VMware: Creating a Storage Encryption Policy

KB ID 0001471

Problem

This is essentially part-two of deploying encrypted virtual machines, in a vSphere VMware (6.5 and above) environment. Back in part-one we deployed a KMS server and registered it with vCenter. Now we will create a storage policy that enforces encryption, then apply that policy to a virtual machine.

Solution

While logged into vCenter > Home > Policies and Profiles > VM Storage Policies > Create VM Storage Policy > Give it a name > Next.

VMware Storage encryption policy

Next.

Create New Policy Structure VMware

Add > Encryption. Note: On some versions of vCenter, Select Encryption > Custom.

Add VMware Encryption

Accept the defaults > Next.

Encrpytion Policy Settings VMware

Untick “Use rule-sets in the storage policy” > Next.

Storage Policy Rule Set

This just shows you which ‘Datastores‘ are compatible, (it’s not going to encrypt them, or format them, or anything!) > Next

Compatible Encryption datastores

Finish.

Encrypt a VM in vSphere

Apply an Encryption Storage Policy to a VM

There are a couple of ways to do this. Before you start, make sure the VM is in a compatible Datastore >  Right click the (powered off) VM > VM Polices > Edit VM Storage Policies > Select VM Home (to encrypt the entire VM), or the individual disks (to encrypt them only) > Change the policy to the encrypted one you just created > OK.

How To encrypt a VM in VMware

Or to encrypt the drives manually > Right Click the VM > Edit Settings > Expand the hard drive > VM Storage Policy > Change the policy to the one you created above. (Note: this only encrypts the drives, NOT the entire VM).

How to Encrypt a VMs Hard Drive

Check Virtual Machine Encryption

If a VM is encrypted then it will tell you on its ‘Virtual Hardware‘ tab, you will also notice that encrypted drives have a small ‘padlock’ over them.

ESX Check a VM is encrypted

Additionally: Under VM Options, you will notice that Encrypted vMotion is now set to ‘Required‘.

vMotion encrpyption

You can also tell at a glance from the virtual machines ‘Summary tab‘.

Check a VM is Encrpyted

Things You Need To Know About Encrypted Virtual Machines

  • To encrypt a VM it must be Powered off.

Cannot Encrypt Powered on

The attempted operation cannot be performed in the current state (“Powered On”).

  • To encrypt an VM it must have No Snapshots.

Encryption VM Snapshots

Invalid virtual machine configuration.
Cannot change encryption state with virtual machine snapshots present.

  • Fault Tolerance is Not Supported.

Encrypted VM Fault tolerance

Unsupported virtual machine configuration for Fault Tolerance

  • vSphere replication is Not Supported.
  • Cloning Is Supported, but the cloned VM has the same encryption keys as the source.
  • Snapshots Are Supported, but, you will see the following error if you attempt to snapshot of an encrypted VM.

the virtual machine is encrypted snapshot error

The virtual machine is encrypted and guest memory cannot be saved.

You need to ‘untick’, Snapshot the virtual machine memory.

Snapshot encrypted VM

  • You cant ‘Suspend‘ an encrypted virtual machine.

Cannont suspend an Encrypted VM

The virtual machine is encrypted and cannot be suspended. Failed to suspend the virtual machine. Incorrect virtual machine state.

  • You cannot export an encrypted virtual machine to OVF file.

Cannot Export Encrypted VM to OVA

Provider method implementation threw unexpected exception: %s VapiStructureProxy.cause
The operation failed due to the operation is not supported on the object

Related Articles, References, Credits, or External Links

NA

Author: PeteLong

Share This Post On

2 Comments

  1. Say after 3 years you decide to change another KMS provider, with the encrypted VM, how are we suppose to move the config so it recognize the new KMS cluster?

    Post a Reply
    • I’ve never done this, but I don’t see why you cant swap a KMS server out? It only checks the keys when you power on a VM.

      Post a Reply

Submit a Comment

Your email address will not be published. Required fields are marked *