Configure Encrypted VMs in VMware vSphere 6.5

One of the new exciting features that was introduced with vSphere 6.5 is the encrypted VMs feature.  Security these days is on everyone’s mind and encryption provides a solution to many security concerns.  If someone gets a copy of the raw VMDKs of a sensitive VM,they can easily take those files by  mount it on their on VMware server and have access to the data. Those files are worthless without the encryption key provided by the encryption key server.  Also, the encrypted VMs feature allows for encrypted vMotion.

VMware vSphere 6.5 Configure Encrypted VMs

The first step in deploying Encrypted VMs is to point vCenter to a Key Management Server.  In your vCenter server inventory list, click Manage >> Key Management Servers >> Add Server.
encrypt01 VMware vSphere 6.5 Configure Encrypted VMs
Fill in the information for your cluster name, server alias, server address, and server port.
encrypt03 VMware vSphere 6.5 Configure Encrypted VMs
Once you click OK you will see a security dialog asking you to trust the certificate.
encrypt06 VMware vSphere 6.5 Configure Encrypted VMs
Once added, you should have green checkboxes next to the Certificate status.
encrypt07 VMware vSphere 6.5 Configure Encrypted VMs
Now under KM Servers we set a default cluster.
encrypt08 VMware vSphere 6.5 Configure Encrypted VMs

Creating an Encryption Storage Policy

The next step in the process is to setup an encryption storage policy.
encrypt09 VMware vSphere 6.5 Configure Encrypted VMs
Add a storage policy.
encrypt10 VMware vSphere 6.5 Configure Encrypted VMs
Name the policy.
.
encrypt11 VMware vSphere 6.5 Configure Encrypted VMs
Simply next through the next informational page.
encrypt12 VMware vSphere 6.5 Configure Encrypted VMs
Under common rules, click the Use common rules in the VM storage policy.  Then select to Add Component.  Then select the Encryption option from the dropdown, but don’t click next yet.
encrypt13 VMware vSphere 6.5 Configure Encrypted VMs
Under the Add Rule select the vmcrypt option.
encrypt14 VMware vSphere 6.5 Configure Encrypted VMs
Leave the Allow I/O filters before encryption set to false.
encrypt15 VMware vSphere 6.5 Configure Encrypted VMs
Uncheck the Use rule-sets in the storage policy.
encrypt16 VMware vSphere 6.5 Configure Encrypted VMs
The next screen shows the storage compatibility check.
encrypt17 VMware vSphere 6.5 Configure Encrypted VMs
Click Finish to create the encryption storage policy.
encrypt18 VMware vSphere 6.5 Configure Encrypted VMs
We can now see our EncryptionPolicy listed in the available VM storage policies.
encrypt19 VMware vSphere 6.5 Configure Encrypted VMs

Create an Encrypted VM

The last step is to actually create an encrypted VM.
encrypt20 VMware vSphere 6.5 Configure Encrypted VMs
Select the creation type
encrypt21 VMware vSphere 6.5 Configure Encrypted VMs
Select the name and folder.
encrypt22 VMware vSphere 6.5 Configure Encrypted VMs
Select a compute resource.
encrypt23 VMware vSphere 6.5 Configure Encrypted VMs
Here is where the new options come into play.  We can now select our Encryption Policy from the VM storage policy dropdown
encrypt24 VMware vSphere 6.5 Configure Encrypted VMs
Leave the compatible with setting set to ESXi 6.5 and later.
encrypt25 VMware vSphere 6.5 Configure Encrypted VMs
Select OS family and GOS version
encrypt26 VMware vSphere 6.5 Configure Encrypted VMs
When you expand the hard disk for the VM, notice how the VM storage policy shows the Encryption Policy.
encrypt27 VMware vSphere 6.5 Configure Encrypted VMs
Also, a really cool feature is Encrypted vMotion.  We can set the setting here to determine how the VM handles vMotion to another host.  There are three options here:
  • Disabled – Do not use encrypted vMotion
  • Opportunistic – Use encrypted vMotion if the destination host supports it, otherwise use normal vMotion
  • Required – The vMotion process with this VM must use encrypted vMotion.  If the vMotion operation doesn’t support encryption on the destination host, the vMotion operation will fail.

encrypt28 VMware vSphere 6.5 Configure Encrypted VMs

After the above configuration screen, simply hit Next and Finish at the Summary screen.