vSphere Virtual Machine Encryption has some limitations regarding devices and features that it can interoperate with.
You cannot perform certain tasks on an encrypted virtual machine.
- For most virtual machine encryption operations, the virtual machine must be powered off. You can clone an encrypted virtual machine and you can perform a shallow recrypt while the virtual machine is powered on.
- You can perform a shallow recrypt on a virtual machine with snapshots. You cannot perform a deep recrypt on a virtual machine with snapshots.
You can resume from a suspended state of an encrypted virtual machine, or revert to a memory snapshot of an encrypted machine. You can migrate an encrypted virtual machine with memory snapshot and suspended state between ESXi hosts.
You can use vSphere Virtual Machine Encryption with pure IPv6 mode or in mixed mode. You can configure the KMS with IPv6 addresses. Both vCenter Server and the KMS can be configured with only IPv6 addresses.
- vSphere Fault Tolerance
- Cloning is supported conditionally.
  - Full clones are supported. The clone inherits the parent encryption state including keys. You can encrypt the full clone, re-encrypt the full clone to use new keys, or decrypt the full clone.
  - Linked clones are supported, and the clone inherits the parent encryption state including keys. You cannot decrypt the linked clone or re-encrypt a linked clone with different keys.
- vSphere ESXi Dump Collector
- Content Library
- Not all backup solutions that use VMware vSphere Storage API - Data Protection (VADP) for virtual disk backup are supported.
  - VADP SAN backup solutions are not supported.
  - VADP hot add backup solutions are supported if the vendor supports encryption of the proxy VM that is created as part of the backup workflow. The vendor must have the privilege .
  - VADP NBD-SSL backup solutions are supported. The vendor application must have the privilege .
- You cannot use vSphere Virtual Machine Encryption for encryption on other VMware products such as VMware Workstation.
- You cannot send output from an encrypted virtual machine to a serial port or parallel port. Even if the configuration appears to succeed, output is sent to a file.
- RDM (Raw Device Mapping).
- Multi-writer or shared disks (MSCS, WSFC, or Oracle RAC). If a virtual disk is encrypted, and if you attempt to select Multi-writer in the Edit Settings page of the virtual machine, the OK button is disabled.