Encrypting VMs in vSphere 6.5

Being able to encrypt a VM is one of the great security related features in vSphere 6.5.

To test this out in your home / work lab, you will need access to a KMS, a service which dishes out encryption keys to vCenter. Getting your hands on one, will most likely be the only hurdle you need to overcome when setting up vCenter Server for VM encryption.

If you already have access to a KMS such as SafeNet, this bit is not for you. If not, read on.

Most posts I’ve been through omit the KMS setting up part, save for this one from William Lam, who has been kind enough to put together a docker container running pyKMIP, which is exactly what we need.

We also need somewhere to run the docker container on. To this effect, I’ll be using Photon, VMware’s propriety OS which is what vCSA 6.5 runs on.

  • So, first things first, download Photon. I got the Full ISO. Photon comes Docker ready, so you don’t have to install anything other than enable it.
  • Next, install Photon as a VM in say, Workstation Player, which is what I did. The VM settings are boxed in red. Installing Photon is pretty simple, so I won’t be going over it.


  • Next, log in as root and run the following commands including the ones from William’s post.
systemctl start docker
systemctl enable docker
docker version   (this is optional but it's good to make sure all's good)
docker pull lamw/vmwkmip
docker run --rm -it -p 5696:5696 lamw/vmwkmip


  • Fire up vSphere Web Client. Highlight the vCenter Server in Navigator and from the Configure tab, click on Key Management Servers followed by Add KMS. Type in a cluster name and alias, the IP address of the Photon VM and the network port. The latter should be set to 5696.


  • If all goes according to plan, you should see a number of connections being established and closed on the docker container running the KMS.


Big Disclaimer: Do not use this for production process. The encryption keys are lost when you switch off the Photon VM as vCenter Server only stores IDs to the keys and not the keys themselves. This KMS method must only be used for evaluation and testing purposes.

Encrypting a VM

To encrypt a VM is now just a matter of changing the applied storage policy to VM Encryption Policy. Storage policies are managed from Home -> VM Storage Policies. It’s best to clone the existing one before you make changes.

Refer to this for the full details.

To encrypt an individual VM, right-click on the name and select Edit VM Storage Policies. You can then choose to encrypt the VM folder and/or the VM’s disks (VMDKs).


The VM must be powered off and also be aware that the encryption process might take quite a while especially if you chose to encrypt large VMDKs.

Once the process finishes, you should see the VM / disk marked as encrypted.



In the near future I’ll be covering the process in more detail perhaps in one or more posts on the Altaro VMware blog, so make sure to be on the lookout for new posts.