When you clone an encrypted virtual machine, the clone is encrypted with the same keys as the source. To change the keys for the clone, power off the clone and perform a shallow recrypt of it through the API. See the vSphere Web Services SDK Programming Guide.

You do not have to power off the virtual machine to clone it.

Prerequisites

  • Establish a trusted connection with the KMS and select a default KMS.
  • Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.
  • Required privileges:
    • Cryptographic operations > Clone
    • If the host encryption mode is not Enabled, you must also have the Cryptographic operations > Register host privilege.

Procedure

  1. Connect to vCenter Server by using the vSphere Web Client.
  2. Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
  3. Right-click the virtual machine, and follow the prompts to create the clone of an encrypted virtual machine.
    • Select a name and folder: Specify a name and target location for the clone.
    • Select a compute resource: Specify an object for which you have privileges to create encrypted virtual machines. See Prerequisites and Required Privileges for Encryption Tasks.
    • Select storage: Make a selection in the Select virtual disk format menu and select a datastore. You cannot change the storage policy as part of the clone operation.
    • Select clone options: Select clone options, as discussed in the vSphere Virtual Machine Administration documentation.
    • Ready to complete: Review the information and click Finish.