Recrypt (Rekey) Encrypted Virtual Machines

You can recrypt virtual machines using either the vSphere API or, as of vSphere 7.0.x, the vSphere Client. In the vSphere Security manual, recrypt is usually called rekey, or sometimes re-encrypt.

There are two kinds of recrypt operations. A deep recrypt replaces all keys and rewrites the encrypted data of a powered-off virtual machine and its disks, so it takes time proportional to the amount of encrypted data. A shallow recrypt replaces only the top-level keys, leaving the encrypted data in place, and is comparatively fast.
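The two operations map to two CryptoSpec subtypes in the vSphere API, both applied through a VirtualMachine reconfigure call. The following is an added example and is not code from the page or from the vSphere documentation; it assumes the vSphere Web Services SDK Java bindings (com.vmware.vim25), that a connected VimPortType and the ManagedObjectReference of the target VM are obtained elsewhere, and that the key and provider identifiers shown are placeholders you replace with values from your key provider.

```java
import com.vmware.vim25.CryptoKeyId;
import com.vmware.vim25.CryptoSpec;
import com.vmware.vim25.CryptoSpecDeepRecrypt;
import com.vmware.vim25.CryptoSpecShallowRecrypt;
import com.vmware.vim25.KeyProviderId;
import com.vmware.vim25.ManagedObjectReference;
import com.vmware.vim25.VimPortType;
import com.vmware.vim25.VirtualMachineConfigSpec;

/**
 * Example (not from the page): builds deep and shallow recrypt specs and
 * submits them as a ReconfigVM_Task on an encrypted virtual machine.
 */
public class RecryptExample {

    /**
     * Builds the CryptoKeyId that names the new key.
     * providerId may be null, in which case vCenter uses the default key provider.
     */
    static CryptoKeyId newKeyId(String keyId, String providerId) {
        CryptoKeyId id = new CryptoKeyId();
        id.setKeyId(keyId);
        if (providerId != null) {
            KeyProviderId provider = new KeyProviderId();
            provider.setId(providerId);
            id.setProviderId(provider);
        }
        return id;
    }

    /** Deep recrypt: replaces all keys and rewrites the encrypted data. VM must be powered off. */
    static CryptoSpec deepRecryptSpec(CryptoKeyId newKey) {
        CryptoSpecDeepRecrypt spec = new CryptoSpecDeepRecrypt();
        spec.setNewKey(newKey);
        return spec;
    }

    /** Shallow recrypt: replaces only the top-level keys; encrypted data is left as is. */
    static CryptoSpec shallowRecryptSpec(CryptoKeyId newKey) {
        CryptoSpecShallowRecrypt spec = new CryptoSpecShallowRecrypt();
        spec.setNewKey(newKey);
        return spec;
    }

    /**
     * Submits the recrypt as a reconfigure task. Only the crypto field of the
     * VirtualMachineConfigSpec is set, so no other VM settings are touched.
     * Returns the Task reference; poll it (e.g. via the PropertyCollector) for completion.
     */
    static ManagedObjectReference recrypt(VimPortType vimPort,
                                          ManagedObjectReference vm,
                                          CryptoSpec crypto) throws Exception {
        VirtualMachineConfigSpec configSpec = new VirtualMachineConfigSpec();
        configSpec.setCrypto(crypto);
        return vimPort.reconfigVMTask(vm, configSpec);
    }

    public static void main(String[] args) throws Exception {
        // Assumption: vimPort is a logged-in VimPortType obtained elsewhere.
        VimPortType vimPort = null;

        // Placeholder VM reference; use the real managed object id of your VM.
        ManagedObjectReference vm = new ManagedObjectReference();
        vm.setType("VirtualMachine");
        vm.setValue("vm-PLACEHOLDER");

        // Placeholder key id from your key provider (see the CryptoManager page
        // referenced below for how such ids are generated or retrieved).
        CryptoKeyId key = newKeyId("KEY-ID-PLACEHOLDER", "KMS-CLUSTER-PLACEHOLDER");

        // Fast path: rewrap with a new top-level key.
        ManagedObjectReference shallowTask = recrypt(vimPort, vm, shallowRecryptSpec(key));

        // Full path: power the VM off first, then replace every key and rewrite the data.
        ManagedObjectReference deepTask = recrypt(vimPort, vm, deepRecryptSpec(key));
    }
}
```

Before issuing a deep recrypt, confirm the VM is powered off; the task is rejected otherwise. A shallow recrypt is the appropriate choice for routine key rotation where only the top-level key needs to change, and a deep recrypt for cases where the data itself must be re-encrypted under new keys.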

For details on generating or retrieving the CryptoKeyId, see the CryptoManager code in the CryptoManager Java program to add KMS and set default cluster.