Cryptographic operations privileges control who can perform which type of cryptographic operation on which type of object.
You can set this privilege at different levels in the hierarchy. For example, if you set a privilege at the folder level, you can propagate the privilege to one or more objects within the folder. The object listed in the Required On column must have the privilege set, either directly or inherited.
| Privilege Name in the vSphere Client | Description | Required On | Privilege Name in the API |
|---|---|---|---|
| Direct Access | Allows users access to encrypted resources. Users can export virtual machines, have NFC access to virtual machines, and open a console session to an encrypted virtual machine. | Virtual machine, host, or datastore | Cryptographer.Access |
| Add disk | Allows users to add a disk to an encrypted virtual machine. |
Virtual machine | Cryptographer.AddDisk |
| Clone | Allows users to clone an encrypted virtual machine. |
Virtual machine | Cryptographer.Clone |
| Decrypt | Allows users to decrypt a virtual machine or disk. |
Virtual machine | Cryptographer.Decrypt |
| Encrypt | Allows users to encrypt a virtual machine or a virtual machine disk. |
Virtual machine | Cryptographer.Encrypt |
| Encrypt new | Allows users to encrypt a virtual machine during virtual machine creation or a disk during disk creation. |
Virtual machine folder | Cryptographer.EncryptNew |
| Manage encryption policies | Allows users to manage virtual machine storage policies with encryption IO filters. By default, virtual machines that use the Encryption storage policy do not use other storage policies. | vCenter Server root folder | Cryptographer.ManageEncryptionPolicy |
| Manage KMS | Allows users to manage the Key Management Server for the vCenter Server system. Management tasks include adding and removing KMS instances, and establishing a trust relationship with the KMS. | vCenter Server system | Cryptographer.ManageKeyServers |
| Manage keys | Allows users to perform key management operations. These operations are not supported from the vSphere Client but can be performed by using crypto-util or the API. | vCenter Server root folder | Cryptographer.ManageKeys |
| Migrate | Allows users to migrate an encrypted virtual machine to a different ESXi host. Supports migration with or without vMotion and storage vMotion. Supports migration to a different vCenter Server instance. | Virtual machine | Cryptographer.Migrate |
| Recrypt | Allows users to recrypt virtual machines or disks with a different key. This privilege is required for both deep and shallow recrypt operations. | Virtual machine | Cryptographer.Recrypt |
| Register VM | Allows users to register an encrypted virtual machine with an ESXi host. | Virtual machine folder | Cryptographer.RegisterVM |
| Register host | Allows users to enable encryption on a host. You can enable encryption on a host explicitly, or the virtual machine creation process can enable it. | Host folder for standalone hosts, cluster for hosts in cluster | Cryptographer.RegisterHost |
| Read KMS information | Allows users to list vSphere Native Key Providers on the vCenter Server and on hosts. Also allows users to get vSphere Native Key Provider information. | vCenter Server or host | Cryptographer.ReadKeyServersInfo |
