VMware has introduced virtual machine (VM) Encryption in vSphere 6.5. The main purpose of VM Encryption is to secure data within VM disks (VMDKs) and ensure that only authorized users can access the data on the disks after mounting them.

This feature will encrypt the VM configuration file (VMX), the swap files of the VM, and the VMDK file. This means it will encrypt live memory content and data. As I/O comes out of the VM's virtual disk controller, a module in the kernel of an ESXi host immediately encrypts it before sending it to the kernel storage layer.

VM Encryption in vSphere 6.5: How does it work?

Before you can use vSphere VM Encryption to perform encryption operations, you must connect your vCenter Server to a key management server (KMS).

Through the vSphere client, right-click vCenter server > Settings > Configure tab > Key management servers > Add KMS.

Adding a new KMS


VMware provides and supports many different KMSes. You might want to check this VMware knowledge base (KB) article detailing the setup: Connect a vCenter Server System to a Key Management Server (KMS). Note that VM keys do not persist in vCenter.

vSphere VM Encryption: The three main components

  • External KMS: a separate VM (or physical machine) that distributes keys.
  • vCenter server: requests keys from the KMS and distributes those keys as needed to ESXi hosts.
  • ESXi host: receives the key encryption keys (KEKs) that vCenter Server pushes to it. The host generates the data encryption keys (DEKs) it uses to encrypt and decrypt VM files, wraps each DEK with a KEK, and stores only the wrapped (encrypted) DEKs in the VM's configuration files.
VM Encryption components (image courtesy of VMware)

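The key hierarchy in the list above is classic envelope encryption: a DEK protects the data, a KEK from the KMS protects the DEK, and only the wrapped DEK is written next to the configuration. The PowerShell script below is an added, conceptual illustration of that arrangement and is not VMware's implementation; the function names, the AES-CBC wrapping and the in-memory "config record" are my own constructs chosen so it runs on any Windows PowerShell or PowerShell 7 host with no modules.

```powershell
# Added illustration of the KEK/DEK envelope described in the article (not VMware code).
# Constructed names and data; AES-CBC via .NET is used only to make the idea concrete.

function New-RandomKey {
    param([int]$Bytes = 32)                       # 256-bit key by default
    $k = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($k)
    return $k
}

function Protect-Bytes {
    param([byte[]]$Key, [byte[]]$Plain)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.GenerateIV()                              # fresh IV per encryption
    $enc = $aes.CreateEncryptor()
    $cipher = $enc.TransformFinalBlock($Plain, 0, $Plain.Length)
    return [byte[]]($aes.IV + $cipher)             # blob layout: IV || ciphertext
}

function Unprotect-Bytes {
    param([byte[]]$Key, [byte[]]$Blob)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]$Blob[0..15]
    $dec = $aes.CreateDecryptor()
    return $dec.TransformFinalBlock($Blob, 16, $Blob.Length - 16)
}

# 1. The KMS holds the KEK; vCenter passes it to the host (simulated in-process).
$kek = New-RandomKey

# 2. The host generates a DEK and encrypts the VM's disk data with it.
$dek       = New-RandomKey
$diskBlock = [Text.Encoding]::UTF8.GetBytes('constructed VMDK block contents')
$encBlock  = Protect-Bytes -Key $dek -Plain $diskBlock

# 3. Only the KEK-wrapped DEK is stored with the VM configuration; the DEK itself is not.
$configRecord = @{
    'encryption.keyId'      = 'constructed-kek-id-0001'     # placeholder KMS key reference
    'encryption.wrappedDek' = [Convert]::ToBase64String((Protect-Bytes -Key $kek -Plain $dek))
}
"Config record holds wrapped DEK only: $($configRecord['encryption.wrappedDek'].Substring(0,16))..."

# 4. A host that obtained the KEK from the KMS unwraps the DEK and reads the disk.
$unwrappedDek = Unprotect-Bytes -Key $kek -Blob ([Convert]::FromBase64String($configRecord['encryption.wrappedDek']))
[Text.Encoding]::UTF8.GetString((Unprotect-Bytes -Key $unwrappedDek -Blob $encBlock))

# 5. Without the KEK the wrapped DEK is just ciphertext, so the disk data stays unreadable.
try {
    $wrongKek = New-RandomKey
    Unprotect-Bytes -Key $wrongKek -Blob ([Convert]::FromBase64String($configRecord['encryption.wrappedDek'])) | Out-Null
    'unexpected: unwrap succeeded with the wrong KEK'
} catch {
    'unwrap with wrong KEK failed as expected (padding/decryption error)'
}
```

The point for operations is in step 3: losing the KMS (or the KEK's key ID on it) makes every wrapped DEK unrecoverable, which is why KMS availability and backup matter as much as the encryption itself. A production key wrap would use an authenticated construction rather than bare CBC; CBC is used here only because it ships with .NET everywhere.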

Where to manage the encryption?

You need to apply the policy to the VM. So select your VM and go to Configure > Policies > Edit VM Storage Policies.

VM Encryption policy applied to a VM level


After validating the selection, vSphere will encrypt the VM.

vMotion encryption

It is possible to use the new vMotion encryption side by side with VM disk encryption. So even during the vMotion process, this will secure and protect your data against sniffing or man-in-the-middle attacks.

The vMotion encryption feature secures the confidentiality, integrity, and authenticity of data transferred with vMotion. Encrypted vMotion supports all variants of vMotion for unencrypted VMs, including migration across vCenter Server systems. However, VMware does not support migration across vCenter Server systems for encrypted VMs.

VM Storage policies


Through the VM hardware option in the vSphere client, simply select a VM and then go to Edit settings > VM Options > Encryption.

You can also apply vMotion encryption on a per-VM level. When migrating a VM using vMotion, vCenter Server generates a random 256-bit key for the migration; the KMS is not involved in this process.

As you can see in the screenshot below, there are three options to choose from depending on whether the destination host supports encryption or not:

VMware vMotion encryption options


For each option, vSphere checks the source host, the destination ESXi host, the ESXi version each runs, and whether it supports encrypted vMotion. If the check fails, the vMotion operation is not executed.

These are the three options you can set:

  • Disabled: don't use encrypted vMotion.
  • Opportunistic: use when the source and destination hosts support encryption.
  • Required: encrypted vMotion only. If the source or destination host does not support encrypted vMotion, migration with vMotion fails.

Encrypted VMs always use the Required option; unencrypted VMs can optionally use it too.

When you encrypt a VM, it keeps a record of the current encrypted vSphere vMotion setting. If you later disable encryption for the virtual machine, the encrypted vMotion setting stays as Required until you change the setting explicitly.

You can enable or disable encrypted vMotion in the VM's settings.
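The three modes and the caveat that a decrypted VM keeps the Required setting are easy to lose track of across a large inventory. The PowerCLI snippet below is an added example, not code from the article or from VMware, that reports the encryption state and the vMotion encryption mode of every VM and sets the mode on a named VM. It assumes an existing Connect-VIServer session, PowerCLI's Get-VM, and the vSphere 6.5 API properties VirtualMachineConfigInfo.KeyId and VirtualMachineConfigSpec.MigrateEncryption (values disabled, opportunistic, required).

```powershell
# Added PowerCLI example (not from the article). Assumes Connect-VIServer has been run.

function Get-VmEncryptionReport {
    # One row per VM: is the VM itself encrypted, and which encrypted vMotion mode is set?
    foreach ($vm in Get-VM) {
        $cfg = $vm.ExtensionData.Config
        [pscustomobject]@{
            Name              = $vm.Name
            DiskEncrypted     = [bool]$cfg.KeyId          # KeyId is only set on encrypted VMs
            MigrateEncryption = $cfg.MigrateEncryption    # disabled | opportunistic | required
        }
    }
}

function Set-VmMigrateEncryption {
    param(
        [Parameter(Mandatory)][string]$Name,
        [ValidateSet('disabled', 'opportunistic', 'required')][string]$Mode = 'required'
    )
    $vm = Get-VM -Name $Name
    # The article notes encrypted VMs are always Required; refuse to weaken them here.
    if ($vm.ExtensionData.Config.KeyId -and $Mode -ne 'required') {
        throw "$Name is an encrypted VM; encrypted vMotion stays at Required."
    }
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.MigrateEncryption = $Mode
    $vm.ExtensionData.ReconfigVM($spec)               # synchronous reconfigure task
}

# Usage: list VMs that were decrypted but still carry the Required vMotion setting,
# which the article says persists until changed explicitly.
Get-VmEncryptionReport |
    Where-Object { -not $_.DiskEncrypted -and $_.MigrateEncryption -eq 'required' } |
    Format-Table -AutoSize

# Usage: enforce encrypted vMotion on an unencrypted but sensitive VM (constructed name).
# Set-VmMigrateEncryption -Name 'dc01-constructed' -Mode 'required'
```

Run the report before and after a planned decryption; a VM that shows DiskEncrypted false with MigrateEncryption required is not wrong, but a migration of it will now fail against any host that lacks encrypted vMotion support, exactly the failure the Required mode is designed to produce.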

No cryptography administrator role

You can assign a No cryptography administrator role to vCenter server users who do not need cryptographic operation privileges. This is to avoid situations where several enterprise administrators work in a team, and you do not want to assign them the cryptographic operations privilege.

So in this case you would simply give them a No cryptography administrator role, which would still allow them to manage all vSphere infrastructures. To set this role, go to Administration > Global Permissions > Manage > pick a user > Edit.


No cryptography administrator role



VM Encryption and vMotion encryption are additional steps forward for securing VMware infrastructures. VM Encryption adds a little CPU overhead, true. But compared to what it offers, it is a small price to pay.

  1. Michal 3 years ago

    Hi Vladan,

    great article. I'm currently setting this up for our team that manages domain controller servers. I'm curious, is there a way to create an email alert for when a VM is decrypted? I couldn't figure it out on my own. I created an alert that sends an email when a VM is reconfigured, which is quite ok, but not specifically focusing on encrypt/decrypt operations… in this case I would receive emails even if someone just modifies RAM or CPU settings… I would like to narrow it down to the cryptographic activities.

    Thanks in advance…
    Kind regards…

  2. Mayank 2 months ago

    Have you observed high disk utilization during encryption?

    In my case I had a server of 450GB; post encryption this is showing 2TB used size.
