How to Encrypt an Existing or New Virtual Machine

What is an encrypted virtual machine

In VMware environment, the hypervisor encryption feature is first available in VMware vSphere 6.5. You can enable VM Encryption policy to create an encrypted virtual machine. For Hyper-V VM encryption, BitLocker is needed to encrypt virtual machines and disks.

Virtual machine with encryption feature is able to encrypt I/Os before data gets stored in the VMDK. An encrypted virtual machine makes sure someone does not have unauthorized access to your data.

Should you encrypt virtual machine in  VMware

Data security of virtual machines is very important for enterprises. An encrypted virtual machine protects the sensitive data and enhances business security. At the same time, virtual machines are very vulnerable when performing vMotion, any changes may cause the failure of vMotion operation. Encrypting virtual machines and virtual disks ensures the security of VM data while transferring.

In this article, I will demonstrate the procedures to encrypt virtual machine in VMware. You can encrypt virtual machines or virtual disks by changing a storage policy.

• Create a new encrypted virtual machine
• Encrypt an existing VM in VMware
• Efficient method to protect VM security

Prerequisites to encrypt VMware VM

Before creating an encrypted virtual machine, the following points are worth noting.

1. Ensure the virtual machine that needs be encrypted is powered off.

2. Create a VM encryption storage policy.

3. Establish a trusted connection with the KMS and select a default KMS.

4. Verify that you have the required privileges:

• Cryptographic operations. Encrypt new.
• If the host encryption mode is not Enabled, you also need Cryptographic operations. Register host.

How to encrypt VMware virtual machine

In this section, I will explain how to create a new encrypted virtual machine and how to encrypt an existing virtual machine with the hypervisor encryption feature in detail.

Create a new encrypted virtual machine

1. Navigate to the virtual machine in the vSphere Client inventory, and click New Virtual Machine.

2. Select Create a new virtual machine >> enter a new name for the VM >> select a location >> select the destination computer resource.

3. On the Select storage page, you should enable Encrypt this virtual machine. Then select VM Encryption Policy.

4. Select compatibility as ESXi 6.5 and later which allows you to migrate the encrypted virtual machine to the hosts with compatibility. Then select a guest OS that will be installed on the VM.

5. On Customize hardware page, configure the hardware such as CPU, memory……

Click VM Options >> Encryption. Specify the virtual disk to be encrypted or decrypted. You can also change the Encrypted vMotion setting to encrypt transferring process.

Or you can back to Virtual Hardware page to select ADD NEW DEVICE >> Hard Disk, then specify the VM storage policy for each disk.

6. Review the information, and click Finish.

After you have encrypted your virtual machines, you can access to Summary on the main screen to check if the virtual machine is encrypted successfully. Click Encryption to see VM configuration files are encrypted. Hard disk is encrypted.

Tips: An encrypted virtual machine may consist of encrypted disks or VM home files. But you cannot encrypt the virtual disk of an unencrypted virtual machine, which means if you want to encrypt a virtual disk, please encrypt this virtual machine first.

Encrypt an existing VM in VMware

1. Log in vSphere Client, and connect to vCenter Sever.

2. Right-click the virtual machine you want to encrypt, and select VM Policies >> Edit VM Storage Policies.

3. In VM storage policy, select VM Encryption Policy. Click OK.

Back to the main screen, you can monitor the process of reconfiguration of VM disks and VM home. If you only want to enable encryption feature for part of VM, please read the following steps.

4. Click Edit VM Storage Policy >> Configure per disk. Select Datastore Default for unencrypted disks. Click OK.

 Free method to protect VMware VM security

For businesses, data security is life. In general, you can't predict if you will lose your data in the next second. Power outages, natural disasters, virus software or careless human error can easily result in serious financial losses. 20 percent of companies who experienced data loss from outages said it cost them between $50,000 and $5 million. So, how to protect your important VM data is the point discussed in this part.

Here, I’d like to apply a free VMware backup software - AOMEI Cyber Backup to provide continuous protections for virtual machines. With this professional tool, you can get the following benefits.

Perpetual free: no time limit for AOMEI Cyber Backup Free Edition.
Support free ESXi: supports both paid and free versions of VMware ESXi.
Easy-to-use: backup and restore multiple virtual machines via central console without complicated configuration and reinstallation.
Automatically run backup tasks: It can auto backup virtual machines on regular basis to protect VMware workloads continuously.
Flexible backup strategies: It creates full backup for entire VM, or incremental/differential backup.
Instant Disaster Recovery: Once the VMware crashes, it can quickly restore VM to normal state and reduce business-critical downtime.

Please hit the button below to download and use AOMEI Cyber Backup for free:

*You can choose to install this VM backup software on either Windows or Linux system.

Steps to create a highly secure backup task for free:

1. Install AOMEI Cyber Backup and add vCenter or Standalone ESXi host as the source device. And then click Backup Task >> Create New Task.

2. Enter a name for backup task and select VMware ESXi Backup. Then select one or more virtual machines for backup.

3. Choose the backup Target  to place backup files. You can store the files to network or local destination.

3. Select backup method and specify the time to run the task automatically. It is flexible to choose time period as daily, weekly, monthly by date or monthly by week

4. Once your original VM corrupts, you can restore the entire VM to its normal status from any selected backup version. It saves your time to reinstall applications or configure multiple VMs.

✍ While the Free Edition covers most of the VM backup needs, you can also upgrade to Premium Edition to enjoy:
✦ Batch VM Backup: batch backup large numbers of VMs managed by vCenter Server or standalone ESXi hosts.
✦ Backup Cleanup: Configure retention policy to auto delete the old backup files and save storage space.
✦ Restore to new location: Easily make a clone of a virtual machine in the same or another datastore/host, without reinstalling or configuring a new VM.

Summary

An encrypted virtual machine enjoys a high degree of data privacy. This article includes the detailed steps to encrypt an existing VM and create a new encrypted virtual machine. In addition to encryption, you can also backup VMware to achieve efficient VM encryption.