With vSphere Virtual Machine Encryption, you can protect your sensitive workloads more strongly than with unencrypted virtual machines. Access to the encryption keys can be made conditional on the ESXi host being in a trusted state.

In vSphere 6.5 and 6.7, vCenter Server requests keys from an external Key Management Server (KMS). The KMS generates and stores the keys, and passes them to vCenter Server for distribution.

Starting in vSphere 7.0, you can configure vSphere Trust Authority, which removes the need for vCenter Server to request keys from the KMS and makes access to the encryption keys conditional on the attestation state of a workload cluster. See vSphere Trust Authority.

You manage different aspects of virtual machine encryption in different ways.

For standard key providers:

  • Manage setup of the trusted connection with the KMS and perform most encryption workflows from the vSphere Client.
  • Manage automation of some advanced features from the vSphere Web Services SDK. See vSphere Web Services SDK Programming Guide and vSphere Web Services API Reference.
  • Use the crypto-util command-line tool directly on the ESXi host for some special cases, for example, to decrypt the core dumps in a vm-support bundle.

For vSphere Trust Authority trusted key providers:

  • Manage setup of the vSphere Trust Authority services and trusted connections, including trusted key providers, by using PowerCLI cmdlets or vSphere APIs. See VMware PowerCLI Cmdlets Reference and vSphere Automation SDKs Programming Guide.