vSphere 6.5 Introduces New VM Encryption Features

Written by Joe Kozlowicz on Thursday, December 15th 2016

Encrypting virtual machines within the VMware hypervisor platform has been possible for some time, but can be tricky and it often impacts performance. Often the best solution is to encrypt at the storage level, as VMware does not always support OS-level encryption, either.

That may be changing as the latest version of vSphere includes VM encryption that is simple to implement as a policy. Read on to learn what’s new with this method, how it simplifies administration, and how you can implement it within vSphere 6.5.

vSphere 6.5 encryption

 What’s New with vSphere 6.5 Virtual Machine Encryption

VMware has stated that their goals with new encryption features are to minimize the steps needed for administrators, and to that end encryption at the VM level is meant to be simple. It happens as a policy and is applied at the hypervisor level. As operations move from the virtual disk to the virtual machine, the kernel encrypts them immediately before they travel to the kernel storage.

One advantage of this is that the same encryption can be used for any VM, regardless of OS, application, or datastore. Another is that the encryption is not managed on a per-VM basis, so administrators don’t need to monitor the encryption on each VM. Keys are not stored within VM memory.

The encryption methods used are KMIP 1.1 for key management, with your choice of a variety of key managers, and AES-NI for encryption.

Another new feature is encrypted vMotion, which you can configure to encrypt VMs as they are migrated to and from other hosts.


Adding Encryption to a VM in vSphere 6.5

To start off with an encrypted VM, you’ll need to create a Key Management Server. From the vCenter server inventory, choose the Manage tab, then Key Management Servers from the tabs beneath. Click Add Server.

Choose a name for your cluster and server alias. Then set the server address and port. Click OK and then click Trust to accept the certificate. The server will then appear in the Manage section of vCenter server inventory, with a certificate expiration date and a green checkbox indicating function is normal. Select this new server, and click Set Cluster as Default (next to Add Server).

Next, you’ll need to configure a storage policy. Under Policies and Profiles on the main left navigation, select VM Storage Policies. Click the button to add a storage policy and name it accordingly. Click past the information page, and then select Use Common Rules in the VM Storage Policy. Add a Component and choose Encryption from the drop down menu. Then click Add Rule and choose vmcrypt. Click next.

Deselect the option to Use Rule Sets in the Storage Policy. Click next. vSphere will then examine your storage to ensure compatibility. Assuming all is well, click next for a summary, and then Finish to complete your new encrypted storage policy.

When creating a new VM, you can add this storage policy in step 2c, Select Storage. Choose the new policy under the VM storage policy menu. On the compatibility page, which is next, leave compatibility as ESXi 6.5 or later.

Under Customize Hardware, you’ll see the new policy listed under New Hard Disk. When you choose the VM options tab, you can set the new Encrypted vMotion options. Your options are Disabled, Opportunistic (which will only use encryption if the destination supports it), or Required (which will not migrate the VM if the host does not support encrypted vMotion).

If you are adding encryption to an already running VM, simply select it (or several VMs), click All vCenter Actions, then VM Policies, and Edit VM Policies. Choose your new storage policy from the list.


That’s it! Pretty simple to configure, no? It should be relatively easy to retroactively add encryption to your existing VMs, too. Keep in mind that while hypervisor-level encryption is a great security feature, it should also remain just one piece of your security arsenal.