When you clone an encrypted virtual machine, the clone is encrypted with the same keys. To change keys for the clone, power off the virtual machine and perform a recrypt of the clone using the API. See vSphere Web Services SDK Programming Guide.
Prerequisites
- Establish a trusted connection with the KMS and select a default KMS.
- Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.
- Required privileges:
-
- If the host encryption mode is not Enabled, you also must have privileges.
Procedure
- Browse to the virtual machine in the vSphere Client inventory.
- To create a clone of an encrypted machine, right-click the virtual machine, select , and follow the prompts.
| Option |
Action |
| Select a name and folder |
Specify a name and target location for the clone. |
| Select a compute resource |
Specify an object for which you have privileges to create encrypted virtual machines. See Prerequisites and Required Privileges for Encryption Tasks. |
| Select storage |
Make a selection in the Select virtual disk format menu and select a datastore. You cannot change the storage policy as part of the clone operation. |
| Select clone options |
Select clone options, as discussed in the vSphere Virtual Machine Administration documentation. |
| Ready to complete |
Review the information and click Finish. |
- (Optional) Change the keys for the cloned virtual machine.
By default, the cloned virtual machine is created with the same keys as its parent. Best practice is to change the cloned virtual machine's keys to ensure that multiple virtual machines do not have the same keys.
- Power off the virtual machine.
- Perform a recrypt of the clone using the API. See vSphere Web Services SDK Programming Guide.
To use a different DEK and KEK, perform a deep recrypt of the cloned virtual machine. To use a different KEK, perform a shallow recrypt of the cloned virtual machine. You can perform a shallow recrypt operation while the virtual machine is powered on, unless the virtual machine has snapshots present.
