vSphere Virtual Machine Encryption has some limitations regarding devices and features that it can interoperate with in vSphere 6.5.

You cannot perform certain tasks on an encrypted virtual machine.
  • For most virtual machine encryption operations, you must power off the virtual machine. You can clone an encrypted virtual machine and you can perform a shallow recrypt while the virtual machine is powered on.
    Note: Virtual machines configured with IDE controllers must be powered off to perform a shallow rekey operation.
  • You cannot suspend or resume an encrypted virtual machine.
  • Snapshot operations have some limitations.
    • You cannot select the Capture the virtual machine's memory check box when you create a snapshot of an encrypted virtual machine.
    • You cannot encrypt a virtual machine that has existing snapshots. Consolidate all existing snapshots before you perform the encryption.

You can use vSphere Virtual Machine Encryption with pure IPv6 mode or in mixed mode. You can configure the KMS with IPv6 addresses. Both vCenter Server and the KMS can be configured with only IPv6 addresses.

Certain features do not work with vSphere Virtual Machine Encryption.
  • vSphere Fault Tolerance
  • Cloning is supported conditionally.
    • Full clones are supported. The clone inherits the parent encryption state including keys. You can re-encrypt the full clone to use new keys or decrypt the full clone.
    • Linked clones are supported and the clone inherits the parent encryption state including keys. You cannot decrypt the linked clone or re-encrypt a linked clone with different keys.
  • vSphere ESXi Dump Collector
  • Migration with vMotion of an encrypted virtual machine to a different vCenter Server instance. Encrypted migration with vMotion of an unencrypted virtual machine is supported.
  • vSphere Replication
  • Content Library
  • Not all backup solutions that use VMware vSphere Storage API - Data Protection (VADP) for virtual disk backup are supported.
    • VADP SAN backup solutions are not supported.
    • VADP hot add backup solutions are supported if the vendor supports encryption of the proxy VM that is created as part of the backup workflow. The vendor must have the privilege Cryptographic Operations.Encrypt Virtual Machine.
    • VADP NBD-SSL backup solutions are supported. The vendor application must have the privilege Cryptographic Operations.Direct Access.
  • You can use vSphere Virtual Machine Encryption with IPv6 in mixed mode, but not in a pure IPv6 environment. Connecting to a KMS by using only an IPv6 address is not supported.
  • You cannot use vSphere Virtual Machine Encryption for encryption on other VMware products such as VMware Workstation.
  • You cannot send output from an encrypted virtual machine to a serial port or parallel port. Even if the configuration appears to succeed, output is sent to a file.
  • You cannot perform a suspend or a memory snapshot operation on an encrypted virtual machine.

Certain types of virtual machine disk configurations are not supported with vSphere Virtual Machine Encryption.
  • VMware vSphere Flash Read Cache
  • First Class Disks
  • RDM (Raw Device Mapping)
  • Multi-writer or shared disks (MSCS, WSFC, or Oracle RAC). If a virtual disk is encrypted, and if you attempt to select Multi-writer in the Edit Settings page of the virtual machine, the OK button is disabled.
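
A pre-flight check for several of the limitations listed above, as an added PowerCLI example (not VMware's code). It assumes VMware PowerCLI with an active Connect-VIServer session. The function name Test-VMEncryptionReadiness and the finding strings are hypothetical, and First Class Disks are not checked.

```powershell
# Added example, not VMware's code. Assumes VMware PowerCLI is loaded and
# Connect-VIServer has already been run. Function name and messages are hypothetical.
function Test-VMEncryptionReadiness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [VMware.VimAutomation.ViCore.Types.V1.Inventory.VirtualMachine]$VM
    )
    process {
        $view     = $VM.ExtensionData   # underlying vSphere API VirtualMachine object
        $findings = [System.Collections.Generic.List[string]]::new()

        # Most encryption operations require the VM to be powered off.
        if ($view.Runtime.PowerState -ne 'poweredOff') {
            $findings.Add('VM is not powered off')
        }
        # A VM with existing snapshots cannot be encrypted.
        if ($view.Snapshot) {
            $findings.Add('Existing snapshots: consolidate before encrypting')
        }
        # vSphere Fault Tolerance does not work with VM encryption.
        if ($view.Config.FtInfo) {
            $findings.Add('vSphere Fault Tolerance is configured')
        }
        foreach ($dev in $view.Config.Hardware.Device) {
            $label = $dev.DeviceInfo.Label
            if ($dev -is [VMware.Vim.VirtualDisk]) {
                if ($dev.Backing -is [VMware.Vim.VirtualDiskRawDiskMappingVer1BackingInfo]) {
                    $findings.Add("${label}: RDM disk is not supported")
                }
                if ($dev.Backing.Sharing -eq 'sharingMultiWriter') {
                    $findings.Add("${label}: multi-writer sharing is not supported")
                }
                if ($dev.VFlashCacheConfigInfo) {
                    $findings.Add("${label}: Flash Read Cache is not supported")
                }
            }
            elseif ($dev -is [VMware.Vim.VirtualSerialPort] -or
                    $dev -is [VMware.Vim.VirtualParallelPort]) {
                $findings.Add("${label}: port output will be sent to a file once encrypted")
            }
        }
        [pscustomobject]@{
            VM       = $VM.Name
            Ready    = ($findings.Count -eq 0)
            Findings = $findings
        }
    }
}
```

Run it across candidates with `Get-VM | Test-VMEncryptionReadiness | Where-Object { -not $_.Ready }` to list the virtual machines that need remediation before encryption.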