vSphere Virtual Machine Encryption has some limitations regarding devices and features that it can interoperate with.

Limitations on Certain Encryption Tasks

You cannot perform certain tasks on an encrypted virtual machine.

  • For most virtual machine encryption operations, the virtual machine must be powered off. You can clone an encrypted virtual machine and you can perform a shallow recrypt while the virtual machine is powered on.
  • You can perform a shallow recrypt on a virtual machine with snapshots. You cannot perform a deep recrypt on a virtual machine with snapshots.

You can resume from a suspended state of an encrypted virtual machine, or revert to a memory snapshot of an encrypted machine. You can migrate an encrypted virtual machine with memory snapshot and suspended state between ESXi hosts.

vSphere Virtual Machine Encryption and IPv6

You can use vSphere Virtual Machine Encryption with pure IPv6 mode or in mixed mode. You can configure the key server with IPv6 addresses. Both vCenter Server and the key server can be configured with only IPv6 addresses.

Limitations on vSphere Virtual Machine Encryption Features

Certain features do not work with vSphere Virtual Machine Encryption, or are supported only conditionally.
  • vSphere Fault Tolerance
  • For a standard key provider, cloning is supported conditionally.
    • Full clones are supported. The clone inherits the parent encryption state including keys. You can encrypt the full clone, re-encrypt the full clone to use new keys, or decrypt the full clone.
    • Linked clones are supported, and the clone inherits the parent encryption state including keys. You cannot decrypt the linked clone or re-encrypt a linked clone with different keys.

  • For a trusted key provider, cloning is supported, but encryption keys cannot be changed on clone. This behavior contrasts with standard encryption where keys can be changed when creating a clone. The following operations are not supported by vSphere Trust Authority during cloning of a virtual machine:
    • Cloning from an unencrypted virtual machine to an encrypted virtual machine
    • Cloning from an encrypted virtual machine and changing the encryption keys
  • Instant clone is supported by all key provider types, but you cannot change encryption keys on clone.
  • vSphere ESXi Dump Collector
  • Content Library
  • Not all backup solutions that use VMware vSphere Storage API - Data Protection (VADP) for virtual disk backup are supported.
    • VADP SAN backup solutions are not supported.
    • VADP hot add backup solutions are supported if the vendor supports encryption of the proxy VM that is created as part of the backup workflow. The vendor must have the privilege Cryptographic Operations.Encrypt Virtual Machine.
    • VADP NBD-SSL backup solutions are supported. The vendor application must have the privilege Cryptographic Operations.Direct Access.
  • You cannot use vSphere Virtual Machine Encryption for encryption on other VMware products such as VMware Workstation.
  • You cannot send output from an encrypted virtual machine to a serial port or parallel port. Even if the configuration appears to succeed, output is sent to a file.

Certain types of virtual machine disk configurations are not supported with vSphere Virtual Machine Encryption.
  • RDM (Raw Device Mapping).
  • Multi-writer or shared disks (MSCS, WSFC, or Oracle RAC). If a virtual disk is encrypted, and if you attempt to select Multi-writer in the Edit Settings page of the virtual machine, the OK button is disabled.
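
The task, cloning, and disk limitations above can be encoded as a preflight check that automation runs before it requests an encryption operation. The following is an added example, not VMware code: the dictionary keys, operation names, and the sample inventory entry are assumptions, and combinations the page does not describe are reported as unstated rather than guessed.

```python
# Added example. Dictionary keys and operation names are assumptions, not a vSphere API.
POWERED_ON_OK = {"clone", "shallow_recrypt"}  # the only operations allowed while powered on

def check_operation(vm, op):
    """Return the reasons `op` is blocked for `vm`; an empty list means no listed limit applies."""
    reasons = []
    if vm["powered_on"] and op not in POWERED_ON_OK:
        reasons.append(f"{op}: virtual machine must be powered off")
    if op == "deep_recrypt" and vm["snapshots"] > 0:
        reasons.append("deep_recrypt: not possible on a virtual machine with snapshots")
    if op == "encrypt":
        if vm.get("fault_tolerance"):
            reasons.append("vSphere Fault Tolerance does not work with encryption")
        for disk in vm["disks"]:
            if disk["type"] == "rdm":
                reasons.append(f"{disk['name']}: RDM is not supported")
            if disk.get("multi_writer"):
                reasons.append(f"{disk['name']}: multi-writer or shared disk is not supported")
    return reasons

def check_clone(provider, clone_type, source_encrypted, key_action):
    """key_action on the clone: 'inherit', 'encrypt', 'recrypt' or 'decrypt'."""
    if key_action == "inherit":
        return "allowed"  # every supported clone type inherits the parent state
    if key_action == "recrypt" and (clone_type in ("instant", "linked") or provider == "trusted"):
        return "blocked: encryption keys cannot be changed on this clone"
    if provider == "trusted" and key_action == "encrypt" and not source_encrypted:
        return "blocked: trusted key provider cannot clone unencrypted to encrypted"
    if provider == "standard" and clone_type == "linked" and key_action == "decrypt":
        return "blocked: a linked clone cannot be decrypted"
    if provider == "standard" and clone_type == "full":
        return "allowed"  # encrypt, re-encrypt and decrypt are all listed for full clones
    return "unstated: combination not covered by the page, verify before relying on it"

# Constructed sample inventory entry.
SAMPLE_VM = {"name": "db01", "powered_on": True, "snapshots": 2, "fault_tolerance": False,
             "disks": [{"name": "disk0", "type": "vmdk"},
                       {"name": "disk1", "type": "rdm"},
                       {"name": "disk2", "type": "vmdk", "multi_writer": True}]}

if __name__ == "__main__":
    for op in ("encrypt", "shallow_recrypt", "deep_recrypt", "clone"):
        print(op, check_operation(SAMPLE_VM, op) or "no listed limitation")
    print(check_clone("standard", "linked", True, "decrypt"))
    print(check_clone("trusted", "full", False, "encrypt"))
```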