vSphere API Methods for Cryptographic Operations

Cryptographic operations are defined in the following hierarchy.

  • CryptoManager – managed object for handling cryptographic keys.

    CryptoManager defines the following methods:

    • void addKey(CryptoKeyPlain key) – add plain key to the vCenter Server.
    • CryptoKeyResult[] addKeys(CryptoKeyPlain[] keys) – add multiple plain keys to vCenter.
    • boolean enabled() – indicate if the encryption feature is enabled.
    • CryptoKeyId[] listKeys(int limit) – list keys.
    • void removeKey(CryptoKeyId key, boolean force) – remove a key (only its ID is needed).
    • CryptoKeyResult[] removeKeys(CryptoKeyId[] keys, boolean force) – remove multiple keys.
  • VirtualMachineConfigSpec – previously existing data object passed as parameter to CreateVM_Task and ReconfigVM_Task. One of its newly added properties is crypto, a CryptoSpec with one of the following options, which is inherited by all virtual disks and virtual machine configuration files (VM home).
    • CryptoSpecEncrypt – indicates that the virtual machine should be encrypted.
    • CryptoSpecDecrypt – indicates that the virtual machine should be decrypted.
    • CryptoSpecDeepRecrypt – indicates that all KEKs and DEKs should be replaced.
    • CryptoSpecShallowRecrypt – indicates that only KEKs should be replaced.
    • CryptoSpecNoOp – indicates that encryption settings should not be changed.
    • CryptoSpecRegister – indicates that the operation should send keys but should not modify the encryption settings of the virtual machine or virtual disk. When an encrypted disk is hot attached, the program must pass CryptoSpecRegister with the key ID that encrypted the disk. The key can be obtained from the Datastore Browser.

    The following data objects are informational properties of VMConfigFileInfo and VMDiskFileInfo, respectively. They can be used to check whether the VM home and its virtual disks are encrypted.

    • VmConfigFileEncryptionInfo – the encryption information of a virtual machine configuration.
    • VmDiskFileEncryptionInfo – the encryption information of a virtual disk.

    The enumeration EncryptedVMotionModes controls whether encrypted vMotion is disabled, required, or opportunistic (fall back to unencrypted vMotion if necessary, the default option).
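The example below is added here and is not VMware's code or part of the vSphere API reference. It models the CryptoSpec variants and the two encryption-info objects above as plain Python dataclasses (the names and field names mirror the API types, but no pyvmomi session is used, so it runs offline) and shows the two things a client actually does with them: audit a VM's VM home and disks against a trusted key provider, and pick the CryptoSpec to pass in a VirtualMachineConfigSpec, including the CryptoSpecRegister rule for hot-attaching an encrypted disk. The provider IDs, key IDs and the "rekey anything keyed by an untrusted provider" policy are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union


# Stand-ins for the vSphere API data objects (added example, not pyvmomi).
@dataclass(frozen=True)
class KeyProviderId:
    id: str


@dataclass(frozen=True)
class CryptoKeyId:
    keyId: str
    providerId: Optional[KeyProviderId] = None


@dataclass(frozen=True)
class CryptoSpecEncrypt:         # encrypt VM home and all disks with cryptoKeyId
    cryptoKeyId: CryptoKeyId


@dataclass(frozen=True)
class CryptoSpecDecrypt:         # remove encryption
    pass


@dataclass(frozen=True)
class CryptoSpecDeepRecrypt:     # replace KEKs and DEKs (disk data is rewritten)
    newKeyId: CryptoKeyId


@dataclass(frozen=True)
class CryptoSpecShallowRecrypt:  # replace KEKs only (DEKs are rewrapped, no rewrite)
    newKeyId: CryptoKeyId


@dataclass(frozen=True)
class CryptoSpecNoOp:            # leave encryption settings unchanged
    pass


@dataclass(frozen=True)
class CryptoSpecRegister:        # send the key, change no settings (hot attach)
    cryptoKeyId: CryptoKeyId


CryptoSpec = Union[CryptoSpecEncrypt, CryptoSpecDecrypt, CryptoSpecDeepRecrypt,
                   CryptoSpecShallowRecrypt, CryptoSpecNoOp, CryptoSpecRegister]


@dataclass(frozen=True)
class VmConfigFileEncryptionInfo:
    keyId: Optional[CryptoKeyId]  # None: VM home is not encrypted


@dataclass(frozen=True)
class VmDiskFileEncryptionInfo:
    keyId: Optional[CryptoKeyId]  # None: disk is not encrypted


@dataclass
class VmEncryptionState:
    """One VM as an auditor sees it: VM-home info plus one info per disk path."""
    name: str
    config: VmConfigFileEncryptionInfo
    disks: Dict[str, VmDiskFileEncryptionInfo] = field(default_factory=dict)


def _provider(key: CryptoKeyId) -> Optional[str]:
    return key.providerId.id if key.providerId else None


def audit_vm(vm: VmEncryptionState, trusted_provider: str) -> List[str]:
    """List every file that is unencrypted or keyed by a provider other than the trusted one."""
    findings = []
    if vm.config.keyId is None:
        findings.append("VM home: not encrypted")
    elif _provider(vm.config.keyId) != trusted_provider:
        findings.append(f"VM home: keyed by untrusted provider {_provider(vm.config.keyId)!r}")
    for path, info in vm.disks.items():
        if info.keyId is None:
            findings.append(f"{path}: not encrypted")
        elif _provider(info.keyId) != trusted_provider:
            findings.append(f"{path}: keyed by untrusted provider {_provider(info.keyId)!r}")
    return findings


def plan_crypto_spec(vm: VmEncryptionState, trusted_provider: str,
                     new_key: CryptoKeyId, rotate_dek: bool = False) -> CryptoSpec:
    """Choose the VM-level CryptoSpec for ReconfigVM_Task (assumed policy, not VMware's).

    Unencrypted VM home -> CryptoSpecEncrypt (inherited by VM home and all disks).
    Keys from an untrusted provider -> rekey: deep if the DEKs must change, else shallow.
    Compliant VM -> CryptoSpecNoOp. A VM with an encrypted home but an unencrypted
    disk needs a per-disk decision, which this VM-level planner refuses to guess.
    """
    if vm.config.keyId is None:
        return CryptoSpecEncrypt(cryptoKeyId=new_key)
    if any(d.keyId is None for d in vm.disks.values()):
        raise ValueError(f"{vm.name}: VM home encrypted but a disk is not; handle per disk")
    if audit_vm(vm, trusted_provider):
        return (CryptoSpecDeepRecrypt(newKeyId=new_key) if rotate_dek
                else CryptoSpecShallowRecrypt(newKeyId=new_key))
    return CryptoSpecNoOp()


def register_spec_for_hot_attach(disk: VmDiskFileEncryptionInfo) -> CryptoSpec:
    """An encrypted disk is hot attached with CryptoSpecRegister carrying the key ID that
    encrypted it (the Datastore Browser reports this ID); an unencrypted disk gets NoOp."""
    if disk.keyId is None:
        return CryptoSpecNoOp()
    return CryptoSpecRegister(cryptoKeyId=disk.keyId)


if __name__ == "__main__":
    # Constructed sample: a trusted provider "corp-kms" and a lab provider that policy rejects.
    good = CryptoKeyId("key-2024-01", KeyProviderId("corp-kms"))
    lab = CryptoKeyId("key-lab-7", KeyProviderId("lab-kms"))
    vm = VmEncryptionState("web01", VmConfigFileEncryptionInfo(lab),
                           {"[ds1] web01/web01.vmdk": VmDiskFileEncryptionInfo(lab)})
    for line in audit_vm(vm, "corp-kms"):
        print(line)
    print(plan_crypto_spec(vm, "corp-kms", good))
    print(register_spec_for_hot_attach(vm.disks["[ds1] web01/web01.vmdk"]))
```

The audit is the part worth running regularly: a VM whose key comes from a provider you do not operate, or whose VM home is encrypted while a disk is not, is exactly the state the informational properties are there to expose. Shallow versus deep rekey is a deliberate switch rather than a default, because a deep recrypt rewrites every disk and is only warranted when the DEKs themselves are in question.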

More information about the encryption interfaces is available in the vSphere Management SDK documentation under vSphere Web Services SDK, in the vSphere API Reference.