To protect the enclave contents from disclosure and modifications, you can enable vSGX on a virtual machine in the VMware Host Client.

Some operations and features are not compatible with SGX.

  • Migration with Storage vMotion
  • Suspending or resuming the virtual machine
  • Taking a snapshot of the virtual machine
  • Fault Tolerance
  • Enabling Guest Integrity (GI, platform foundation for VMware AppDefense 1.0)


  • Power off the virtual machine.

  • Verify that the virtual machine uses EFI firmware.
  • Verify that the ESXi host is version 7.0 or later.
  • Verify that the guest operating system in the virtual machine is Linux, Windows 10 (64-bit) or later, or Windows Server 2016 (64-bit) or later.
  • Verify that you have the Virtual machine.Configuration.Modify device settings privilege on the virtual machine.
  • Verify that the ESXi host is installed on an SGX-capable CPU, and SGX is enabled in the BIOS of the ESXi host. For information about the supported CPUs, see


  1. In the VMware Host Client inventory, click Virtual Machines.
  2. Right-click a virtual machine in the list and select Edit settings from the pop-up menu.
  3. On the Virtual Hardware tab, expand Security devices.
  4. Select the Enable check box.
  5. Under Enclave page cache size, enter a new value in the text box and select the size in MB or GB from the drop-down menu.
    Note: The enclave page cache size must be a multiple of 2.
  6. From the Launch control configuration drop-down menu, select the appropriate mode.
     Option     Action
     Locked     Enables the launch enclave configuration. Under Launch enclave public key hash, enter a valid SHA256 hash. The SHA256 hash must be 64 hexadecimal characters long.
     Unlocked   Enables the launch enclave configuration of the guest operating system.
  7. Click Save.