vSphere Virtual Machine Encryption has some limitations regarding devices and features that it can interoperate with.
The following limitations and remarks refer to using vSphere Virtual Machine Encryption. For similar information about using vSAN encryption, see the Administering VMware vSAN documentation.
Limitations on Certain Encryption Tasks
Some restrictions apply when performing certain tasks on an encrypted virtual machine.
- For most encryption operations on a virtual machine, you must power off the virtual machine. You can clone an encrypted virtual machine and you can perform a shallow recrypt while the virtual machine is powered on.
Note: Virtual machines configured with IDE controllers must be powered off to perform a shallow rekey operation.
- You cannot perform a deep recrypt on a virtual machine with snapshots. You can perform a shallow recrypt on a virtual machine with snapshots.
Virtual Trusted Platform Module Devices and vSphere Virtual Machine Encryption
A virtual Trusted Platform Module (vTPM) is a software-based representation of a physical Trusted Platform Module 2.0 chip. You can add a vTPM to either a new or an existing virtual machine. To add a vTPM to a virtual machine, you must configure a key provider in your vSphere environment. When you configure a vTPM, the virtual machine “home” files are encrypted (memory swap, NVRAM files, and so on). The disk files, or VMDK files, are not automatically encrypted. You can choose to add encryption explicitly for the virtual machine disks.
In vSphere 8.0 and later, when cloning a virtual machine that includes a vTPM, you can choose to start with a new, blank vTPM, which gets its own secrets and identity.
vSphere Virtual Machine Encryption and Suspended State and Snapshots
You can resume an encrypted virtual machine from a suspended state, or revert it to a memory snapshot. You can migrate an encrypted virtual machine that has a memory snapshot or is in a suspended state between ESXi hosts.
vSphere Virtual Machine Encryption and IPv6
You can use vSphere Virtual Machine Encryption with pure IPv6 mode or in mixed mode. You can configure the key server with IPv6 addresses. You can configure both the vCenter Server and the key server with only IPv6 addresses.
Limitations on Cloning in vSphere Virtual Machine Encryption
- Full clones are supported. The clone inherits the parent encryption state, including keys. You can encrypt the full clone, re-encrypt the full clone to use new keys, or decrypt the full clone.
- Linked clones are supported, and the clone inherits the parent encryption state, including keys. You cannot decrypt the linked clone or re-encrypt a linked clone with different keys.
Note: Verify that other applications support linked clones. For example, VMware Horizon® 7 supports both full clones and instant clones, but not linked clones.
- Instant clone is supported by all key provider types, but you cannot change encryption keys on clone.
- You can create a linked clone virtual machine from an encrypted virtual machine. The linked clone virtual machine contains the same keys. You can rekey the encrypted virtual machine “home” files of a linked clone, but you cannot rekey the disks.
Limitations with vSphere Native Key Provider
Certain operations are not supported with vSphere Native Key Provider.
- You cannot use vSphere Native Key Provider to encrypt virtual machines on a standalone host. The host must reside in a cluster to use vSphere Native Key Provider.
- You cannot move a host that contains virtual machines encrypted using vSphere Native Key Provider to a different cluster unless the target cluster contains the same vSphere Native Key Provider. (The encrypted virtual machines on the moved host become locked when the encryption keys are not present and the target cluster does not have the same vSphere Native Key Provider.)
- You cannot register a virtual machine encrypted by vSphere Native Key Provider to a legacy host, because legacy hosts do not support vSphere Native Key Provider.
- You cannot register a virtual machine encrypted by vSphere Native Key Provider to a standalone host, because the host must reside in a cluster.
Unsupported Disk Configurations with vSphere Virtual Machine Encryption
Certain types of virtual machine disk configurations are not supported with vSphere Virtual Machine Encryption.
- RDM (Raw Device Mapping). However, vSphere Virtual Volumes (vVols) are supported.
- Multi-writer or shared disks (MSCS, WSFC, or Oracle RAC). Encrypted virtual machine “home” files are supported for multi-writer disks. Encrypted virtual disks are not supported for multi-writer disks. If you attempt to select Multi-writer in the Edit Settings page of the virtual machine with encrypted virtual disks, the OK button is deactivated.
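The limitations in the sections above (power state and snapshots for recrypt operations, IDE controllers, RDM and multi-writer disks, vTPM home-file encryption, and the cluster requirement for vSphere Native Key Provider) can be checked before an operation is attempted. The following PowerCLI function is an added example written for this page; it is not VMware's code and does not appear in the documentation. It assumes an active Connect-VIServer session, a PowerCLI version that provides Get-VM, Get-HardDisk, Get-Snapshot and Get-Cluster, and it reads only the vSphere API properties named in the comments. The function name, its output fields, and the interpretation of the IDE note as "disks attached to an IDE controller" are assumptions of this example.

```powershell
# Added example, not from the VMware documentation: a read-only PowerCLI
# pre-flight check that reports which documented VM Encryption limitations
# currently apply to one virtual machine.
# Assumptions: an active Connect-VIServer session; the function name and
# output fields are invented for this example.
function Test-VmEncryptionPreflight {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$VmName)

    $vm  = Get-VM -Name $VmName -ErrorAction Stop
    $cfg = $vm.ExtensionData.Config
    $findings = New-Object System.Collections.Generic.List[string]

    # VM "home" files (swap, NVRAM, ...) are encrypted when the config carries a keyId.
    $homeEncrypted = $null -ne $cfg.KeyId
    $hasVtpm = @($cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] }).Count -gt 0

    # Keys of the VM's IDE controllers, used to find disks attached to them
    # (assumption: this is what the IDE note above refers to).
    $ideKeys = @($cfg.Hardware.Device |
        Where-Object { $_ -is [VMware.Vim.VirtualIDEController] } |
        ForEach-Object { $_.Key })

    $encryptedDisks = @(); $rdmDisks = @(); $multiWriterDisks = @(); $ideDisks = @()
    foreach ($d in Get-HardDisk -VM $vm) {
        $vdisk = $d.ExtensionData                      # VirtualDisk device object
        if ($vdisk.ControllerKey -in $ideKeys) { $ideDisks += $d.Name }
        if ($d.DiskType -in 'RawPhysical', 'RawVirtual') { $rdmDisks += $d.Name; continue }
        # Flat VMDK backings carry a per-disk keyId and a sharing mode.
        if ($vdisk.Backing.KeyId) { $encryptedDisks += $d.Name }
        if ($vdisk.Backing.Sharing -eq 'sharingMultiWriter') { $multiWriterDisks += $d.Name }
    }

    $hasSnapshots = @(Get-Snapshot -VM $vm).Count -gt 0
    $inCluster    = $null -ne (Get-Cluster -VMHost $vm.VMHost -ErrorAction SilentlyContinue)
    $isEncrypted  = $homeEncrypted -or ($encryptedDisks.Count -gt 0)

    if ($isEncrypted -and $vm.PowerState -eq 'PoweredOn') {
        $findings.Add('Powered on: only clone and shallow recrypt are possible; power off for deep recrypt and other encryption changes.')
        if ($ideDisks.Count -gt 0) {
            $findings.Add("Disks on IDE controllers ($($ideDisks -join ', ')): power off before a shallow rekey as well.")
        }
    }
    if ($isEncrypted -and $hasSnapshots) {
        $findings.Add('Snapshots present: deep recrypt is blocked; shallow recrypt is still allowed.')
    }
    if ($rdmDisks.Count -gt 0) {
        $findings.Add("RDM disks ($($rdmDisks -join ', ')): RDM is not supported with VM Encryption.")
    }
    if ($multiWriterDisks.Count -gt 0) {
        $findings.Add("Multi-writer disks ($($multiWriterDisks -join ', ')): these disks cannot be encrypted; encrypted home files are still supported.")
    }
    if ($hasVtpm -and $encryptedDisks.Count -eq 0) {
        $findings.Add('vTPM present: home files are encrypted, but no disk is; add disk encryption explicitly if required.')
    }
    if (-not $inCluster) {
        $findings.Add('Host is standalone: vSphere Native Key Provider cannot be used for this VM; it needs a clustered host.')
    }

    [PSCustomObject]@{
        VM             = $vm.Name
        PowerState     = $vm.PowerState
        HomeEncrypted  = $homeEncrypted
        EncryptedDisks = $encryptedDisks
        HasVtpm        = $hasVtpm
        HasSnapshots   = $hasSnapshots
        HostInCluster  = $inCluster
        Findings       = $findings.ToArray()
    }
}

# Usage (after Connect-VIServer); the VM name is a placeholder:
# Test-VmEncryptionPreflight -VmName 'db01' | Format-List
```

The function only reads inventory and configuration; it changes nothing, so it can be run against a production VM before scheduling a recrypt, a disk encryption change, or a host move. An empty Findings array means none of the limitations listed on this page currently apply to that VM.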
Miscellaneous Limitations in vSphere Virtual Machine Encryption
Other features that do not work with vSphere Virtual Machine Encryption include the following.
- vSphere ESXi Dump Collector
- Content Library
  - Content libraries support two types of templates, the OVF Template type and the VM Template type. You cannot export an encrypted virtual machine to the OVF Template type. The OVF Tool does not support encrypted virtual machines. You can create encrypted VM templates using the VM Template type. In vSphere 8.0 and later, the ovftool command includes an option to add a vTPM placeholder to the OVF descriptor file. When deploying a virtual machine from such a template, vCenter Server creates a vTPM with unique secrets on the destination virtual machine. See the vSphere Virtual Machine Administration documentation.
- Software for backing up encrypted virtual disks must use the VMware vSphere Storage API - Data Protection (VADP) to back up the disks in either hot-add mode or NBD mode with SSL enabled. However, not all backup solutions that use VADP for virtual disk backup are supported. Check with your backup vendor for details.
  - VADP SAN transport mode solutions are not supported for backing up encrypted virtual disks.
  - VADP Hot-Add solutions are supported for encrypted virtual disks. The backup software must support encryption of the proxy VM that is used as part of the hot-add backup workflow. The vendor must have the privilege .
  - Backup solutions using the NBD-SSL transport modes are supported for backing up encrypted virtual disks. The vendor application must have the privilege .
- You cannot send output from an encrypted virtual machine to a serial port or parallel port. Even if the configuration appears to succeed, output is sent to a file.
- vSphere Virtual Machine Encryption is not supported in VMware Cloud on AWS. See the Managing the VMware Cloud on AWS Data Center documentation.