After you set up the KMS, you can create encrypted virtual machines.

This task describes how to create an encrypted virtual machine using the vSphere Client. The vSphere Client filters by virtual machine encryption storage policies, easing creation of encrypted virtual machines.

Note: Creating an encrypted virtual machine is faster and uses fewer storage resources than encrypting an existing virtual machine. If possible, encrypt virtual machines during the creation process.


  • Establish a trusted connection with the KMS and select a default KMS.
  • Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.
  • Ensure that the virtual machine is powered off.
  • Verify that you have the required privileges:
    • Cryptographic operations.Encrypt new
    • If the host encryption mode is not Enabled, you also need Cryptographic operations.Register host.


  1. Connect to vCenter Server by using the vSphere Client.
  2. Select an object in the inventory that is a valid parent object of a virtual machine, for example, an ESXi host or a cluster.
  3. Right-click the object and select New Virtual Machine.
  4. Follow the prompts to create an encrypted virtual machine.
    Option: Action
    • Select a creation type: Create a new virtual machine.
    • Select a name and folder: Specify a unique name and target location for the virtual machine.
    • Select a compute resource: Specify an object for which you have privileges to create encrypted virtual machines. See Prerequisites and Required Privileges for Encryption Tasks.
    • Select storage: Select the Encrypt this virtual machine check box. Virtual machine storage policies that include encryption appear. Select a virtual machine storage policy (the bundled sample is VM Encryption Policy), and select a compatible datastore.
    • Select compatibility: Select the compatibility. You can migrate an encrypted virtual machine only to hosts with compatibility ESXi 6.5 and later.
    • Select a guest OS: Select a guest OS that you plan to install on the virtual machine later.
    • Customize hardware: Customize the hardware, for example, by changing disk size or CPU.
      (Optional) Select the VM Options tab, and expand Encryption. Select which disks to exclude from encryption. When you deselect a disk, only the VM Home and any other selected disks are encrypted.
      Any New Hard disk that you add is encrypted. You can change the storage policy for individual hard disks later.
    • Ready to complete: Review the information and click Finish.
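
After the wizard finishes, it is worth confirming that VM Home and every disk you intended to protect actually carry an encryption key, since disks deselected under VM Options are left unencrypted. The following PowerCLI check is an added example, not part of the original procedure or VMware's own code; it assumes VMware PowerCLI is installed, a Connect-VIServer session is already open, and the function name Get-VMEncryptionReport and the VM name enc-vm-01 are placeholders.

```powershell
# Added example: assumes VMware PowerCLI and an existing Connect-VIServer session.
function Get-VMEncryptionReport {
    param([Parameter(Mandatory)][string]$Name)

    $vm = Get-VM -Name $Name -ErrorAction Stop

    # Host encryption mode as reported by the vSphere API (HostRuntimeInfo.cryptoState).
    # 'safe' corresponds to an enabled host encryption mode.
    $cryptoState = (Get-VMHost -VM $vm).ExtensionData.Runtime.CryptoState
    if ($cryptoState -ne 'safe') {
        Write-Warning "Host crypto state is '$cryptoState', expected 'safe'."
    }

    # VM Home is encrypted when the VM configuration carries a key ID.
    $homeKey = $vm.ExtensionData.Config.KeyId
    $rows = @([pscustomobject]@{
        Component   = 'VM Home'
        Encrypted   = $null -ne $homeKey
        KeyProvider = $homeKey.ProviderId.Id
        Policy      = (Get-SpbmEntityConfiguration -VM $vm).StoragePolicy.Name
    })

    # Each virtual disk carries its own key ID on its backing; a disk that was
    # deselected under VM Options > Encryption has none.
    foreach ($disk in Get-HardDisk -VM $vm) {
        $diskKey = $disk.ExtensionData.Backing.KeyId
        $rows += [pscustomobject]@{
            Component   = $disk.Name
            Encrypted   = $null -ne $diskKey
            KeyProvider = $diskKey.ProviderId.Id
            Policy      = (Get-SpbmEntityConfiguration -HardDisk $disk).StoragePolicy.Name
        }
    }

    # Surface anything left in the clear so an excluded disk is a visible decision.
    $plain = @($rows | Where-Object { -not $_.Encrypted })
    if ($plain.Count -gt 0) {
        Write-Warning ("Not encrypted: " + ($plain.Component -join ', '))
    }
    $rows
}

# 'enc-vm-01' is a placeholder VM name.
Get-VMEncryptionReport -Name 'enc-vm-01' | Format-Table -AutoSize
```

A row with Encrypted set to False for a disk you did not deliberately exclude means that disk's storage policy should be changed to an encryption policy.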