vSphere Storage

VM Encryption using SPBM Policies

SPBM Host-based Rules: VM Encryption

Continuing the SPBM series, in this episode, we are going to focus on the host-based rule: VM Encryption.

With the release of vSphere 6.5, you can use virtual machine encryption to protect your VMs, disks, and files. Because VM Encryption uses SPBM policies, you can encrypt individual VMs or disks as needed, which gives you granular encryption without having to encrypt an entire datastore. To further ensure security, there is a specific set of encryption privileges, Cryptographic Operations, and only administrators granted these privileges may perform encryption and decryption tasks. This allows non-privileged VI admins to continue performing day-to-day tasks.

What exactly is encrypted? VM Encryption supports virtual machine files, virtual disk files, and core dump files. This includes NVRAM, VSWP, and VMSN files as well as the VM’s VMDKs. Data in an encrypted virtual disk (VMDK) file is never written in cleartext to storage or physical disk and is never transmitted over the network in cleartext.

All encryption keys are managed via an external Key Management Server (KMS). Several KMS vendors are available; to find a compatible vendor, please use the VMware compatibility guide here.

vSphere Virtual Encryption Architecture

To enable VM encryption, you must set up an external KMS. The KMS, along with vCenter Server and the ESXi hosts, manages the encryption solution. A trust relationship between the KMS and vCenter Server must be established before SPBM VM encryption can be used. As there are several KMS vendors, we won’t go into detail on setting up the KMS itself.

Policy Creation

Once the KMS is set up, you can create a Storage Policy for VM Encryption. When creating the new SPBM policy, select “Enable host based rules”. Then select the radio button “Use storage policy component” and choose “Default encryption properties” from the dropdown; in most cases, you will choose this option. The custom option allows you to enable I/O filters before encryption; if that option is chosen, those filters can see cleartext data before encryption. The rest is a review of the policy and its settings.

Host Encryption Mode

Before you can use the new policy, you must enable “Host Encryption Mode” on all of the hosts in the cluster. This setting is under the Configure tab in the Security Profile. There you can edit the Host Encryption Mode and enable the host to accept keys from the KMS server. If you want to disable Host Encryption Mode, you must remove the host from vCenter, reboot it, and then add it back to vCenter.
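As an added example (not part of the original post or VMware’s own tooling), here is a read-only PowerCLI audit of the two prerequisites above: whether every host in a cluster has Host Encryption Mode enabled, and which VMs and VMDKs are actually encrypted and under which SPBM policy. It assumes PowerCLI is installed, `Connect-VIServer` has already been run, and the cluster name is a placeholder you replace.

```powershell
# Added example: read-only audit of VM Encryption readiness in one cluster.
# Assumes an existing Connect-VIServer session; the cluster name is a placeholder.
param(
    [string]$ClusterName = 'PLACEHOLDER-CLUSTER'
)

$cluster = Get-Cluster -Name $ClusterName

# 1. Host Encryption Mode. HostRuntimeInfo.cryptoState is 'safe' once the host
#    has been enabled and holds its host key from the KMS; 'incapable' means
#    encryption mode was never enabled; 'prepared' and 'pendingIncapable' are
#    transitional states. Any host that is not 'safe' cannot run encrypted VMs.
$hostState = Get-VMHost -Location $cluster | ForEach-Object {
    [pscustomobject]@{
        Host        = $_.Name
        CryptoState = $_.ExtensionData.Runtime.CryptoState
    }
}
$hostState | Format-Table -AutoSize

$notReady = $hostState | Where-Object { $_.CryptoState -ne 'safe' }
if ($notReady) {
    Write-Warning ('Hosts without Host Encryption Mode enabled: ' +
        ($notReady.Host -join ', '))
}

# 2. Per-VM view. The VM home files (NVRAM, VSWP, VMSN) are encrypted when the
#    VM config carries a KeyId; each VMDK is encrypted when its backing carries
#    a KeyId. The assigned SPBM policy comes from Get-SpbmEntityConfiguration.
foreach ($vm in Get-VM -Location $cluster) {
    $policy        = (Get-SpbmEntityConfiguration -VM $vm).StoragePolicy
    $homeEncrypted = [bool]$vm.ExtensionData.Config.KeyId
    $disks         = $vm.ExtensionData.Config.Hardware.Device |
        Where-Object { $_ -is [VMware.Vim.VirtualDisk] }

    foreach ($disk in $disks) {
        [pscustomobject]@{
            VM            = $vm.Name
            Policy        = if ($policy) { $policy.Name } else { '(none)' }
            HomeEncrypted = $homeEncrypted
            Disk          = $disk.DeviceInfo.Label
            DiskEncrypted = [bool]$disk.Backing.KeyId
        }
    }
}
```

A VM that shows the encryption policy but `DiskEncrypted = False` on a disk is worth a second look, since a policy can be assigned to the VM home without every disk having been reconfigured under it.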

Below is a short video showing the process for setting up and enabling VM Encryption. The steps in the video are only possible after you have successfully added a KMS server to your vCenter and enabled it.

  1. Using Tag-based SPBM Policies to Manage Your Storage
  2. Storage Capabilities and Services
  3. Data Services SPBM Policies


Twitter: @jbmassae
