Quick Tip: Virtual Disk Encryption in vSphere 6.5
Knowing the difference between virtual disk encryption and virtual machine encryption can save you some heartburn.
Like some competing hypervisors, vSphere allows virtual hard disks to be encrypted. One of the most important things to understand about encryption in vSphere 6.5 is that virtual disk encryption and virtual machine encryption are not the same thing. It is possible, for example, to create an encrypted virtual machine (VM) that uses unencrypted virtual disks (not that you would probably ever want to do that). Conversely, however, you cannot add an encrypted disk to an unencrypted VM.
Encryption is dictated by a VM's storage policy. The rules governing encryption are relatively straightforward, but it still helps to be familiar with the various use cases in order to avoid surprises.
As you would probably expect, if you add virtual disks to an encrypted virtual machine as a part of the VM creation process, then both the disks and the VM itself are encrypted. Likewise, if you were to encrypt an existing VM, then the attached virtual disks are also encrypted. This occurs because encrypting a VM modifies the VM's storage policy. It is possible, however, to associate an alternate storage policy with the virtual disks.
So what happens if you add an existing unencrypted disk to an encrypted VM? If you simply attempt to add the virtual disk without doing anything else, the operation will fail. Remember, it is the storage policy that controls encryption. Therefore, if you want to add an unencrypted disk to an encrypted VM, you will have to add the disk to the default storage policy before adding the disk to the VM. If your goal is to leave the disk unencrypted, you can select a different storage policy for the disk after it's been added.
What if you want to add a disk whose storage policy doesn't use encryption to an encrypted VM? This is where things might not behave quite the way that you would expect. When you add the disk to the VM, the disk will use the default storage policy. You will have to select your preferred storage policy after the disk has been added.
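Because a disk's storage policy can differ from its VM's, it is worth auditing for encrypted VMs that carry unencrypted disks. The PowerCLI sketch below is an added example, not code from the article or from VMware; the function names are hypothetical, the sample rows are constructed, and the live path assumes an existing `Connect-VIServer` session and that the `KeyId` property is empty on unencrypted VMs and disks.

```powershell
# Added example: report encrypted VMs that have unencrypted virtual disks.

function Get-DiskEncryptionRow {
    # Builds one row per virtual disk from live inventory (requires PowerCLI).
    param([Parameter(Mandatory)] $VM)
    foreach ($v in $VM) {
        foreach ($d in Get-HardDisk -VM $v) {
            [pscustomobject]@{
                VM            = $v.Name
                # Assumption: KeyId is populated only when encryption is in effect.
                VMEncrypted   = $null -ne $v.ExtensionData.Config.KeyId
                Disk          = $d.Name
                DiskEncrypted = $null -ne $d.ExtensionData.Backing.KeyId
                # The policy currently associated with this disk, if any.
                DiskPolicy    = (Get-SpbmEntityConfiguration -HardDisk $d).StoragePolicy.Name
            }
        }
    }
}

function Find-EncryptionMismatch {
    # Keeps only the rows where the VM is encrypted but the disk is not.
    param([Parameter(Mandatory)] [object[]] $Row)
    $Row | Where-Object { $_.VMEncrypted -and -not $_.DiskEncrypted }
}

# Constructed sample rows (not real inventory) so the filter can be run offline.
$sample = @(
    [pscustomobject]@{ VM = 'app01'; VMEncrypted = $true;  Disk = 'Hard disk 1'
                       DiskEncrypted = $true;  DiskPolicy = 'VM Encryption Policy' }
    [pscustomobject]@{ VM = 'app01'; VMEncrypted = $true;  Disk = 'Hard disk 2'
                       DiskEncrypted = $false; DiskPolicy = 'Datastore Default' }
    [pscustomobject]@{ VM = 'web01'; VMEncrypted = $false; Disk = 'Hard disk 1'
                       DiskEncrypted = $false; DiskPolicy = 'Datastore Default' }
)

Find-EncryptionMismatch -Row $sample | Format-Table VM, Disk, DiskPolicy

# Live usage, once connected to vCenter:
# Find-EncryptionMismatch -Row (Get-DiskEncryptionRow -VM (Get-VM)) | Format-Table
```

With the sample rows, only `app01` / `Hard disk 2` is reported: the VM is encrypted, but that disk is not.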
As you can see, the relationship between encrypted VMs and encrypted disks is relatively straightforward. Even so, there are a couple of situations in which virtual disk encryption might not be handled in the way you might expect.
Brien Posey is a 16-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.