Recrypting Encrypted Virtual Machines

Currently it is not possible to recrypt virtual machines using the vSphere Client. Only the vSphere API can accomplish this task.

There are two kinds of recryption operations. Deep recrypt replaces all keys, rewriting encrypted data in a powered-off virtual machine and its disks. Shallow recrypt replaces only top-level keys and is comparatively fast.

For details on generating or retrieving the CryptoKeyId, see CryptoManager code in CryptoManager Java program to add KMS and set default cluster.