Host Encryption Mode
You can encrypt virtual machines only if host encryption mode is enabled for the ESXi host. Host encryption mode is often enabled automatically, but it can also be enabled explicitly. You can check the current host encryption mode, and set it explicitly, from the vSphere Client or by using the vSphere API; see API Methods to Prepare an ESXi Host. After host encryption mode is enabled, it cannot be disabled easily. See the vSphere Security guide for details.
Automatic changes occur when an encryption operation attempts to enable host encryption mode. For example, suppose that you add an encrypted virtual machine to an ESXi host on which host encryption mode is not enabled. If you have the required privileges on the host, host encryption mode is enabled automatically as part of the operation.
Assume a cluster that includes three ESXi hosts, host A, B, and C. You add an encrypted virtual machine to host A. What happens depends on several factors. If all three hosts have host encryption mode enabled, you can create the encrypted virtual machine if you have the Cryptographic operations.Encrypt new privilege. If none of the hosts has host encryption mode enabled, and you have the Cryptographic operations.Register host privilege on host A, then the virtual machine creation process enables host encryption mode on that host; otherwise an error results. The scenario is more complicated if host B or C is not enabled for encryption; see the vSphere Security guide for details.
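The following is an added example, not code from the vSphere SDK guide or from VMware. It shows the two things described above: reading and explicitly setting host encryption mode through the vSphere API (the HostSystem cryptoState property and the PrepareCrypto and EnableCrypto methods), and a small offline model of the three-host scenario that decides whether registering an encrypted virtual machine succeeds, enables host encryption mode, or fails. The live functions assume pyVmomi is installed and a vCenter Server is reachable; the Cluster class, its host names, and the privilege sets are constructed stand-ins for inventory data, and the requirement that Encrypt new also be held in the Register host case is an assumption rather than something the text states.

```python
"""Host encryption mode on ESXi: read cryptoState, enable it, and model VM placement.

Added example; not from the vSphere SDK guide. Live functions need pyVmomi and a
reachable vCenter Server; the rest runs offline on constructed data.
"""
import ssl
from dataclasses import dataclass

# HostRuntimeInfo.cryptoState values (vim.host.CryptoState)
INCAPABLE = "incapable"                 # host encryption mode not enabled
PREPARED = "prepared"                   # PrepareCrypto() done, host key not set yet
SAFE = "safe"                           # host encryption mode enabled, host key set
PENDING_INCAPABLE = "pendingIncapable"  # explicitly disabled; takes effect after reboot

# vSphere API privilege IDs behind the UI labels used in the text
ENCRYPT_NEW = "Cryptographer.EncryptNew"      # Cryptographic operations.Encrypt new
REGISTER_HOST = "Cryptographer.RegisterHost"  # Cryptographic operations.Register host


def next_crypto_call(crypto_state):
    """HostSystem method that moves a host one step toward 'safe'; None if none applies."""
    return {
        INCAPABLE: "PrepareCrypto",
        PREPARED: "EnableCrypto",
        SAFE: None,               # already enabled; no method turns it back off
        PENDING_INCAPABLE: None,  # nothing to do until the host reboots and reads 'incapable'
    }[crypto_state]


@dataclass
class Cluster:
    """Constructed stand-in for inventory data: cryptoState and held privileges per host."""
    crypto_state: dict   # host name -> cryptoState string
    privileges: dict     # host name -> set of privilege IDs the caller holds on that host


def plan_encrypted_vm(cluster, target):
    """Model registering an encrypted VM on `target`: ('ok'|'enable_host'|'error', reason).

    A 'safe' host needs only Encrypt new. A host that is not 'safe' gets host
    encryption mode enabled by the creation step only if the caller also holds
    Register host on it; otherwise the operation errors. Requiring Encrypt new in
    the second case is an assumption made here.
    """
    state = cluster.crypto_state[target]
    privs = cluster.privileges.get(target, set())
    if ENCRYPT_NEW not in privs:
        return "error", f"{target}: missing {ENCRYPT_NEW}"
    if state == SAFE:
        return "ok", f"{target}: host encryption mode already enabled"
    if state in (INCAPABLE, PREPARED) and REGISTER_HOST in privs:
        return "enable_host", f"{target}: creation calls {next_crypto_call(state)} first"
    return "error", f"{target}: cryptoState={state} and no {REGISTER_HOST}"


def connect(host, user, password, cafile=None):
    """Open a pyVmomi session; TLS is verified against the system store or `cafile`."""
    from pyVim.connect import SmartConnect
    ctx = ssl.create_default_context(cafile=cafile)
    return SmartConnect(host=host, user=user, pwd=password, sslContext=ctx)


def host_crypto_states(si):
    """Return {host name: cryptoState} for every ESXi host in the vCenter inventory."""
    from pyVmomi import vim
    content = si.RetrieveContent()
    view = content.viewManager.CreateContainerView(
        content.rootFolder, [vim.HostSystem], True)
    try:
        return {h.name: h.runtime.cryptoState for h in view.view}
    finally:
        view.Destroy()


def enable_host_crypto(host_mo):
    """Drive a HostSystem managed object to 'safe'; needs Register host on that host.

    Once the host is 'safe' there is no API call that disables host encryption mode.
    """
    state = host_mo.runtime.cryptoState
    if state == INCAPABLE:
        host_mo.PrepareCrypto()      # 'incapable' -> 'prepared'
        state = host_mo.runtime.cryptoState
    if state == PREPARED:
        host_mo.EnableCrypto()       # keyId omitted: host key comes from the default key provider
        state = host_mo.runtime.cryptoState
    return state


if __name__ == "__main__":
    import sys
    # usage: python host_crypto.py VCENTER USER PASSWORD [CA_BUNDLE]
    si = connect(*sys.argv[1:5])
    for name, state in sorted(host_crypto_states(si).items()):
        print(f"{name:32} cryptoState={state:18} next={next_crypto_call(state)}")
```

Running the script prints each host's cryptoState and the method that would enable host encryption mode on it; enable_host_crypto is the explicit path the text refers to, and because it ends in 'safe' with no reverse call, run it only on hosts you intend to keep in that mode.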