Before you can create encrypted virtual machines, you must create an encryption storage policy. You create the storage policy once, and assign it each time you encrypt a virtual machine or virtual disk.

If you want to use virtual machine encryption with other I/O filters, or to use the Create VM Storage Policy wizard in the vSphere Client, see the vSphere Storage documentation for details.


  • Set up the connection to a key provider.

    Although you can create a VM Encryption storage policy without the key provider connection in place, you cannot perform encryption tasks until trusted connection with the key provider is established.

  • Required privileges: Cryptographic operations.Manage encryption policies.


  1. Log in to the vCenter Server by using the vSphere Client.
  2. Select Home, click Policies and Profiles, then click VM Storage Policies.
  3. Click Create.
  4. Select the vCenter Server, enter a policy name, optionally enter a description, then click Next.
  5. On the Policy structure page, check Enable host based roles then click Next.
  6. On the Host based services page, select Use storage policy component, choose Default encryption properties from the drop-down menu, then click Next.
  7. On the Storage compatibility page, leave Compatible selected, select a datastore, then click Next.
  8. Review the information and click Finish.


The VM Encryption storage policy is added to the list, and is available for use when encrypting a virtual machine.