When you clone an encrypted virtual machine, the clone is encrypted with the same keys as its parent. To change the keys for the clone, perform a recrypt of the clone using the API. For more information, see the vSphere Web Services SDK Programming Guide.
You can perform the following operations as part of a clone operation.
- Create an encrypted virtual machine from an unencrypted virtual machine or virtual machine template.
- Create a decrypted virtual machine from an encrypted virtual machine or virtual machine template.
- Recrypt the destination virtual machine with keys different from those of the source virtual machine.
- Establish a trusted connection with the KMS and select a default KMS.
- Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.
- Required privileges:
- If the host encryption mode is not Enabled, you must also have the privilege.
- Navigate to the virtual machine in the vSphere Client inventory.
- Right-click the virtual machine and select .
- Navigate through the pages of the wizard.

| Wizard page | Action |
|---|---|
| Select a name and folder | Enter a name and select a data center or folder in which to deploy the clone. |
| Select a compute resource | Select an object for which you have privileges to create encrypted virtual machines. For information about prerequisites and required privileges for encryption tasks, see the vSphere Security documentation. |
| Select storage | Select the datastore or datastore cluster in which to store the template configuration files and all virtual disks. You can change the storage policy as part of the clone operation. For example, changing from an encryption policy to a non-encryption policy decrypts the disks. |
| Select clone options | Select additional customization options. |
| Ready to complete | Review your selections and click Finish. |
- (Optional) Change the keys for the cloned virtual machine.
By default, the cloned virtual machine is created with the same keys as its parent. Best practice is to change the cloned virtual machine's keys so that multiple virtual machines do not share the same keys.
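The clone-then-rekey flow above, scripted with PowerCLI as an added example (not from the VMware documentation). It assumes the VMware.VimAutomation.Storage module, a source VM and KMS cluster with the constructed names shown, and the `-VM`/`-KmsCluster` parameter names of `Set-VMEncryptionKey`; the key comparison reads the vSphere API field VirtualMachineConfigInfo.keyId through ExtensionData.

```powershell
# Added example, not part of the VMware page. Names below are constructed.
$sourceVm  = Get-VM -Name 'src-encrypted-vm'
$cloneName = 'src-encrypted-vm-clone'
$kms       = Get-KmsCluster -Name 'kms-cluster-01'   # assumption: existing trusted KMS cluster

# Clone the encrypted VM onto the same host and its first datastore.
# The clone inherits the parent's keys at this point.
$clone = New-VM -VM $sourceVm -Name $cloneName `
                -VMHost $sourceVm.VMHost `
                -Datastore (Get-Datastore -VM $sourceVm | Select-Object -First 1)

# Compare key IDs (VirtualMachineConfigInfo.keyId.keyId in the vSphere API).
$sourceKey = $sourceVm.ExtensionData.Config.KeyId.KeyId
$cloneKey  = $clone.ExtensionData.Config.KeyId.KeyId
if ($cloneKey -ne $sourceKey) {
    throw "Unexpected: clone '$cloneName' did not inherit the source key"
}

# Recrypt the clone so it no longer shares a key with its parent.
# Assumption: -KmsCluster selects the provider; add -Deep to also rewrite
# the disk data with a new data encryption key instead of only the KEK.
Set-VMEncryptionKey -VM $clone -KmsCluster $kms | Out-Null

# Re-read the clone and verify the key has actually changed.
$clone = Get-VM -Name $cloneName
$newKey = $clone.ExtensionData.Config.KeyId.KeyId
if ($newKey -eq $sourceKey) {
    throw "Recrypt did not change the key of '$cloneName'"
}
Write-Host "Clone '$cloneName' now uses key $newKey (source: $sourceKey)"
```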