Review Virtual Machine Encryption caveats to avoid problems later.

To understand which devices and features cannot be used with Virtual Machine Encryption, see Virtual Machine Encryption Interoperability.


Consider the following caveats when you plan your virtual machine encryption strategy.

  • When you clone an encrypted virtual machine or perform a Storage vMotion operation, you can attempt to change the disk format. Such conversions do not always succeed. For example, if you clone a virtual machine and attempt to change the disk format from lazy-zeroed thick format to thin format, the virtual machine disk keeps the lazy-zeroed thick format.

  • You cannot encrypt a virtual machine and its disks by using the Edit Settings menu. You have to change the storage policy instead. You can perform other encryption tasks such as encrypting an unencrypted disk of an encrypted virtual machine, by using the Edit Settings menu or changing the storage policy. See Encrypt an Existing Virtual Machine or Virtual Disk.

  • When you detach a disk from a virtual machine, the storage policy information for the virtual disk is not retained.

    • If the virtual disk is encrypted, you must explicitly set the storage policy to VM Encryption Policy or to a storage policy that includes encryption.

    • If the virtual disk is not encrypted, you can change the storage policy when you add the disk to a virtual machine.

    See Virtual Disk Encryption for details.

  • Decrypt core dumps before moving a virtual machine to a different cluster.

    The vCenter Server does not store KMS keys but only tracks the key IDs. As a result, vCenter Server does not store the ESXi host key persistently.

    Under certain circumstances, for example, when you move the ESXi host to a different cluster and reboot the host, vCenter Server assigns a new host key to the host. You cannot decrypt any existing core dumps with the new host key.

  • OVF Export is not supported for an encrypted virtual machine.

Virtual Machine Locked State

If the virtual machine key or one or more of the virtual disk keys are missing, the virtual machine enters a locked state. In a locked state, you cannot perform virtual machine operations.

  • When you encrypt both a virtual machine and its disks from the vSphere Web Client, the same key is used for both.

  • When you perform the encryption using the API, you can use different encryption keys for the virtual machine and for disks. In that case, if you attempt to power on a virtual machine, and one of the disk keys is missing, the power on operation fails. If you remove the virtual disk, you can power on the virtual machine.

See Resolve Missing Key Issues for troubleshooting suggestions.

Key Management Server (KMS)

You can add a KMS to a vCenter Server system only once. You cannot add the KMS twice, for example, in two different KMS cluster instances.