Starting with vSphere 6.5, you can take advantage of virtual machine encryption. Encryption protects not only your virtual machine but also virtual machine disks and other files. You set up a trusted connection between vCenter Server and a key management server (KMS). vCenter Server can then retrieve keys from the KMS as needed.
You manage different aspects of virtual machine encryption in different ways.
Manage setup of the trusted connection with the KMS and perform most encryption workflows from the vSphere Web Client.
Manage automation of some advanced features from the vSphere Web Services SDK. See vSphere Web Services SDK Programming Guide and VMware vSphere API Reference.
Use the crypto-util command-line tool directly on the ESXi host for some special cases, for example, to decrypt the core dumps in a vm-support bundle.