vSphere Virtual Machine Encryption has some limitations regarding devices and features that it can interoperate with in vSphere 6.5 and later releases.

You cannot perform certain tasks on an encrypted virtual machine.

  • For most virtual machine encryption operations, the virtual machine must be powered off. You can clone an encrypted virtual machine and you can perform a shallow recrypt while the virtual machine is powered on.

  • You cannot encrypt a virtual machine that has existing snapshots. Consolidate all existing snapshots before you perform the encryption.

Starting with vSphere 6.7, you can resume an encrypted virtual machine from a suspended state, or revert to a memory snapshot of an encrypted virtual machine. You can migrate an encrypted virtual machine that has a memory snapshot or is in a suspended state between ESXi hosts.

You can use vSphere Virtual Machine Encryption with pure IPv6 mode or in mixed mode. You can configure the KMS with IPv6 addresses. Both vCenter Server and the KMS can be configured with only IPv6 addresses.

Certain features do not work with vSphere Virtual Machine Encryption.

  • vSphere Fault Tolerance

  • Cloning is supported conditionally.

    • Full clones are supported. The clone inherits the parent's encryption state, including keys. You can re-encrypt a full clone to use new keys or decrypt the full clone.

    • Linked clones are supported, and the clone inherits the parent's encryption state, including keys. You cannot decrypt a linked clone or re-encrypt a linked clone with different keys.

  • vSphere ESXi Dump Collector

  • Migration with vMotion of an encrypted virtual machine to a different vCenter Server instance. Encrypted migration with vMotion of an unencrypted virtual machine is supported.

  • vSphere Replication

  • Content Library

  • Not all backup solutions that use VMware vSphere Storage API - Data Protection (VADP) for virtual disk backup are supported.

    • VADP SAN backup solutions are not supported.

    • VADP hot add backup solutions are supported if the vendor supports encryption of the proxy VM that is created as part of the backup workflow. The vendor must have the privilege Cryptographic Operations > Encrypt Virtual Machine.

    • VADP NBD-SSL backup solutions are supported. The vendor application must have the privilege Cryptographic Operations > Direct Access.

  • You cannot use vSphere Virtual Machine Encryption for encryption on other VMware products such as VMware Workstation.

  • You cannot send output from an encrypted virtual machine to a serial port or parallel port. Even if the configuration appears to succeed, output is sent to a file.

Certain types of virtual machine disk configurations are not supported with vSphere Virtual Machine Encryption.

  • VMware vSphere Flash Read Cache.

  • A named virtual disk unassociated with a virtual machine, also called First Class Disk.

  • RDM (Raw Device Mapping).

  • Multi-writer or shared disks (MSCS, WSFC, or Oracle RAC). If a virtual disk is encrypted, and if you attempt to select Multi-writer in the Edit Settings page of the virtual machine, the OK button is disabled.
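
As an added example that is not part of VMware's documentation, the following PowerCLI function checks a virtual machine against several of the conditions listed above (power state, snapshots, Fault Tolerance, RDM, multi-writer and Flash Read Cache disks) before you attempt to encrypt it. It assumes an active Connect-VIServer session; the function name and the VM name 'example-vm' are placeholders.

```powershell
# Added example, not VMware's own code: pre-flight check of the VM Encryption
# limitations described on this page. Assumes an active Connect-VIServer session.
function Test-VMEncryptionPrereqs {
    param([Parameter(Mandatory)][string]$VmName)

    $vm = Get-VM -Name $VmName -ErrorAction Stop
    $blockers = [System.Collections.Generic.List[string]]::new()

    # Most encryption operations require the virtual machine to be powered off.
    if ($vm.PowerState -ne 'PoweredOff') {
        $blockers.Add("power state is $($vm.PowerState); power off the VM first")
    }

    # Existing snapshots must be consolidated before encryption.
    $snaps = @(Get-Snapshot -VM $vm)
    if ($snaps.Count -gt 0) {
        $blockers.Add("$($snaps.Count) snapshot(s) present; consolidate them first")
    }

    # vSphere Fault Tolerance does not work with VM Encryption.
    if ($vm.ExtensionData.Runtime.FaultToleranceState -ne 'notConfigured') {
        $blockers.Add('Fault Tolerance is configured')
    }

    # RDM disks are not supported.
    $rdm = @(Get-HardDisk -VM $vm | Where-Object { $_.DiskType -in 'RawPhysical', 'RawVirtual' })
    foreach ($d in $rdm) { $blockers.Add("RDM disk: $($d.Name)") }

    # Multi-writer (shared) disks and Flash Read Cache are not supported.
    foreach ($dev in $vm.ExtensionData.Config.Hardware.Device) {
        if ($dev -isnot [VMware.Vim.VirtualDisk]) { continue }
        if ($dev.Backing.Sharing -eq 'sharingMultiWriter') {
            $blockers.Add("multi-writer disk: $($dev.DeviceInfo.Label)")
        }
        if ($dev.VFlashCacheConfigInfo) {
            $blockers.Add("Flash Read Cache enabled on: $($dev.DeviceInfo.Label)")
        }
    }

    # Config.KeyId is populated once the VM home files are encrypted.
    [pscustomobject]@{
        VM               = $vm.Name
        AlreadyEncrypted = [bool]$vm.ExtensionData.Config.KeyId
        ReadyToEncrypt   = ($blockers.Count -eq 0)
        Blockers         = $blockers
    }
}

# Usage, with a placeholder VM name:
Test-VMEncryptionPrereqs -VmName 'example-vm' | Format-List
```

The check reports conditions, it does not change the virtual machine; run it with a role that has read access to the VM's configuration.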