You can use the vSphere Client to perform a shallow rekey of an encrypted virtual machine. You might perform a rekey of an encrypted virtual machine for business or compliance reasons.

A shallow rekey, or rekey (also called a shallow recrypt), enables you to use a new (and different) Key Encryption Key (KEK) on an encrypted virtual machine. You can perform a rekey operation while the virtual machine is powered on. You can also perform a rekey if the virtual machine has snapshots present. Rekeying of an encrypted virtual machine with snapshots is permitted only on a single snapshot branch (disk chain). Multiple snapshot branches are not supported. If the rekey fails before updating all links in the chain with the new KEK, you can still access the encrypted virtual machine if you have the old and new KEKs.


Required privilege: Cryptographic operations.Manage key servers


  1. Log in to the vCenter Server system with the vSphere Client.
  2. Browse the inventory list and select the encrypted virtual machine.
  3. Right-click the encrypted virtual machine and select VM Policies.
  4. Select Re-encrypt.
  5. Click Yes.
    The encrypted virtual machine is rekeyed with the new KEK.
    Note: If the rekey fails, the events subsystem posts the following event: