By Crystal / Last Updated April 25, 2022

What is an encrypted virtual machine

In VMware environment, the hypervisor encryption feature is first available in VMware vSphere 6.5. You can enable VM Encryption policy to create an encrypted virtual machine. For Hyper-V VM encryption, BitLocker is needed to encrypt virtual machines and disks.

Virtual machine with encryption feature is able to encrypt I/Os before data gets stored in the VMDK. An encrypted virtual machine makes sure someone does not have unauthorized access to your data.

Should you encrypt virtual machine

Data security of virtual machines is very important for enterprises. An encrypted virtual machine protects the sensitive data and enhances business security. At the same time, virtual machines are very vulnerable when performing vMotion, any changes may cause the failure of vMotion operation. Encrypting virtual machines and virtual disks ensures the security of VM data while transferring.

In this article, I will demonstrate the procedures to encrypt virtual machines in VMware. You can encrypt virtual machines or virtual disks by changing a storage policy.


Encrypt VMware

Prerequisites to encrypt VMware VM

Before creating an encrypted virtual machine, the following points are worth noting.

1. Ensure the virtual machine that needs be encrypted is powered off.

2. Create a VM encryption storage policy.

3. Establish a trusted connection with the KMS and select a default KMS.

4. Verify that you have the required privileges:

  • Cryptographic operations. Encrypt new.
  • If the host encryption mode is not Enabled, you also need Cryptographic operations. Register host.

How to encrypt VMware virtual machine

In this section, I will explain how to create a new encrypted virtual machine and how to encrypt an existing virtual machine with the hypervisor encryption feature in detail.

Create a new encrypted virtual machine

1. Navigate to the virtual machine in the vSphere Client inventory, and click New Virtual Machine.

2. Select Create a new virtual machine >> enter a new name for the VM >> select a location >> select the destination computer resource.

3. On the Select storage page, you should enable Encrypt this virtual machine. Then select VM Encryption Policy.

VM encryption policy

4. Select compatibility as ESXi 6.5 and later which allows you to migrate the encrypted virtual machine to the hosts with compatibility. Then select a guest OS that will be installed on the VM.

5. On Customize hardware page, configure the hardware such as CPU, memory……

Click VM Options >> Encryption. Specify the virtual disk to be encrypted or decrypted. You can also change the Encrypted vMotion setting to encrypt transferring process.

create a new encrypted vm

Or you can back to Virtual Hardware page to select ADD NEW DEVICE >> Hard Disk, then specify the VM storage policy for each disk.

encrypt disk

6. Review the information, and click Finish.

After you have encrypted your virtual machines, you can access to Summary on the main screen to check if the virtual machine is encrypted successfully. Click Encryption to see VM configuration files are encrypted. Hard disk is encrypted.

Tips: An encrypted virtual machine may consist of encrypted disks or VM home files. But you cannot encrypt the virtual disk of an unencrypted virtual machine, which means if you want to encrypt a virtual disk, please encrypt this virtual machine first.

Encrypt an existing VM in VMware

1. Log in vSphere Client, and connect to vCenter Sever.

2. Right-click the virtual machine you want to encrypt, and select VM Policies >> Edit VM Storage Policies.

3. In VM storage policy, select VM Encryption Policy. Click OK.

edit storage policy

Back to the main screen, you can monitor the process of reconfiguration of VM disks and VM home. If you only want to enable encryption feature for part of VM, please read the following steps.

4. Click Edit VM Storage Policy >> Configure per disk. Select Datastore Default for unencrypted disks. Click OK.

encrypt an existing vm

Efficient method to protect VM security

For businesses, data security is life. In general, you can't predict if you will lose your data in the next second. Power outages, natural disasters, virus software or careless human error can easily result in serious financial losses. 20 percent of companies who experienced data loss from outages said it cost them between $50,000 and $5 million. So how to protect your important VM data is the point discussed in this part.

Here, I’d like to apply AOMEI Cyber Backup to provide continuous protections for virtual machines. With this professional tool, you can get the following benefits.

Automatically run backup tasks: It can auto backup virtual machines on regular basis to protect VMware workloads continuously.
dddFlexible backup strategies: It creates full backup for entire VM, or incremental/differential backup.
Instant Disaster Recovery: Once the VMware crashes, it can quickly restore VM to normal state and reduce business-critical downtime.

Download Free TrialVMware ESXi 6.0 & later versions
Secure Download

Steps to create a highly secure backup task

1. Install AOMEI Cyber Backup and click Backup Task >> Create New Task.

create ESXi backup

2. Enter a name for backup task and select VMware ESXi Backup. Then select one or more virtual machines for backup.

select virtual machine

3. Choose the backup Target  to place backup files. You can store the files to network or local destination.

backup VM to network

3. Select backup method and specify the time to run the task automatically. It is flexible to choose time period as daily, weekly, monthly by date or monthly by week

schedule backup

4. Configure Backup Cleanup to choose retention policy for each backup that will delete the unwanted files automatically.

delete backups

5. Once your original VM corrupts, you can click Restore to return the whole virtual machine to normal statue or to another host securely. It saves your time to reintall applications or configure multiple VMs.

restore ESXi VM


An encrypted virtual machine enjoys a high degree of data privacy. This article includes the detailed steps to encrypt an existing VM and create a new encrypted VM. In addition to the built-in features for VM protection, you can try a third-party tool to achieve efficient VM encryption.