You can decrypt a virtual machine, its disks, or both, by changing the storage policy.

This task describes how to decrypt an encrypted virtual machine using the vSphere Client.

All encrypted virtual machines require encrypted vMotion. Decrypting a virtual machine does not change its Encrypted vMotion setting. If you no longer want the virtual machine to use Encrypted vMotion, change the setting explicitly.

This task explains how to perform decryption using storage policies. For virtual disks, you can also perform decryption using the Edit Settings menu.

Note: In the Virtual Machine Details pane, a vTPM-enabled virtual machine displays both a lock icon and an "Encrypted with key_provider" message. To remove a vTPM from a virtual machine, see Remove Virtual Trusted Platform Module from a Virtual Machine.

Prerequisites

  • The virtual machine must be encrypted.
  • The virtual machine must be powered off or in maintenance mode.
  • Required privileges: Cryptographic operations.Decrypt

Procedure

  1. Connect to vCenter Server by using the vSphere Client.
  2. Right-click the virtual machine that you want to change and select VM Policies > Edit VM Storage Policies.
    You can set the storage policy for the virtual machine files, represented by VM home, and the storage policy for virtual disks.
  3. Select a storage policy.
    • To decrypt the VM and its hard disks, toggle off Configure per disk, select a storage policy from the drop-down menu, and click OK.
    • To decrypt a virtual disk but not the virtual machine, toggle on Configure per disk, select the encryption storage policy for VM Home and other storage policies for the virtual disks, and click OK.
    You cannot decrypt the virtual machine and leave the disk encrypted.
  4. If you prefer, you can use the vSphere Client to decrypt the virtual machine and disks from the Edit Settings menu.
    1. Right-click the virtual machine and select Edit Settings.
    2. Select the VM Options tab and expand Encryption.
    3. To decrypt the VM and its hard disks, choose None from the Encrypt VM drop-down menu.
    4. To decrypt a virtual disk but not the virtual machine, deselect the disk.
    5. Click OK.
  5. (Optional) You can change the Encrypted vMotion setting.
    1. Right-click the virtual machine and click Edit Settings.
    2. Click VM Options, and open Encryption.
    3. Set the Encrypted vMotion value.
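
The prerequisites and constraints of this procedure can be checked before a change window. The following is an added example, not VMware code: it reviews a planned decryption against the rules stated above (VM encrypted, powered off or in maintenance mode, Decrypt privilege held, no decrypted VM home with encrypted disks) and notes when Encrypted vMotion will remain in place afterwards. The `DecryptPlan` record, its field names, the sample plans, and the Encrypted vMotion value strings (`Disabled`, `Required`) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Privilege label as written in the prerequisites above.
DECRYPT_PRIV = "Cryptographic operations.Decrypt"

@dataclass
class DecryptPlan:
    """Hypothetical record of one planned change (field names are assumptions)."""
    name: str
    powered_off: bool
    maintenance_mode: bool
    home_encrypted: bool               # VM home is encrypted today
    home_after: bool                   # VM home keeps an encryption policy
    disks_after: dict                  # disk label -> still encrypted afterwards
    encrypted_vmotion: str             # current Encrypted vMotion value
    operator_privs: set = field(default_factory=set)

def review(plan):
    """Return (severity, message) findings; any BLOCK means do not proceed."""
    out = []
    if not plan.home_encrypted:
        out.append(("BLOCK", "virtual machine is not encrypted"))
    if not (plan.powered_off or plan.maintenance_mode):
        out.append(("BLOCK", "power off the VM or enter maintenance mode"))
    if DECRYPT_PRIV not in plan.operator_privs:
        out.append(("BLOCK", "operator lacks " + DECRYPT_PRIV))
    left = sorted(d for d, enc in plan.disks_after.items() if enc)
    if not plan.home_after and left:
        # The one combination the procedure rules out.
        out.append(("BLOCK", "VM home decrypted but disks stay encrypted: "
                    + ", ".join(left)))
    if not plan.home_after and not left and plan.encrypted_vmotion != "Disabled":
        # Decryption leaves this setting in place; it must be changed explicitly.
        out.append(("NOTE", "Encrypted vMotion remains " + plan.encrypted_vmotion))
    return out

# Constructed sample plans, not taken from a real inventory.
OK_PLAN = DecryptPlan("app01", True, False, True, False,
                      {"Hard disk 1": False}, "Required", {DECRYPT_PRIV})
BAD_PLAN = DecryptPlan("db01", False, False, True, False,
                       {"Hard disk 1": True, "Hard disk 2": False}, "Required")

if __name__ == "__main__":
    for p in (OK_PLAN, BAD_PLAN):
        for sev, msg in review(p):
            print(p.name, sev, msg)
```

A plan that decrypts only a virtual disk and keeps the encryption policy on VM home produces no findings, which matches the per-disk option in step 3.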