When you create an encrypted virtual machine from the vSphere Client, you can select which virtual disks that you add during virtual machine creation are encrypted. You can decrypt virtual disks that are encrypted by using the Edit VM Storage Policies option.

Note: An encrypted virtual machine can have virtual disks that are not encrypted. However, an unencrypted virtual machine cannot have encrypted virtual disks.

See Virtual Disk Encryption.

This task describes how to change the encryption policy using storage policies. You can also use the Edit Settings menu to make this change.


  • You must have the Cryptographic operations.Manage encryption policies privilege.
  • Ensure that the virtual machine is powered off.


  1. Connect to vCenter Server by using the vSphere Client.
  2. Right-click the virtual machine and select VM Policies > Edit VM Storage Policies .
  3. Change the storage policy.
    • To change the storage policy for the VM and its hard disks, select an encryption storage policy and click OK.
    • To encrypt the VM but not the virtual disks, toggle on Configure per disk, select the encryption storage policy for VM Home and other storage policies for the virtual disks, and click OK.
    You cannot encrypt the virtual disk of an unencrypted VM.
  4. If you prefer, you can change the storage policy from the Edit Settings menu.
    1. Right-click the virtual machine and select Edit Settings.
    2. Select the Virtual Hardware tab, expand a hard disk, and select an encryption policy from the drop-down menu.
    3. Click OK.