You can use the CLI to perform a shallow rekey of an encrypted virtual machine. You might perform a rekey of an encrypted virtual machine for business or compliance reasons.

A shallow rekey (also called recrypt) replaces only the Key Encryption Key (KEK). You do not need to power off the encrypted virtual machine to perform a shallow rekey. If you need to replace both the Disk Encryption Key (DEK) and the KEK, you must perform a deep rekey.

This task shows how to perform a shallow rekey on an encrypted virtual machine using the currently assigned key provider.

For more conceptual information, see How Do You Recrypt (Rekey) an Encrypted Virtual Machine.

Prerequisites

Required privilege: Cryptographic operations.Recrypt

Note: Virtual machines configured with IDE controllers must be powered off to perform a shallow rekey operation.

Procedure

  1. In a PowerCLI session, run the Connect-VIServer cmdlet to connect as an administrator to the vCenter Server host.
  2. Assign the current key provider to a variable.
    $kp = Get-KeyProvider keyprovider_name
  3. Assign the encrypted virtual machine to a variable.
    $vm = Get-VM encrypted_vm_name
  4. Check the security information for the encrypted virtual machine.
    Get-SecurityInfo -Entity $vm

    Note the EncryptionKeyId.

  5. Perform the shallow rekey of the encrypted virtual machine.
    Set-VM -vm $vm -KeyProvider $kp

    Type Y to confirm the rekey.

  6. To verify that the EncryptionKeyId has changed, check the security information for the encrypted virtual machine.
    Get-SecurityInfo -Entity $vm
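The procedure above as one PowerCLI script, added here as an example and not part of the VMware documentation: it records the EncryptionKeyId before the rekey, enforces the IDE-controller power-off restriction from the prerequisites, and fails if the key identifier did not change afterwards. The vCenter Server name, key provider name and virtual machine name are placeholders, and `-Confirm:$false` stands in for the interactive Y prompt.

```powershell
# Added example (not VMware's own code). Placeholders: vcenter.example.com,
# MyKeyProvider, EncryptedVM. Assumes a PowerCLI session with the
# VMware.VimAutomation.Security module loaded.
$server = 'vcenter.example.com'   # assumed vCenter Server name
Connect-VIServer -Server $server | Out-Null

$kp = Get-KeyProvider 'MyKeyProvider'   # assumed key provider name
$vm = Get-VM -Name 'EncryptedVM'        # assumed encrypted VM name

# Documented restriction: a VM with an IDE controller must be powered off
# before a shallow rekey. Check the hardware device list through the vSphere API.
$hasIde = @($vm.ExtensionData.Config.Hardware.Device |
    Where-Object { $_ -is [VMware.Vim.VirtualIDEController] }).Count -gt 0
if ($hasIde -and $vm.PowerState -ne 'PoweredOff') {
    throw "VM '$($vm.Name)' has an IDE controller and must be powered off first."
}

# Record the KEK identifier before the operation (step 4).
$before = (Get-SecurityInfo -Entity $vm).EncryptionKeyId
if (-not $before) {
    throw "VM '$($vm.Name)' is not encrypted; nothing to rekey."
}

# Shallow rekey (recrypt): only the KEK is replaced, the DEK is kept, so a
# VM without IDE controllers can stay powered on (step 5).
Set-VM -VM $vm -KeyProvider $kp -Confirm:$false | Out-Null

# Verify that the KEK identifier actually changed (step 6); refresh the VM object.
$vm    = Get-VM -Name $vm.Name
$after = (Get-SecurityInfo -Entity $vm).EncryptionKeyId
if ($after -eq $before) {
    throw "Rekey did not change the EncryptionKeyId ($before)."
}
Write-Output "Shallow rekey succeeded: $before -> $after"
```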