When you create an encrypted virtual machine from the vSphere Client, you can decide which disks to exclude from encryption. When you create an encrypted virtual machine from the vSphere Web Client, all virtual disks are encrypted. You can later add disks and set their encryption policies. You cannot add an encrypted disk to a virtual machine that is not encrypted, and you cannot encrypt a disk if the virtual machine is not encrypted.

Encryption for a virtual machine and its disks is controlled through storage policies. The storage policy for VM Home governs the virtual machine itself, and each virtual disk has an associated storage policy.
  • Setting the storage policy of VM Home to an encryption policy encrypts only the virtual machine itself.
  • Setting the storage policy of VM Home and all the disks to an encryption policy encrypts all components.
Consider the following use cases.
Table 1. Virtual Disk Encryption Use Cases

Use case: Create an encrypted virtual machine.
Details: If you add disks while creating an encrypted virtual machine, the disks are encrypted by default. You can change the policy so that one or more of the disks are not encrypted. After virtual machine creation, you can explicitly change the storage policy for each disk. See Change the Encryption Policy for Virtual Disks.

Use case: Encrypt an existing virtual machine.
Details: To encrypt an existing virtual machine, you change its storage policy. You can change the storage policy for the virtual machine and all virtual disks at once. To encrypt just the virtual machine, specify an encryption policy for VM Home and select a different storage policy, such as Datastore Default, for each virtual disk. See Create an Encrypted Virtual Machine.

Use case: Add an existing unencrypted disk to an encrypted virtual machine, selecting the encryption storage policy for the disk.
Details: Fails with an error. Add the disk with the default storage policy instead; you can change the disk's storage policy to the encryption policy afterward. See Change the Encryption Policy for Virtual Disks.

Use case: Add an existing unencrypted disk to an encrypted virtual machine, selecting a storage policy that does not include encryption, for example Datastore Default.
Details: The disk is added with the default storage policy and stays unencrypted. If you want an encrypted disk, explicitly change the disk's storage policy after adding it. See Change the Encryption Policy for Virtual Disks.

Use case: Add an encrypted disk to an encrypted virtual machine.
Details: The VM Home storage policy is the encryption policy, and the disk remains encrypted when you add it. The vSphere Web Client displays the size and other attributes, including encryption status, but might not display the correct storage policy for the disk. For consistency, change the disk's storage policy to the encryption policy.

Use case: Add an existing encrypted disk to an unencrypted virtual machine.
Details: This use case is not supported.
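The following PowerCLI session is an added example and is not part of the original page or VMware's own documentation. It walks through the policy-driven model described above and the table's use cases: encrypting VM Home alone, encrypting a chosen subset of disks, attaching an existing unencrypted disk with the default policy and only then switching it to the encryption policy, and finally checking which components actually carry an encryption key. It assumes PowerCLI is installed and Connect-VIServer has already succeeded, that a key provider (KMS) is configured on vCenter, that the virtual machine is named app01 and is powered off, and that the encryption policy is named VM Encryption Policy and the existing disk lives at [datastore1] legacy/legacy.vmdk; all of those names and paths are placeholders to adapt.

```powershell
# Added example (PowerCLI). Assumed names: VM "app01", policy "VM Encryption Policy",
# existing disk "[datastore1] legacy/legacy.vmdk". Assumes Connect-VIServer is done
# and a key provider is configured on the vCenter Server.
$vmName     = 'app01'
$policyName = 'VM Encryption Policy'
$legacyVmdk = '[datastore1] legacy/legacy.vmdk'

$vm        = Get-VM -Name $vmName
$encPolicy = Get-SpbmStoragePolicy -Name $policyName

# Changing the encryption policy of a running VM is rejected; fail early instead.
if ($vm.PowerState -ne 'PoweredOff') {
    throw "Power off $vmName before changing its encryption policy."
}

# 1. Encrypt only VM Home: apply the encryption policy to the VM entity and leave
#    every disk on whatever policy it already has (for example Datastore Default).
Get-SpbmEntityConfiguration -VM $vm -VMsOnly |
    Set-SpbmEntityConfiguration -StoragePolicy $encPolicy | Out-Null

# 2. Encrypt a subset of the disks. Disk encryption requires VM Home to be
#    encrypted, which step 1 guarantees. Here "Hard disk 2" is deliberately left out.
$disksToEncrypt = Get-HardDisk -VM $vm | Where-Object { $_.Name -ne 'Hard disk 2' }
if ($disksToEncrypt) {
    Get-SpbmEntityConfiguration -HardDisk $disksToEncrypt |
        Set-SpbmEntityConfiguration -StoragePolicy $encPolicy | Out-Null
}

# 3. Attach an existing unencrypted disk. Passing -StoragePolicy $encPolicy here
#    fails with an error (see Table 1), so attach with the default policy first and
#    change the policy as a second step.
$legacyDisk = New-HardDisk -VM $vm -DiskPath $legacyVmdk
Get-SpbmEntityConfiguration -HardDisk $legacyDisk |
    Set-SpbmEntityConfiguration -StoragePolicy $encPolicy | Out-Null

# 4. Verify from the vSphere API rather than from the storage policy column, which
#    the client may display inconsistently for attached disks: an encrypted VM has a
#    keyId on its config, and an encrypted disk has a keyId on its backing.
function Get-VmEncryptionState {
    param([Parameter(Mandatory)] $VM)

    $VM.ExtensionData.UpdateViewData()
    $vmHome = [pscustomobject]@{
        Entity    = 'VM Home'
        Encrypted = ($null -ne $VM.ExtensionData.Config.KeyId)
    }
    $disks = Get-HardDisk -VM $VM | ForEach-Object {
        [pscustomobject]@{
            Entity    = $_.Name
            Encrypted = ($null -ne $_.ExtensionData.Backing.KeyId)
        }
    }
    @($vmHome) + @($disks)
}

Get-VmEncryptionState -VM $vm | Format-Table -AutoSize
```

Step 1 on its own produces the "VM Home only" state described above: the configuration, swap and snapshot files are encrypted while the disks are not, and the verification table shows Encrypted = True for VM Home and False for every disk. The last use case in the table, an encrypted disk attached to an unencrypted VM, is not supported, so the script never attempts it; if you need that disk on a VM whose VM Home is unencrypted, encrypt VM Home first.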