Host Encryption Mode

You can encrypt virtual machines only if host encryption mode is enabled for the ESXi host. Host encryption mode is often enabled automatically, but it can be enabled explicitly.
You can check and explicitly set the current host encryption mode from the vSphere Client or by using the vSphere API; see API Methods to Prepare an ESXi Host.
After host encryption mode is enabled, it cannot be disabled easily. See the vSphere Security guide for details.
Automatic changes occur when encryption operations attempt to enable host encryption mode. For example, suppose that you add an encrypted virtual machine to an ESXi host, and host encryption mode is not enabled. If you have the required privileges on the host, encryption mode automatically changes to enabled.
Assume a cluster that includes three ESXi hosts, host A, B, and C. You add an encrypted virtual machine to host A. What happens depends on several factors. If all three hosts have encryption enabled, you can create an encrypted virtual machine if you have Encrypt new privileges. If none of the hosts has encryption enabled, and you have Register host privileges on host A, then the virtual machine creation process enables host encryption on that host; otherwise an error results. The scenario is more complicated if host B or C is not enabled for encryption; see the vSphere Security guide for details.
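The three-host scenario above, worked through in code as an added example that is not part of the vSphere documentation or SDK. It uses two real vSphere API members, HostSystem.runtime.cryptoState (the HostCryptoState enum) and HostSystem.PrepareCrypto(); the Decision class, the privilege strings spelled as the text gives them, and the FakeHost used as offline input are this example's own constructs.

```python
"""Check ESXi host encryption mode and apply the cluster rules from the text."""
from dataclasses import dataclass
from types import SimpleNamespace

ENABLED = "safe"                       # HostCryptoState: host key set, VMs may be encrypted
NEEDS_ENABLE = {"incapable", "pendingIncapable"}
ENCRYPT_NEW = "Encrypt new"            # privilege names as the text spells them (assumption)
REGISTER_HOST = "Register host"


@dataclass
class Decision:
    action: str   # "create", "enable-then-create", "error", "consult-guide"
    reason: str


def prepare_host_encryption(host, can_register_host: bool) -> str:
    """Return cryptoState, calling PrepareCrypto() when the host is not yet enabled."""
    state = host.runtime.cryptoState
    if state == ENABLED:
        return state
    if not can_register_host:
        raise PermissionError("host encryption mode is off and caller lacks Register host")
    host.PrepareCrypto()               # real API call: host moves to the 'prepared' state
    return host.runtime.cryptoState


def plan_encrypted_vm(hosts, target, privileges):
    """Decide what adding an encrypted VM to `target` does in a cluster.

    hosts: name -> object exposing runtime.cryptoState (e.g. vim.HostSystem)
    privileges: privilege names the caller holds on `target`
    """
    enabled = {n for n, h in hosts.items() if h.runtime.cryptoState == ENABLED}
    if enabled == set(hosts):                              # every host already enabled
        if ENCRYPT_NEW in privileges:
            return Decision("create", "all hosts enabled; caller may encrypt new VMs")
        return Decision("error", f"missing {ENCRYPT_NEW} privilege")
    if not enabled:                                        # no host enabled yet
        if REGISTER_HOST in privileges:
            prepare_host_encryption(hosts[target], True)   # creation enables the target host
            return Decision("enable-then-create", f"host encryption enabled on {target}")
        return Decision("error", f"no host enabled and caller lacks {REGISTER_HOST} on {target}")
    return Decision("consult-guide", "mixed cluster; see the vSphere Security guide")


class FakeHost:
    """Constructed stand-in for vim.HostSystem so the example runs offline."""
    def __init__(self, state):
        self.runtime = SimpleNamespace(cryptoState=state)

    def PrepareCrypto(self):
        if self.runtime.cryptoState in NEEDS_ENABLE:
            self.runtime.cryptoState = "prepared"          # what a live host reports next
```

With live pyvmomi objects, pass the vim.HostSystem instances of the cluster in place of FakeHost; the decision logic is unchanged.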