Workflows for vSphere Virtual Machine Encryption

The sections below present vSphere API methods for key acquisition and encryption.

Set Up the Key Management Server Cluster

Before you can start encrypting virtual machines, you must set up the Key Management Server (KMS) cluster. This includes adding the KMS, establishing trust with the KMS, and setting the default KMS cluster. The KMS must support the KMIP (Key Management Interoperability Protocol) 1.1 standard, and it must be capable of acting as a symmetric key foundry and server.

Create an Encryption Storage Policy

Before any virtual machines can be encrypted, vCenter Server must contain an encryption storage policy. The policy only needs to be created once; it can be assigned to any virtual machines that you want to encrypt.

Create an Encrypted Virtual Machine

The Web Services SDK provides Java and C# code to create a virtual machine. The Java code can be modified to create an encrypted virtual machine. Steps below show how to implement virtual machine encryption in the VMCreate.java sample program. The crypto property in VirtualMachineConfigSpec should be set to CryptoSpecEncrypt, and an encryption key provided. The storage profile must have been previously set to specify encryption. If the CryptoSpec is unset, but a storage profile with encryption is set, vCenter Server automatically generates new keys and sets CryptoSpec, if a default KMS has been configured.

Clone an Encrypted Virtual Machine

Set the crypto property in RelocateSpec at cloneSpec.location. The virtual machine must be powered off, with no existing snapshots. The encrypted virtual machine will be cloned, still encrypted.

Encrypt an Existing Virtual Machine or Disk

First set the crypto property in the VirtualMachineConfigSpec to CryptoSpecEncrypt and provide a key. The virtual machine must be powered off, with no existing snapshots.
Decrypt an Encrypted Virtual Machine or Disk

This is similar to encrypting an existing virtual machine, but with a different CryptoSpec. First set the crypto property in the VirtualMachineConfigSpec to CryptoSpecDecrypt. The virtual machine must be powered off, and the storage profiles must be set not to specify encryption.

Encrypt Using Different Keys

This method shows how to use two different keys to encrypt the virtual machine (VM home) and its disk.

Recrypting Encrypted Virtual Machines

Currently it is not possible to recrypt virtual machines using the vSphere Client. Only the vSphere API can accomplish this task.

Query Crypto Key In-Use Status

Sometimes it is useful to determine key status, for example whether a key is available on vCenter Server, which virtual machines and ESXi hosts are using it, and whether third-party applications reference it.

Encrypted vSphere vMotion

When virtual machines and data move across the network, all sensitive data remain encrypted.

Virtual Disk Manager

The following methods in managed object VirtualDiskManager are affected by encryption:
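As an added example (not the SDK's VMCreate.java or any other VMware sample), the following Java helper builds the VirtualMachineConfigSpec that ReconfigVM_Task consumes for the "Encrypt Using Different Keys" and "Decrypt" workflows above. It assumes the vim25 JAX-WS stubs of the Web Services SDK (CryptoKeyId, KeyProviderId, CryptoSpecEncrypt, CryptoSpecDecrypt, VirtualDeviceConfigSpecBackingSpec and their setters); the helper names keyRef, policy, encrypt and decrypt are the example's own.

```java
import com.vmware.vim25.*;

/** Builds the VirtualMachineConfigSpec that ReconfigVM_Task uses to encrypt or decrypt a VM (added example). */
public final class VmCryptoSpecs {
    /** Key reference: the KMS cluster (provider) id plus a key id already known to that cluster. */
    static CryptoKeyId keyRef(String providerId, String keyId) {
        KeyProviderId provider = new KeyProviderId();
        provider.setId(providerId);
        CryptoKeyId key = new CryptoKeyId();
        key.setProviderId(provider);
        key.setKeyId(keyId);
        return key;
    }

    /** Storage policy reference; the encryption policy must already exist in vCenter Server. */
    static VirtualMachineDefinedProfileSpec policy(String profileId) {
        VirtualMachineDefinedProfileSpec p = new VirtualMachineDefinedProfileSpec();
        p.setProfileId(profileId);
        return p;
    }

    /** Encrypt VM home under homeKey and one disk under a different diskKey (VM powered off, no snapshots). */
    public static VirtualMachineConfigSpec encrypt(VirtualDisk disk, String policyId,
                                                   CryptoKeyId homeKey, CryptoKeyId diskKey) {
        CryptoSpecEncrypt homeCrypto = new CryptoSpecEncrypt();
        homeCrypto.setCryptoKeyId(homeKey);
        // The disk key travels in the backing spec of an EDIT device change (assumed stub layout).
        CryptoSpecEncrypt diskCrypto = new CryptoSpecEncrypt();
        diskCrypto.setCryptoKeyId(diskKey);
        VirtualDeviceConfigSpecBackingSpec backing = new VirtualDeviceConfigSpecBackingSpec();
        backing.setCrypto(diskCrypto);
        VirtualDeviceConfigSpec diskChange = new VirtualDeviceConfigSpec();
        diskChange.setOperation(VirtualDeviceConfigSpecOperation.EDIT);
        diskChange.setDevice(disk);
        diskChange.setBacking(backing);
        diskChange.getProfile().add(policy(policyId));   // the disk must carry the encryption policy too
        VirtualMachineConfigSpec spec = new VirtualMachineConfigSpec();
        spec.setCrypto(homeCrypto);                       // VM home key
        spec.getVmProfile().add(policy(policyId));
        spec.getDeviceChange().add(diskChange);
        return spec;
    }

    /** Decrypt: CryptoSpecDecrypt carries no key; the policy supplied must not require encryption. */
    public static VirtualMachineConfigSpec decrypt(String plainPolicyId) {
        VirtualMachineConfigSpec spec = new VirtualMachineConfigSpec();
        spec.setCrypto(new CryptoSpecDecrypt());
        spec.getVmProfile().add(policy(plainPolicyId));
        return spec;
    }
}
```

Pass the returned spec to vimPort.reconfigVMTask(vmRef, spec) after confirming the VM is powered off and has no snapshots; vCenter Server rejects the reconfigure otherwise.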