Virtual machine encryption tasks are possible only in environments that include vCenter Server. Also, the ESXi host must have encryption mode activated for most encryption tasks. The user who performs the task must have the appropriate privileges. A set of Cryptographic Operations privileges allows fine-grained control. If virtual machine encryption tasks require a change to the host encryption mode, additional privileges are required.

Note: vSphere Trust Authority has additional prerequisites and required privileges. See Prerequisites and Required Privileges for vSphere Trust Authority.

Using Cryptography Privileges and Roles

By default, the user with the vCenter Server Administrator role has all privileges, including Cryptographic Operations privileges. The No cryptography administrator role does not have the following privileges, which are required for cryptographic operations.
  • All Cryptographic Operations privileges.
  • Global.Diagnostics
  • Host.Inventory.Add host to cluster
  • Host.Inventory.Add standalone host
  • Host.Local operations.Manage user groups

Important: ESXi Shell users also have cryptographic operation privileges.

You can assign the No cryptography administrator role to vCenter Server administrators who do not need Cryptographic Operations privileges.

To impose more limits on what users can do, you can clone the No cryptography administrator role and create a custom role with only some of the Cryptographic Operations privileges. For example, you can create a role that allows users to encrypt but not to decrypt virtual machines. See Using vCenter Server Roles to Assign Privileges.

What Is Host Encryption Mode

Host encryption mode determines whether an ESXi host is ready to accept cryptographic material for encrypting virtual machines and virtual disks. Before any cryptographic operations can occur on a host, encryption mode must be activated. Host encryption mode is often set automatically when it is required, but you can also set it explicitly. You can check and explicitly set the current host encryption mode from the vSphere Client or by using the vSphere API.

When host encryption mode is activated, vCenter Server installs a host key on the host, which ensures that the host is cryptographically "safe." With the host key in place, other cryptographic operations can proceed, including vCenter Server obtaining keys from the key provider and pushing them to the ESXi hosts.

In "safe" mode, user worlds (that is, hostd) and encrypted virtual machines have their core dumps encrypted. Unencrypted virtual machines do not have their core dumps encrypted.

For more information about encrypted core dumps and how they are used by VMware Technical Support, see the VMware knowledge base article at https://kb.vmware.com/s/article/2147388.

For instructions, see Activate Host Encryption Mode Explicitly.

After host encryption mode is set, it cannot be deactivated easily. See Deactivate Host Encryption Mode Using the API.

Automatic changes occur when encryption operations attempt to set host encryption mode. For example, assume that you add an encrypted virtual machine to a standalone host on which host encryption mode is not set. If you have the required privileges on the host, encryption mode is set automatically.

Assume that a cluster has three ESXi hosts, host A, B, and C. You create an encrypted virtual machine on host A. What happens depends on several factors.

  • If hosts A, B, and C already have host encryption mode set, you need only Cryptographic operations.Encrypt new privileges to create the virtual machine.
  • If hosts A and B are set for host encryption, and C is not, the system proceeds as follows.
    • Assume that you have both the Cryptographic operations.Encrypt new and the Cryptographic operations.Register host privileges on each host. In this case, the encryption process sets host encryption mode on host C, and pushes the key to each host in the cluster.

      For this case, you can also explicitly set host encryption mode on host C.

    • Assume that you have only Cryptographic operations.Encrypt new privileges on the virtual machine or virtual machine folder. In that case, virtual machine creation succeeds and the key becomes available on host A and host B. Host C remains deactivated for encryption and does not have the virtual machine key.
  • If none of the hosts has host encryption mode set, and you have Cryptographic operations.Register host privileges on host A, then the virtual machine creation process sets host encryption mode on that host. Otherwise, for hosts B and C, an error results.
  • You can also use the vSphere API to set the encryption mode of a cluster to "force enable." Force enable causes all hosts in the cluster to be cryptographically "safe," that is, vCenter Server has installed a host key on the host. See vSphere Web Services SDK Programming Guide.
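The cluster scenarios above, worked through as a constructed Python decision model. This is added here for illustration; it is not VMware code and does not call the vSphere API. It assumes that a host which cannot be switched to encryption mode is simply left without the virtual machine key, and that creation fails only when the host that must run the virtual machine cannot be made cryptographically "safe."

```python
from dataclasses import dataclass, field

# Privilege names as they appear in the vSphere Client.
ENCRYPT_NEW = "Cryptographic operations.Encrypt new"
REGISTER_HOST = "Cryptographic operations.Register host"


@dataclass
class Host:
    name: str
    safe: bool                                    # host encryption mode already set
    privileges: set = field(default_factory=set)  # user's privileges on this host
    has_vm_key: bool = False


def create_encrypted_vm(target: str, hosts: list, vm_privileges: set) -> dict:
    """Model the outcome of creating an encrypted VM on `target`.
    Constructed decision procedure following the rules in the text; not a VMware API."""
    if ENCRYPT_NEW not in vm_privileges:
        return {"ok": False, "error": "missing " + ENCRYPT_NEW,
                "enabled_hosts": [], "key_hosts": []}
    # Hosts not yet in encryption mode get it set only where the user holds
    # Register host on that host (assumption: other hosts are left as they are).
    enabled = []
    for h in hosts:
        if not h.safe and REGISTER_HOST in h.privileges:
            h.safe = True
            enabled.append(h.name)
    target_host = next(h for h in hosts if h.name == target)
    if not target_host.safe:
        # The host that must run the VM cannot hold the key: creation fails.
        return {"ok": False, "error": f"host {target} is not in encryption mode",
                "enabled_hosts": enabled, "key_hosts": []}
    # vCenter Server pushes the VM key only to hosts that are cryptographically safe.
    for h in hosts:
        h.has_vm_key = h.safe
    return {"ok": True, "error": None, "enabled_hosts": enabled,
            "key_hosts": [h.name for h in hosts if h.has_vm_key]}


def cluster(safe: str, register_on: str = "") -> list:
    """Build hosts A, B and C; `safe` and `register_on` list host letters."""
    return [Host(n, safe=n in safe,
                 privileges={REGISTER_HOST} if n in register_on else set())
            for n in "ABC"]


if __name__ == "__main__":
    # Constructed scenario: A and B safe, C not, Register host on every host.
    print(create_encrypted_vm("A", cluster("AB", "ABC"), {ENCRYPT_NEW}))
```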

Disk Space Requirements When Encrypting Virtual Machines

When you encrypt an existing virtual machine, you need at least twice the space that the virtual machine is currently using.