Before you can create encrypted virtual machines, you must create an encryption storage policy. You create the storage policy once, and assign it each time you encrypt a virtual machine or virtual disk.

If you want to use virtual machine encryption with other I/O filters, or to use the Create VM Storage Policy wizard in the vSphere Client, see the vSphere Storage documentation for details.


  • Set up the connection to the KMS.

    Although you can create a VM Encryption storage policy without the KMS connection in place, you cannot perform encryption tasks until trusted connection with the KMS server is established.

  • Required privileges: Cryptographic operations.Manage encryption policies.


  1. Log in to the vCenter Server by using the vSphere Client.
  2. Select Home, click Policies and Profiles, and click VM Storage Policies.
  3. Click Create VM Storage Policy.
  4. Specify the storage policy values.
    1. Enter a storage policy name and optional description and click Next.
    2. If you are new to this wizard, review the Policy structure information, and click Next.
    3. Select the Use common rules in the VM storage policy check box.
    4. Click Add component and select Encryption > Default Encryption Properties and click Next.
      The default properties are appropriate in most cases. You need a custom policy only if you want to combine encryption with other features such as caching or replication.
    5. Deselect the Use rule-sets in the storage policy check box and click Next.
    6. On the Storage compatibility page, leave Compatible selected, select a datastore, and click Next.
    7. Review the information and click Finish.