You can check and explicitly set the current host encryption mode from the vSphere Client or by using the vSphere API; see API Methods to Prepare an ESXi Host.

After host encryption mode is enabled, it cannot be disabled easily. See the

vSphere Security

guide for details.

Automatic changes occur when encryption operations attempt to enable host encryption mode. For example, suppose that you add an encrypted virtual machine to an ESXi host, and host encryption mode is not enabled. If you have the required privileges on the host, encryption mode automatically changes to enabled.

Assume a cluster that includes three ESXi hosts, host A, B, and C. You add an encrypted virtual machine to host A. What happens depends on several factors. If all three hosts have encryption enabled, you can create an encrypted virtual machine if you have

Encrypt new

privileges. If none of the hosts has encryption enabled, and you have

Register host

privileges on host A, then the virtual machine creation process enables host encryption on that host; otherwise an error results. The scenario is more complicated if host B or C is not enabled for encryption; see the

vSphere Security

guide for details.