Recrypt Only Key Encryption Keys

For shallow recrypt, which affects only the key encryption keys (KEKs), set the

crypto

property in the

VirtualMachineConfigSpec

CryptoSpecShallowRecrypt

and call the

Reconfigure

method.

Shallow Recrypt

void ShallowRecrypt() throws Exception {
    // Shallow recrypt follows the same flow as encrypt. The two differences are:
    // - Instead of using a new encryption profile, just get the previously
    //   applied profile from the virtual machine to be reconfigured and use it.
    // - The type of CryptoSpec object created is CryptoSpecShallowRecrypt()
    // Create CryptoSpec for shallow recrypt
    // Get Key Id from CryptoManager as newKeyId
    CryptoSpecShallowRecrypt cryptoSpec = new CryptoSpecShallowRecrypt();
    cryptoSpec.setNewKeyId(newKeyId);
    // Follow steps from Encrypt() 
}

Shallow recrypt can be done with the virtual machine powered on. Deep recrypt requires power off.

Recrypting Encrypted Virtual Machines

Content feedback and comments

VMware vSphere SDKs and Tools 6.7

Recrypt Only Key Encryption Keys