Quick Tip: Virtual Disk Encryption in vSphere 6.5
Knowing the difference between virtual disk encryption and virtual machine encryption can save you some heartburn.
Like some competing hypervisors, vSphere allows virtual hard disks to be encrypted. One of the most important things to understand about encryption in vSphere 6.5 is that virtual disk encryption and virtual machine encryption are not the same thing. It is possible, for example, to create an encrypted virtual machine (VM) that uses unencrypted virtual disks (not that you would probably ever want to do that). Conversely, however, you cannot add an encrypted disk to an unencrypted VM.
Encryption is dictated by a VM's storage policy. The rules governing encryption are relatively straightforward, but it still helps to be familiar with the various use cases in order to avoid surprises.
As you would probably expect, if you add virtual disks to an encrypted virtual machine as a part of the VM creation process, then both the disks and the VM itself are encrypted. Likewise, if you were to encrypt an existing VM, then the attached virtual disks are also encrypted. This occurs because encrypting a VM modifies the VM's storage policy. It is possible, however, to associate an alternate storage policy with the virtual disks.
So what happens if you add an existing unencrypted disk to an encrypted VM? If you simply attempt to add the virtual disk without doing anything else, the operation will fail. Remember, it is the storage policy that controls encryption. Therefore, if you want to add an unencrypted disk to an encrypted VM, you will have to add the disk to the default storage policy before adding the disk to the VM. If your goal is to leave the disk unencrypted, you can select a different storage policy for the disk after it's been added.
What if you want to add a disk to an encrypted VM whose storage policy doesn't use encryption? This is where things might not behave quite the way that you would expect. When you add the disk to the VM, the disk will use the default storage policy. You will have to select your preferred storage policy after the disk has been added.
As you can see, the relationship between encrypted VMs and encrypted disks is relatively straightforward. Even so, there are a couple of situations in which virtual disk encryption might not be handled in the way you might expect.
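The two rules above (an encrypted disk never sits on an unencrypted VM; an encrypted VM may carry unencrypted disks) can be checked across an inventory. The following PowerCLI-style audit is an added example, not code from the article or from VMware: it assumes that a VM's encryption state is visible as `ExtensionData.Config.KeyId` on a `Get-VM` object and a disk's as `ExtensionData.Backing.KeyId` on a `Get-HardDisk` object (the vSphere 6.5 API's CryptoKeyId fields, null when unencrypted), and it exercises the check with constructed sample data so it runs without a vCenter connection.

```powershell
# Added example: flag VMs whose disk encryption state does not match the VM's.
function Test-VMDiskEncryptionState {
    param(
        [Parameter(Mandatory)] [string]   $VMName,
        [Parameter(Mandatory)] [bool]     $VMEncrypted,   # $true when Config.KeyId is set
        [object[]] $Disks = @()                            # objects with Name and Encrypted
    )
    $findings = @()
    foreach ($disk in $Disks) {
        if ($disk.Encrypted -and -not $VMEncrypted) {
            # vSphere refuses this combination, so seeing it means the inventory data is stale or wrong.
            $findings += "$VMName/$($disk.Name): encrypted disk on an unencrypted VM (invalid state)"
        }
        elseif ($VMEncrypted -and -not $disk.Encrypted) {
            # Allowed, but usually unintended: the disk was added and left on a non-encrypting policy.
            $findings += "$VMName/$($disk.Name): unencrypted disk attached to an encrypted VM"
        }
    }
    return $findings
}

# Live inventory (assumed property paths; needs Connect-VIServer to a vCenter first).
function Get-VMEncryptionReport {
    foreach ($vm in Get-VM) {
        $disks = foreach ($hd in Get-HardDisk -VM $vm) {
            [pscustomobject]@{
                Name      = $hd.Name
                Encrypted = ($null -ne $hd.ExtensionData.Backing.KeyId)
            }
        }
        Test-VMDiskEncryptionState -VMName $vm.Name `
            -VMEncrypted ($null -ne $vm.ExtensionData.Config.KeyId) -Disks $disks
    }
}

# Constructed sample: an encrypted VM whose second disk was added later on the default policy.
$sampleDisks = @(
    [pscustomobject]@{ Name = 'Hard disk 1'; Encrypted = $true  },
    [pscustomobject]@{ Name = 'Hard disk 2'; Encrypted = $false }
)
Test-VMDiskEncryptionState -VMName 'db01' -VMEncrypted $true -Disks $sampleDisks
```

Run `Get-VMEncryptionReport` after connecting to vCenter to apply the same check to real VMs; any "invalid state" line deserves a closer look at the inventory, while the "unencrypted disk" lines are the surprise cases this article describes.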
Brien Posey is a seven-time Microsoft MVP with over two decades of IT experience. As a freelance writer, Posey has written many thousands of articles and written or contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. When he isn't busy writing, Brien Posey enjoys exotic travel, scuba diving, and racing his Cigarette boat. You can visit his personal Web site at: www.brienposey.com.