You can encrypt an existing virtual machine or virtual disk by changing its storage policy. You can encrypt virtual disks only for encrypted virtual machines.
This task describes how to encrypt an existing virtual machine or virtual disk using the vSphere Client.
- Establish a trusted connection with the KMS and select a default KMS.
- Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.
- Ensure that the virtual machine is powered off.
- Verify that you have the required privileges:
- If the host encryption mode is not Enabled, you also need .
- Connect to vCenter Server by using the vSphere Client.
- Right-click the virtual machine that you want to change and select
. You can set the storage policy for the virtual machine files, represented by VM home, and the storage policy for virtual disks.
- Select the storage policy.
You cannot encrypt the virtual disk of an unencrypted VM.
- To encrypt the VM and its hard disks, select an encryption storage policy and click OK.
- To encrypt the VM but not the virtual disks, toggle on Configure per disk, select the encryption storage policy for VM Home and other storage policies for the virtual disks, and click OK.
- If you prefer, you can encrypt the virtual machine, or both virtual machine and disks, from the Edit Settings menu in the vSphere Client.
- Right-click the virtual machine and select Edit Settings.
- Select the VM Options tab, and open Encryption. Choose an encryption policy. If you deselect all disks, only the VM home is encrypted.
- Click OK.