After vCenter Server is connected to the KMS, users with the required privileges can create encrypted virtual machines and disks. Those users can also perform other encryption tasks such as encrypting existing virtual machines and decrypting encrypted virtual machines.

The process flow includes the KMS, the vCenter Server, and the ESXi host.

Note: The encryption process flow is different for vSphere Trust Authority. See vSphere Trust Authority Encryption Process Flow.
Figure 1. vSphere Virtual Encryption Architecture
The key is stored in the KMS. vCenter Server retrieves the key, keeps only the key ID, and sends the key to the ESXi host. The ESXi host uses the KMS key to encrypt the internal key that is used for encryption.
During the encryption process, different vSphere components interact as follows.
  1. When the user performs an encryption task, for example, creating an encrypted virtual machine, vCenter Server requests a new key from the default KMS. This key is used as the KEK.
  2. vCenter Server stores the key ID and passes the key to the ESXi host. If the ESXi host is part of a cluster, vCenter Server sends the KEK to each host in the cluster.

    The key itself is not stored on the vCenter Server system. Only the key ID is known.

  3. The ESXi host generates internal keys (DEKs) for the virtual machine and its disks. It keeps the internal keys in memory only, and uses the KEK to encrypt (wrap) the internal keys.

    Unencrypted internal keys are never stored on disk. Only encrypted data is stored. Because the KEKs come from the KMS rather than being generated by the host, the host continues to use the same KEKs.

  4. The ESXi host encrypts the virtual machine with the internal key; only the KEK-encrypted copy of that internal key is written out with the virtual machine files.

    Any hosts that have the KEK and that can access the encrypted key file can perform operations on the encrypted virtual machine or disk.

The Key Management Interoperability Protocol (KMIP) supports adding custom attributes intended for vendor-specific purposes. Custom attributes enable you to more specifically identify keys stored in your KMS. vCenter Server adds the following custom attributes for virtual machine keys and host keys.

Table 1. Virtual Machine Encryption Custom Attributes

  Custom Attribute   | Value
  x-Vendor           | VMware, Inc.
  x-Product          | VMware vSphere
  x-Product_Version  | vCenter Server version
  x-Component        | Virtual Machine
  x-Name             | Virtual machine name (gathered from ConfigInfo or ConfigSpec)
  x-Identifier       | Virtual machine's instanceUuid (gathered from ConfigInfo or ConfigSpec)

Table 2. Host Encryption Custom Attributes

  Custom Attribute   | Value
  x-Vendor           | VMware, Inc.
  x-Product          | VMware vSphere
  x-Product_Version  | vCenter Server version
  x-Component        | ESXi Server
  x-Name             | Host name
  x-Identifier       | Host's hardware Uuid

vCenter Server adds the x-Vendor, x-Product, and x-Product_Version attributes when the KMS creates a key. When the key is used to encrypt a virtual machine or host, vCenter Server sets the x-Component, x-Identifier, and x-Name attributes. You might be able to view these custom attributes in your KMS user interface. Check with your KMS vendor.

Both the host key and the virtual machine key have the six custom attributes. x-Vendor, x-Product, and x-Product_Version might be the same for both keys; these attributes are set when the key is generated. Depending on whether the key is for a virtual machine or a host, it might have x-Component, x-Identifier, and x-Name attributes appended.

If you later want to decrypt a virtual machine, you change its storage policy. You can change the storage policy for the virtual machine and all disks. If you want to decrypt individual components, decrypt selected disks first, then decrypt the virtual machine by changing the storage policy for VM Home. Both keys are required for decryption of each component.

When an error occurs while sending keys from the KMS to an ESXi host, vCenter Server generates a message in the event log for the following events:

  • Adding keys to the ESXi host failed due to host connection or host support issues.
  • Getting keys from the KMS failed due to key missing in the KMS.
  • Getting keys from the KMS failed due to the KMS connection.