vSphere Virtual Machine Encryption has some limitations regarding devices and features that it can interoperate with in vSphere 6.5 and later releases.

The following limitations and remarks refer to using vSphere Virtual Machine Encryption. For similar information about using vSAN encryption, see the Administering VMware vSAN documentation.

Limitations on Certain Encryption Tasks

Some restrictions apply when performing certain tasks on an encrypted virtual machine.

  • For most virtual machine encryption operations, you must power off the virtual machine. You can clone an encrypted virtual machine and you can perform a shallow recrypt while the virtual machine is powered on.
    Note: Virtual machines configured with IDE controllers must be powered off to perform a shallow rekey operation.
  • You cannot perform a deep recrypt on a virtual machine with snapshots. You can perform a shallow recrypt on a virtual machine with snapshots.
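The preconditions above can be checked before a recrypt job is scheduled. The following PowerCLI function is an added example and not part of the vSphere documentation; it assumes an existing PowerCLI session (Connect-VIServer) and treats "configured with IDE controllers" as an IDE controller with at least one attached device.

```powershell
# Added example: pre-flight check for deep/shallow recrypt limitations.
# Assumes Connect-VIServer has already been run in this session.
function Test-VMRecryptPreflight {
    param(
        [Parameter(Mandatory)] [string] $VMName,
        [Parameter(Mandatory)] [ValidateSet('Deep', 'Shallow')] [string] $Mode
    )
    $vm = Get-VM -Name $VMName
    $blockers = @()

    # Config.KeyId is set when the VM home files are encrypted; without it there is
    # nothing to recrypt (the VM would need to be encrypted first).
    if (-not $vm.ExtensionData.Config.KeyId) {
        $blockers += 'VM home files are not encrypted; nothing to recrypt.'
    }

    if ($Mode -eq 'Deep') {
        # Deep recrypt: no snapshots, and the VM must be powered off.
        if (@(Get-Snapshot -VM $vm).Count -gt 0) {
            $blockers += 'Deep recrypt is not possible while snapshots exist.'
        }
        if ($vm.PowerState -ne 'PoweredOff') {
            $blockers += 'Deep recrypt requires the VM to be powered off.'
        }
    }
    else {
        # Shallow recrypt may run powered on, unless an IDE controller is in use.
        $ideInUse = $vm.ExtensionData.Config.Hardware.Device |
            Where-Object { $_ -is [VMware.Vim.VirtualIDEController] -and $_.Device.Count -gt 0 }
        if ($ideInUse -and $vm.PowerState -ne 'PoweredOff') {
            $blockers += 'VM uses an IDE controller; power it off before a shallow rekey.'
        }
    }

    # VMDKs are not encrypted automatically with the home files; list the ones
    # that carry no key so the operator knows what the recrypt will not touch.
    $plainDisks = Get-HardDisk -VM $vm |
        Where-Object { -not $_.ExtensionData.Backing.KeyId } |
        Select-Object -ExpandProperty Name

    [PSCustomObject]@{
        VM               = $vm.Name
        Mode             = $Mode
        PowerState       = $vm.PowerState
        Ready            = ($blockers.Count -eq 0)
        Blockers         = $blockers
        UnencryptedDisks = @($plainDisks)
    }
}

# Usage: Test-VMRecryptPreflight -VMName 'app-db-01' -Mode Deep
```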

Virtual Trusted Platform Module Devices and vSphere Virtual Machine Encryption

A virtual Trusted Platform Module (vTPM) is a software-based representation of a physical Trusted Platform Module 2.0 chip. You can add a vTPM to either a new or an existing virtual machine. To add a vTPM to a virtual machine, you must configure a Key Management Server (KMS) in your vSphere environment. When you configure a vTPM, the virtual machine “home” files are encrypted (memory swap, NVRAM files, and so on). The disk files, or VMDK files, are not automatically encrypted. You can choose to add encryption explicitly for the virtual machine disks.

Caution: Cloning a virtual machine duplicates the entire virtual machine, including the virtual devices such as a vTPM. Information stored in the vTPM, including properties of the vTPM that software can use to determine a system’s identity, is also duplicated.

vSphere Virtual Machine Encryption and Suspended State and Snapshots

Starting with vSphere 6.7, you can resume from a suspended state of an encrypted virtual machine, or revert to a memory snapshot of an encrypted machine. You can migrate an encrypted virtual machine with memory snapshot and suspended state between ESXi hosts.

vSphere Virtual Machine Encryption and IPv6

You can use vSphere Virtual Machine Encryption with pure IPv6 mode or in mixed mode. You can configure the KMS with IPv6 addresses. You can configure both the vCenter Server and the KMS with only IPv6 addresses.

Limitations on Cloning in vSphere Virtual Machine Encryption

Certain cloning features do not work with vSphere Virtual Machine Encryption.

  • Cloning is supported conditionally.
    • Full clones are supported. The clone inherits the parent encryption state, including keys. You can encrypt the full clone, re-encrypt the full clone to use new keys, or decrypt the full clone.
    • Linked clones are supported, and the clone inherits the parent encryption state, including keys. You cannot decrypt the linked clone or re-encrypt a linked clone with different keys.
      Note: Verify that other applications support linked clones. For example, VMware Horizon® 7 supports both full clones and instant clones, but not linked clones.
    • Instant clone is supported, but you cannot change encryption keys on the clone.

Unsupported Disk Configurations with vSphere Virtual Machine Encryption

Certain types of virtual machine disk configurations are not supported with vSphere Virtual Machine Encryption.

  • RDM (Raw Device Mapping). However, vSphere Virtual Volumes (vVols) are supported.
  • Multi-writer or shared disks (MSCS, WSFC, or Oracle RAC). Encrypted virtual machine “home” files are supported for multi-writer disks. Encrypted virtual disks are not supported for multi-writer disks. If you attempt to select Multi-writer in the Edit Settings page of the virtual machine with encrypted virtual disks, the OK button is deactivated.

Miscellaneous Limitations in vSphere Virtual Machine Encryption

Other features that do not work with vSphere Virtual Machine Encryption include the following:

  • vSphere Fault Tolerance
  • vSphere ESXi Dump Collector
  • Migration with vMotion of an encrypted virtual machine to a different vCenter Server instance. Encrypted migration with vMotion of an unencrypted virtual machine is supported.
  • Content Library
    • Content libraries support two types of templates, the OVF Template type and the VM Template type. You cannot export an encrypted virtual machine to the OVF Template type. The OVF Tool does not support encrypted virtual machines. You can create encrypted VM templates using the VM Template type. See the vSphere Virtual Machine Administration documentation.
  • Software for backing up encrypted virtual disks must use the VMware vSphere Storage API - Data Protection (VADP) to either back up the disks in hot-add mode or NBD mode with SSL enabled. However, not all backup solutions that use VADP for virtual disk backup are supported. Check with your backup vendor for details.
    • VADP SAN transport mode solutions are not supported for backing up encrypted virtual disks.
    • VADP Hot-Add solutions are supported for encrypted virtual disks. The backup software must support encryption of the proxy VM that is used as part of the hot-add backup workflow. The vendor application must have the privilege Cryptographic Operations.Encrypt Virtual Machine.
    • Backup solutions using the NBD-SSL transport modes are supported for backing up encrypted virtual disks. The vendor application must have the privilege Cryptographic Operations.Direct Access.
  • You cannot send output from an encrypted virtual machine to a serial port or parallel port. Even if the configuration appears to succeed, output is sent to a file.
  • vSphere Virtual Machine Encryption is not supported in VMware Cloud on AWS. See the Managing the VMware Cloud on AWS Data Center documentation.