When you create an encrypted virtual machine from the vSphere Client, you can decide which disks to exclude from encryption. You can later add disks and set their encryption policies. You cannot add an encrypted disk to a virtual machine that is not encrypted, and you cannot encrypt a disk if the virtual machine is not encrypted.

Encryption for a virtual machine and its disks is controlled through storage policies. The storage policy for VM Home governs the virtual machine itself, and each virtual disk has an associated storage policy.
  • Setting the storage policy of VM Home to an encryption policy encrypts only the virtual machine itself.
  • Setting the storage policy of VM Home and all the disks to an encryption policy encrypts all components.

Consider the following use cases.

Table 1. Virtual Disk Encryption Use Cases
Use Case Details
Create an encrypted virtual machine. If you add disks while creating an encrypted virtual machine, the disks are encrypted by default. You can change the policy not to encrypt one or more of the disks.

After virtual machine creation, you can explicitly change the storage policy for each disk. See Change the Encryption Policy for Virtual Disks.

Encrypt a virtual machine. To encrypt an existing virtual machine, you change its storage policy. You can change the storage policy for the virtual machine and all virtual disks. To encrypt just the virtual machine, you can specify an encryption policy for VM Home and select a different storage policy, such as Datastore Default, for each virtual disk. See Create an Encrypted Virtual Machine.
Add an existing unencrypted disk to an encrypted virtual machine (encryption storage policy). Fails with an error. You have to add the disk with the default storage policy, but can later change the storage policy. See Change the Encryption Policy for Virtual Disks.
Add an existing unencrypted disk to an encrypted virtual machine with a storage policy that does not include encryption, for example Datastore Default.

The disk uses the default storage policy. You can explicitly change the storage policy after adding the disk if you want an encrypted disk. See Change the Encryption Policy for Virtual Disks.

Add an encrypted disk to an encrypted virtual machine. VM Home storage policy is Encryption. When you add the disk, it remains encrypted. The vSphere Client displays the size and other attributes, including encryption status.
Add an existing encrypted disk to an unencrypted virtual machine. This use case is not supported.
Register an encrypted virtual machine.

If you remove an encrypted virtual machine from vCenter Server but do not delete it from disk, you can return it to the vCenter Server inventory by registering the VM's virtual machine configuration (.vmx) file. To register the encrypted VM, the user must have the Cryptographic operations.Register VM privilege.

If the VM was encrypted using a standard key provider, when the encrypted VM is registered, vCenter Server pushes the required keys to the ESXi host. If the user registering the VM does not have the Cryptographic operations.Register VM privilege, vCenter Server locks the VM upon registration, and the VM is not usable until it is unlocked.

If the VM was encrypted using a trusted key provider or vSphere Native Key Provider, when the encrypted VM is registered, vCenter Server no longer pushes keys to the ESXi host. Instead, the keys are fetched from the host when the VM is registered. If the user registering the VM does not have the Cryptographic operations.Register VM privilege, vCenter Server does not permit the operation.