A new feature introduced in vSphere 6.5 is the encryption of VMs, which secures the VMDK virtual disks (also .vmx and swap files are encrypted), making the stored data unreadable.

To get the benefits of encryption, you need to connect vCenter Server to a Key Management Server (KMS) that provides the necessary keys to encrypt and decrypt VMs using the Key Management Interoperability Protocol (KMIP) protocol. To establish the connection between KMS and vCenter Server, the KMS performs a certificate exchange.

The components required to allow VM encryption features are the following:

• KMS: Generates and stores the keys passed to the vCenter Server to encrypt and decrypt the VMs.
• vCenter Server: This is the only component that can log in to the KMS to obtain the keys and push them to ESXi hosts. KMS keys are not stored in vCenter Server, which keeps a list of key IDs only. 

A KMS cluster configured in vCenter Server requires that all KMS instances added to the cluster are from the same vendor and must replicate keys. If you use different vendors in different environments, you can create a KMS cluster for each KMS specifying the default cluster. The first cluster added becomes the default cluster.

Be sure to use only a certified KMS provider. Some KMS providers are as follows:

• HyTrust KeyControl: https://www.hytrust.com/
• IBM Security Key Lifecycle Manager: http://www-03.ibm.com/software/products/en/key-lifecycle-manager
• Thales Vormetric Data Security Manager: https://www.thalesesecurity.it/products/data-encryption/vormetric-data-security-manager
• Gemalto SafeNet KeySecure: https://safenet.gemalto.com/data-encryption/enterprise-key-management/key-secure/

You can have a look at HCL for certified KMS providers at https://www.vmware.com/resources/compatibility/search.php?deviceCategory=kms.

Access to the encrypted virtual disk requires the correct key owned only by the VM that manages the virtual disk. An unauthorized VM that tries to access the encrypted VMDK without the correct key will receive only meaningless data. No additional hardware is required for the encryption/decryption operation, and performance is improved if the processor used supports the AES-NI instruction set, because encryption is CPU-intensive. AES-NI should be enabled in your BIOS, and the VM needs to be powered off before proceeding.

To encrypt VMs, you first need to configure a KMS in vCenter Server:

1. From the vSphere Web Client, select vCenter Server in the inventory and select the Configure tab. Expand More and select Key Management Servers to access the KMS management section.
2. Click the Add KMS icon to add the KMS server (you must have one in your network). Specify the required parameters and click OK to save the configuration:

3. Once the KMS server is successfully added to vCenter Server, the Connection Status column is displayed as Normal. Once you have configured the KMS server, you can start encrypting VMs:

Change the storage policy of a VM by following this procedure:

1. From the vSphere Client, access vCenter Server, and right-click the VM to encrypt. Select VM Policies | Edit VM Storage Policies.
2. From the VM storage policy drop-down menu, select the VM Encryption Policy option to encrypt the VM and click OK:

3. When the encryption process has completed, the VM hardware area in the VMs Summary tab displays the Encryption field which indicates which components are encrypted.

Here are some recommendations for using encrypted VMs:

• PSC and vCenter Server VMs should not be encrypted.
• The support bundle used to decrypt a core dump is generated using the ESXi host key. If the host is rebooted, the host key may change, and the support bundle can no longer be generated with a password and you might not be able to decrypt core dumps located in the support bundle as well. For this reason, if the host crashes, you should retrieve the support bundle as soon as possible.
• Since .vmx files and .vmdk descriptor files contain the support bundle, you should not edit these files; otherwise, the VM becomes unrecoverable.

Encryption and decryption of a VM can also be performed using PowerCLI:

• To encrypt a VM, run the following command:

Get-VM -Name <vmname> | Enable VM encryption

• To decrypt a VM, use the following command:

Get-VM -Name <vmname> | Disable VM encryption

Encrypted VMs can be a potential challenge for native backup programs, but there is a way to permit backup of those encrypted files in a clear format, to permit indexing and granular restore. Several backup products already support this feature.

Also, you have to consider the following caveats:

• vSphere FT, vSphere Replication, and content library do not work with VM encryption.
• Snapshot operations have some limitations; for example, you cannot select a snapshot of the VM's memory checkbox.
• Cloning an encrypted VM or performing a storage vMotion operation and changing the disk format may not work. 
• You cannot encrypt a VM and its disks by using the Edit Settings... menu. You have to use the storage policy.
• When you detach a disk from a VM, the storage policy information for the virtual disk is not retained.
• OVF export is not supported on an encrypted VM.
• You can use vSphere VM encryption with IPv6 in mixed mode, but not in a pure IPv6 environment.

• The vCenter Server becomes more critical; only vCenter Server has credentials for logging in to the KMS. Your ESXi hosts do not have those credentials. vCenter Server obtains keys from the KMS and pushes them to the ESXi hosts.