You can encrypt an existing virtual machine or virtual disk by changing its storage policy. You can encrypt virtual disks only for encrypted virtual machines.

Prerequisites

  • Establish a trusted connection with the KMS and select a default KMS.
  • Create an encryption storage policy, or use the bundled sample, VM Encryption Policy.
  • Ensure that the virtual machine is powered off.
  • Verify that you have the required privileges:
    • Cryptographic operations.Encrypt new
    • If the host encryption mode is not Enabled, you also need Cryptographic operations.Register host.

Procedure

  1. Connect to vCenter Server by using the vSphere Client.
  2. Right-click the virtual machine that you want to change and select VM Policies > Edit VM Storage Policies.
    You can set the storage policy for the virtual machine files, represented by VM home, and the storage policy for virtual disks.
  3. Select the storage policy.
    • To encrypt the VM and its hard disks, select an encryption storage policy and click OK.
    • To encrypt the VM but not the virtual disks, toggle on Configure per disk, select the encryption storage policy for VM Home and other storage policies for the virtual disks, and click OK.
    You cannot encrypt the virtual disk of an unencrypted virtual machine. However, if you use the vSphere Client to encrypt the VM Home files, you can then reconfigure the unencrypted virtual machine with the encrypted disk.
  4. If you prefer, you can encrypt the virtual machine, or both virtual machine and disks, from the Edit Settings menu in the vSphere Client.
    1. Right-click the virtual machine and select Edit Settings.
    2. Select the VM Options tab, and open Encryption. Choose an encryption policy. If you deselect all disks, only the VM home is encrypted.
    3. Click OK.