vCenter: 6.7 (latest update); vSphere: 6.5 (latest update)
I am having an issue with migrating or copying VMs - hot or cold - that use encryption via either 'Migrate' or 'Copy' in vCenter 6.7. Both the source vSphere server ('source') and the destination ('destination'), both running vSphere 6.5, have encryption enabled and reference the same KMS cluster; I can encrypt VMs on both servers with no problem.
However, when I start a migration process of an encrypted VM from server1 to server2, despite choosing "Keep existing VM storage policies" (or selecting "VM Encryption Policy" explicitly), I get an error status popup that reads:
Status: "The operation is not supported on the object."
The error in the 'events' log reads:
"Changing or applying VM Storage Policies with Data Service capabilities during migrate operations is disallowed. VM Storage Policies with Data Service capabilities can be assigned to the provisioned VM after the migrate operation has been completed and before the VM has been powered on."
According to VMware knowledge base article https://kb.vmware.com/s/article/78488:
"If you create a VM that is on a storage policy that has host-based rules like IOPS or VM Encryption enabled, trying to clone the VM and change the storage policy of the target VM fails with an error 'Changing or applying VM Storage Policies with Data Service capabilities during clone operations is disallowed.' This is a known limitation of the vSphere 6.5/6.7 release."
It says the workaround is:
"to have a homologous setting on the datastores (source and destination) neither with SIOC enabled or not."
Certainly VMware customers have been able to migrate encrypted VMs to other hosts within the release lifetime of 6.5 and 6.7 without having to fully decrypt, transfer, and re-encrypt. This seems both superfluous and insecure.
Anyone know what I'm doing wrong/missing here? Thank you!