A cloned, encrypted virtual machine is encrypted with the same keys as its source unless you change them. To change keys, you can use the vSphere Client, PowerCLI, or the API. With PowerCLI or the API, you can clone the encrypted virtual machine and change its keys in one step.

You can perform the following operations as part of a clone operation.

  • Create an encrypted virtual machine from an unencrypted virtual machine or template virtual machine.
  • Create a decrypted virtual machine from an encrypted virtual machine or template virtual machine.
  • Recrypt the destination virtual machine with keys that differ from those of the source virtual machine.
  • In vSphere 8.0 and later, selecting the Replace option for a virtual machine with a vTPM starts with a new, blank vTPM, which gets its own secrets and identity.
Note: vSphere 8.0 and later includes the vpxd.clone.tpmProvisionPolicy advanced setting, which lets you make "replace" the default clone behavior for vTPMs.

You can create an instant clone virtual machine from an encrypted virtual machine, but be aware that the instant clone shares the same key with the source virtual machine. You cannot recrypt keys on either the source or the instant clone virtual machine.

To use the API to clone encrypted machines, see vSphere Web Services SDK Programming Guide.

Prerequisites

  • A key provider must be configured and enabled.
  • Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.
  • Required privileges (applies to all key providers):
    • Cryptographic operations.Clone
    • Cryptographic operations.Encrypt
    • Cryptographic operations.Decrypt
    • Cryptographic operations.Recrypt
    • If the host encryption mode is not enabled, you also must have the Cryptographic operations.Register host privilege.

Procedure

  1. Browse to the virtual machine in the vSphere Client inventory.
  2. To create a clone of an encrypted machine, right-click the virtual machine, select Clone > Clone to Virtual Machine, and follow the prompts.
    1. On the Select a name and folder page, specify a name and the target location for the clone.
    2. On the Select a compute resource page, specify an object for which you have privileges.
    3. (Optional) Change the keys for the cloned vTPM.
      Figure 1. Select TPM Provision Policy (screen shot of the TPM Provision Policy choices offered when cloning a virtual machine that has a vTPM)
      Cloning a virtual machine duplicates the entire virtual machine, including the vTPM and its secrets, which can be used to determine a system’s identity. To change secrets on a vTPM, select Replace for TPM Provision Policy.
      Note: When you replace the secrets of a vTPM, all keys, including workload-related keys, are replaced. As a best practice, ensure that your workloads no longer use a vTPM before you replace the keys. Otherwise, the workloads in the cloned virtual machine might not function correctly.
    4. On the Select storage page, select a datastore. You can change the storage policy as part of the clone operation. For example, changing from using an encryption policy to a non-encryption policy decrypts the disks.
    5. On the Select clone options page, select clone options, as discussed in the vSphere Virtual Machine Administration documentation.
    6. On the Ready to complete page, review the information and click Finish.
  3. (Optional) Change the keys for the cloned virtual machine.
    By default, the cloned virtual machine is created with the same keys as its parent. Best practice is to change the keys of the cloned virtual machine to ensure that multiple virtual machines do not have the same keys.
    1. Decide upon a shallow or deep recrypt.
      To use a different DEK and KEK, perform a deep recrypt of the cloned virtual machine. To use only a different KEK, perform a shallow recrypt of the cloned virtual machine. For a deep recrypt, you must power off the virtual machine. You can perform a shallow recrypt while the virtual machine is powered on, and also when the virtual machine has snapshots. Shallow recrypt of an encrypted virtual machine with snapshots is permitted only on a single snapshot branch (disk chain); multiple snapshot branches are not supported. If the shallow recrypt fails before all links in the chain have been updated with the new KEK, you can still access the encrypted virtual machine as long as you have both the old and the new KEK.
    2. Perform a recrypt of the clone using the API. See vSphere Web Services SDK Programming Guide.
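The following PowerCLI script is an added example and is not part of the vSphere documentation or of PowerCLI itself. It performs the clone-and-rekey sequence described above (clone onto an encryption storage policy, then shallow or deep recrypt of the clone) and afterwards checks that the source and the clone no longer share a key, using the virtual machine's Config.KeyId from the vSphere API. The inventory names (src-vm, src-vm-clone, esx01.example.com, ds01, kp-standard) are placeholders, and the parameter names -StoragePolicy on New-VM and -DeepRecrypt on Set-VMEncryptionKey are assumptions to verify against the PowerCLI reference for your version.

```powershell
# Added example, not from the vSphere documentation or from PowerCLI.
# Assumes: Connect-VIServer has already been run, the VMware.VimAutomation.Storage
# module is loaded, and a key provider is configured. All inventory names below
# are placeholders. Parameter names marked "assumed" must be checked against the
# PowerCLI reference for the installed version.
param(
    [string]$SourceName      = 'src-vm',
    [string]$CloneName       = 'src-vm-clone',
    [string]$HostName        = 'esx01.example.com',
    [string]$DatastoreName   = 'ds01',
    [string]$PolicyName      = 'VM Encryption Policy',   # bundled sample policy named on the page
    [string]$KeyProviderName = 'kp-standard',
    [switch]$Deep                                        # deep recrypt = new DEK and KEK
)

# Returns the crypto key identity of a VM as the vSphere API reports it
# (VirtualMachineConfigInfo.keyId -> CryptoKeyId). Null when the VM is not encrypted.
function Get-VMKeyInfo {
    param([Parameter(Mandatory)] $VM)
    $key = $VM.ExtensionData.Config.KeyId
    if (-not $key) { return $null }
    [pscustomobject]@{
        Name       = $VM.Name
        ProviderId = $key.ProviderId.Id
        KeyId      = $key.KeyId
    }
}

# True when two VMs are wrapped by the same key from the same provider,
# which is exactly the state a freshly cloned encrypted VM is in.
function Test-SharedKey {
    param([Parameter(Mandatory)] $A, [Parameter(Mandatory)] $B)
    $ka = Get-VMKeyInfo -VM $A
    $kb = Get-VMKeyInfo -VM $B
    if (-not $ka -or -not $kb) { return $false }
    return ($ka.ProviderId -eq $kb.ProviderId) -and ($ka.KeyId -eq $kb.KeyId)
}

# Shallow recrypt is only supported on a single snapshot branch; refuse early
# if any snapshot in the chain has more than one child.
function Test-SingleSnapshotBranch {
    param([Parameter(Mandatory)] $VM)
    $snaps = Get-Snapshot -VM $VM -ErrorAction SilentlyContinue
    foreach ($s in $snaps) {
        if (@($s.Children).Count -gt 1) { return $false }
    }
    return $true
}

$src    = Get-VM -Name $SourceName
$target = Get-VMHost -Name $HostName
$ds     = Get-Datastore -Name $DatastoreName
$policy = Get-SpbmStoragePolicy -Name $PolicyName
$kp     = Get-KeyProvider -Name $KeyProviderName

# Step 1: clone onto the encryption storage policy. The clone starts out
# encrypted with the same keys as the source (-StoragePolicy: assumed).
$clone = New-VM -Name $CloneName -VM $src -VMHost $target -Datastore $ds -StoragePolicy $policy

if (-not (Test-SharedKey -A $src -B $clone)) {
    Write-Warning "Clone does not report the source's key; check the storage policy on the clone."
}

# Step 2: give the clone keys of its own.
if ($Deep) {
    # A deep recrypt requires the VM to be powered off.
    if ($clone.PowerState -eq 'PoweredOn') { Stop-VM -VM $clone -Confirm:$false | Out-Null }
    Set-VMEncryptionKey -VM $clone -KeyProvider $kp -DeepRecrypt    # -DeepRecrypt: assumed
} else {
    if (-not (Test-SingleSnapshotBranch -VM $clone)) {
        throw "Shallow recrypt needs a single snapshot branch; consolidate snapshots first."
    }
    Set-VMEncryptionKey -VM $clone -KeyProvider $kp                 # shallow: new KEK only
}

# Step 3: verify that source and clone are now wrapped by different keys.
$clone = Get-VM -Name $CloneName
if (Test-SharedKey -A $src -B $clone) {
    throw "Recrypt did not change the clone's key; source and clone still share a KEK."
}
Get-VMKeyInfo -VM $src
Get-VMKeyInfo -VM $clone
```

The shared-key check is the part worth keeping even if you run the clone and recrypt from the vSphere Client: running Test-SharedKey across a set of VMs that were cloned from one template flags any pair that still shares a KeyId, which is the condition the best-practice note in step 3 is about.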