After you set up the KMS, you can create encrypted virtual machines.

This task describes how to create an encrypted virtual machine using either the vSphere Web Client or the vSphere Client (HTML5-based client). The vSphere Client filters storage policies to those that include virtual machine encryption, easing creation of encrypted virtual machines.

Note: Creating an encrypted virtual machine is faster and uses fewer storage resources than encrypting an existing virtual machine. If possible, encrypt the virtual machine during the creation process.

Prerequisites

  • Establish a trusted connection with the KMS and select a default KMS.
  • Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.
  • Ensure that the virtual machine is powered off.
  • Verify that you have the required privileges:
    • Cryptographic operations.Encrypt new
    • If the host encryption mode is not Enabled, you also need Cryptographic operations.Register host.

Procedure

  1. Connect to vCenter Server by using either the vSphere Client (HTML5-based client) or the vSphere Web Client.
  2. Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
  3. Create the virtual machine.
    • vSphere Client: Right-click the object and select New Virtual Machine.
    • vSphere Web Client: Right-click the object, select New Virtual Machine > New Virtual Machine.
  4. Follow the prompts to create an encrypted virtual machine.
    For each wizard page (Option), take the listed Action:
    • Select a creation type: Create a new virtual machine.
    • Select a name and folder: Specify a unique name and target location for the virtual machine.
    • Select a compute resource: Specify an object for which you have privileges to create encrypted virtual machines. See Prerequisites and Required Privileges for Encryption Tasks.
    • Select storage:
      • vSphere Client: Select the Encrypt this virtual machine check box. Virtual machine storage policies are filtered to those that include encryption. Select a VM storage policy (the bundled sample is VM Encryption Policy), and select a compatible datastore.
      • vSphere Web Client: Select a VM storage policy with encryption (the bundled sample is VM Encryption Policy). Select a compatible datastore.
    • Select compatibility: Select the compatibility. You can migrate an encrypted virtual machine only to hosts with compatibility ESXi 6.5 and later.
    • Select a guest OS: Select a guest OS that you plan to install on the virtual machine later.
    • Customize hardware: Customize the hardware, for example, by changing disk size or CPU.
      • vSphere Client: (Optional) Select the VM Options tab, and open Encryption. Choose which disks to exclude from encryption. When you deselect a disk, only the VM Home and any other selected disks are encrypted.
      • Any New Hard disk that you add is encrypted. You can change the storage policy for individual hard disks later.
    • Ready to complete: Review the information and click Finish.
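The wizard itself gives no scripted confirmation of the result. The following PowerCLI snippet is an added example, not part of this VMware documentation: it checks the host encryption mode prerequisite, confirms the sample storage policy exists, and reports which parts of the new virtual machine (VM Home and each disk) actually carry an encryption key, which matters when disks were excluded under Customize hardware. It assumes an existing Connect-VIServer session; the VM name is a placeholder.

```powershell
# Added verification example; assumes Connect-VIServer has already been run.
$VMName     = 'encrypted-vm-01'        # placeholder: the VM created in the wizard
$PolicyName = 'VM Encryption Policy'   # bundled sample policy named on the page

# 1. Host encryption mode. ESXi exposes it as Runtime.CryptoState in the
#    vSphere API; 'safe' corresponds to Encryption Mode "Enabled" in the client.
#    Hosts in any other state need the Cryptographic operations.Register host
#    privilege before a VM can be encrypted on them.
Get-VMHost | Select-Object Name,
    @{N = 'CryptoState'; E = { $_.ExtensionData.Runtime.CryptoState }}

# 2. The encryption storage policy the wizard filters on must exist.
$policy = Get-SpbmStoragePolicy -Name $PolicyName -ErrorAction Stop

# 3. Inspect the created VM. VM Home is encrypted when the VM config carries a
#    CryptoKeyId; a disk is encrypted when its file backing carries a CryptoKeyId.
$vm = Get-VM -Name $VMName -ErrorAction Stop
[PSCustomObject]@{
    VM            = $vm.Name
    PowerState    = $vm.PowerState
    StoragePolicy = (Get-SpbmEntityConfiguration -VM $vm).StoragePolicy.Name
    HomeEncrypted = [bool]$vm.ExtensionData.Config.KeyId
    KeyProvider   = $vm.ExtensionData.Config.KeyId.ProviderId.Id   # the KMS cluster used
}

# Per-disk view: disks deselected in the Encryption section show Encrypted = False.
Get-HardDisk -VM $vm | ForEach-Object {
    [PSCustomObject]@{
        Disk      = $_.Name
        Encrypted = [bool]$_.ExtensionData.Backing.KeyId
        KeyId     = $_.ExtensionData.Backing.KeyId.KeyId
    }
}
```

Any disk reported as Encrypted = False can later be brought under the policy by changing that disk's storage policy, as the last step of the procedure notes.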