You can use the vSphere Client to perform a shallow rekey of an encrypted virtual machine. You might perform a rekey of an encrypted virtual machine for business or compliance reasons.

A shallow rekey (also called a recrypt) replaces only the Key Encryption Key (KEK), the key that wraps the virtual machine's Disk Encryption Key (DEK). The DEK, and therefore the encrypted disk data, is unchanged, so you do not need to power off the encrypted virtual machine to perform a shallow rekey. If you need to replace both the DEK and the KEK, you must perform a deep rekey.

Note: Virtual machines configured with IDE controllers must be powered off to perform a shallow rekey operation.

For more conceptual information, see How Do You Recrypt (Rekey) an Encrypted Virtual Machine.

Prerequisites

Required privilege: Cryptographic operations.Recrypt

Procedure

  1. Log in to the vCenter Server system with the vSphere Client.
  2. Browse the inventory list and select the encrypted virtual machine.
  3. Right-click the encrypted virtual machine and select VM Policies.
  4. Select Re-encrypt.
  5. Click Yes.
    The encrypted virtual machine is rekeyed with the new KEK.
    Note: If the rekey fails, the events subsystem posts the following event:
    com.vmware.vc.vm.crypto.RekeyFail
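The readiness rules above (encrypted VM; IDE-controller VMs powered off) and the RekeyFail event lend themselves to a small pre-check and detection script. This is an added example, not VMware code; the VM inventory and event records are constructed stand-ins for what the vSphere API (VirtualMachine.config and EventManager) would return, and only the eventTypeId/vm fields are assumed.

```python
"""Pre-check VMs for a shallow rekey and pick RekeyFail events out of an
event feed.  Added example, not VMware code; inventory and events are
constructed and only mimic the eventTypeId/vm fields of vSphere EventEx."""
from dataclasses import dataclass

# Event type posted when a rekey fails (from the vSphere documentation).
REKEY_FAIL_EVENT = "com.vmware.vc.vm.crypto.RekeyFail"


@dataclass
class VM:
    name: str
    encrypted: bool
    powered_on: bool
    controllers: tuple  # device class names, e.g. ("VirtualIDEController",)


def shallow_rekey_readiness(vm: VM) -> str:
    """Rules from the procedure: recrypt needs an encrypted VM; a shallow
    rekey runs powered on, except when an IDE controller is present."""
    if not vm.encrypted:
        return "skip: not encrypted"
    if vm.powered_on and any("IDE" in c for c in vm.controllers):
        return "power off first: IDE controller present"
    return "ready"


def rekey_failures(events, vms):
    """Map each VM named in a RekeyFail event to a triage note: whether the
    readiness check would have flagged it (a possible cause to check before
    retrying) or whether the VM looked ready and needs a closer look."""
    by_name = {vm.name: vm for vm in vms}
    failures = {}
    for ev in events:
        if ev.get("eventTypeId") != REKEY_FAIL_EVENT:
            continue
        vm = by_name.get(ev["vm"])
        state = shallow_rekey_readiness(vm) if vm else "unknown VM"
        failures[ev["vm"]] = ("investigate: VM looked ready" if state == "ready"
                              else "possible cause: " + state)
    return failures


# Constructed sample data: one plain SCSI VM, one IDE VM, one unencrypted VM.
SAMPLE_VMS = (
    VM("db01", True, True, ("VirtualLsiLogicSASController",)),
    VM("legacy-ide", True, True, ("VirtualIDEController", "VirtualLsiLogicSASController")),
    VM("web02", False, True, ("ParaVirtualSCSIController",)),
)
SAMPLE_EVENTS = [
    {"eventTypeId": REKEY_FAIL_EVENT, "vm": "legacy-ide"},
    {"eventTypeId": "VmPoweredOnEvent", "vm": "db01"},
    {"eventTypeId": REKEY_FAIL_EVENT, "vm": "db01"},
]
```

Running rekey_failures(SAMPLE_EVENTS, SAMPLE_VMS) flags legacy-ide with the IDE power-off rule and marks db01 for investigation, since nothing in the procedure's preconditions explains its failure.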