You can encrypt an existing virtual machine or virtual disk by changing its storage policy. You can encrypt virtual disks only for encrypted virtual machines.

This task describes how to encrypt an existing virtual machine or virtual disk using the vSphere Client.

Prerequisites

  • Establish a trusted connection with the KMS and select a default KMS.
  • Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.
  • Ensure that the virtual machine is powered off.
  • Verify that you have the required privileges:
    • Cryptographic operations.Encrypt new
    • If the host encryption mode is not Enabled, you also need Cryptographic operations.Register host.

Procedure

  1. Connect to vCenter Server by using the vSphere Client.
  2. Right-click the virtual machine that you want to change and select VM Policies > Edit VM Storage Policies.
    You can set the storage policy for the virtual machine files, represented by VM home, and the storage policy for virtual disks.
  3. Select the storage policy.
    • To encrypt the VM and its hard disks, select an encryption storage policy and click OK.
    • To encrypt the VM but not the virtual disks, toggle on Configure per disk, select the encryption storage policy for VM Home and other storage policies for the virtual disks, and click OK.
    Prior to vSphere 7.0 Update 3i, you cannot encrypt the virtual disk of an unencrypted virtual machine. In vSphere Update 3i and later, the vSphere Client prompts if you want to reconfigure the unencrypted virtual machine with the encrypted disk by encrypting VM Home.
  4. If you prefer, you can encrypt the virtual machine, or both virtual machine and disks, from the Edit Settings menu in the vSphere Client.
    1. Right-click the virtual machine and select Edit Settings.
    2. Select the VM Options tab, and open Encryption. Choose an encryption policy. If you deselect all disks, only the VM home is encrypted.
    3. Click OK.