VMware VM encryption For Data Security [Best Practices & More]



Leakage of confidential business information can be a true disaster for any company, so data security is an issue of prime importance for most companies. When organizing an IT infrastructure, the administrators’ top question is how to provide secure storage for sensitive business information.

In this article, I suggest taking a closer look at a relatively recent method of ensuring data security, along with best practices and more: VMware virtual machine encryption, which can be a good remedy against intruders for your organization.

Why Encrypt in VMware


Encrypting virtual machines (VMs) is an important step organizations take to protect their confidential applications and data. Encryption is a mechanism used to protect data by transforming it into an unreadable format, so that it remains private from anyone not explicitly authorized to decrypt it.

Gaining access to encrypted information requires a person or application to possess the “key” to open the encryption formula and convert the data back to its original readable format. In this way, encryption provides a fail-safe mechanism, whereby, if all other cybersecurity measures fail and data is stolen, the information is still protected because it is unreadable and, therefore, useless to the person or machine trying to access it. The data remains secure and compliant. VMware provides several options for deploying encryption functionality.

VM Encryption enhances security in VMware vSphere 6.5

Although VM-level encryption has been around for some time, it's been riddled with problems. VMware aims to change all that with the new VM Encryption tool in vSphere 6.5.

In spite of its ability to secure VMs against unauthorized use, VM-level encryption has been a slow starter, in large part due to bugs in the system. VMware hopes to smooth out these kinks with its own VM Encryption tool, included in vSphere 6.5.

vSphere 6.5 VM Encryption doesn't occur within the guest OS, but rather at the hypervisor and Virtual Machine File System (VMFS) level. This way, there's nothing to install in the guest OS, whether Windows or Linux.

How vSphere Virtual Machine Encryption Protects Your Environment

With vSphere Virtual Machine Encryption, you can create encrypted virtual machines and encrypt existing virtual machines. Because all virtual machine files with sensitive information are encrypted, the virtual machine is protected. Only administrators with encryption privileges can perform encryption and decryption tasks. (Source: VMware vSphere documentation)

What Keys Are Used

Two types of keys are used for encryption.

  • The ESXi host generates and uses internal keys to encrypt virtual machines and disks. These keys are used as data encryption keys (DEKs) and are XTS-AES-256 keys.
  • vCenter Server requests keys from the KMS. These keys are used as the key encryption key (KEK) and are AES-256 keys. vCenter Server stores only the ID of each KEK, but not the key itself.
  • ESXi uses the KEK to encrypt the internal keys, and stores the encrypted internal key on disk. ESXi does not store the KEK on disk. If a host reboots, vCenter Server requests the KEK with the corresponding ID from the KMS and makes it available to ESXi. ESXi can then decrypt the internal keys as needed.

What does 'encrypted' mean?

vSphere Virtual Machine Encryption supports encryption of virtual machine files, virtual disk files, and core dump files.

Virtual machine files
Most virtual machine files, in particular guest data that is not stored in the VMDK file, are encrypted. This set of files includes but is not limited to the NVRAM, VSWP, and VMSN files. The key that vCenter Server retrieves from the KMS unlocks an encrypted bundle in the VMX file that contains the internal keys and other secrets.
If you are using the vSphere Client to create an encrypted virtual machine, you can encrypt and decrypt virtual disks separately from virtual machine files. If you are using the vSphere Web Client to create an encrypted virtual machine, all virtual disks are encrypted by default. For other encryption tasks, in both clients, such as encrypting an existing virtual machine, you can encrypt and decrypt virtual disks separately from virtual machine files.

All VM files, including Virtual Machine Disk (VMDK) files, virtual machine executable (VMX) configuration files, snapshot files and VMX swap files, are stored in the VM's folder, and all files stored in that folder are encrypted.

Encryption is managed by the hypervisor, rather than by the guest VM, which means the keys are never exposed in the VM's memory.

VM encryption is based on the AES algorithm and is accelerated by the AES-NI instruction set. Key management follows the KMIP 1.1 standard. Encryption of VM objects takes place at the host level, so the guest OS has no access to the encryption keys. Encrypted virtual machines move between ESXi hosts by means of encrypted vMotion.

With VMware VM encryption, encryptable and non-encryptable virtual machine data are as follows:

Encryptable:

  • VM files
  • Virtual disk files
  • Host core dump files

Not encryptable:

  • Log files
  • VM configuration files
  • Virtual disk descriptor files

How VMware VM encryption works


To start with, let’s break down the three major components of VMware VM encryption:

  • Key Management Server (KMS) is a server for managing keys. VMware uses the KMS to generate and store keys, which it later sends to vCenter. External systems that follow the KMIP standard can be used as the KMS; VMware publishes a list of certified KMS vendors.
  • Key Encryption Key (KEK) is an encryption key generated by the KMS and sent over to vCenter. vCenter, in its turn, sends the KEK to the ESXi hosts. The KEK is an AES-256 key.
  • Data Encryption Key (DEK) is an encryption key generated by an ESXi host. It is used for encryption and decryption of virtual machines. The DEK is an XTS-AES-256 key.

The key exchange then proceeds as follows:

  • After the KEK is generated, the KMS saves the key on its side and sends it over to vCenter for distribution.
  • Upon receiving the KEK from the KMS, vCenter sends the key to the ESXi host.
  • Upon receiving the KEK from vCenter, the ESXi host uses it to encrypt the DEK.
  • After encryption, the ESXi host saves the encrypted key in its memory cache.

The ESXi host is responsible for these functions:

  • Encryption of VM disks
  • Sending the guest data of encrypted virtual machines over the network in encrypted form

Important note: vCenter neither stores nor saves KMS keys; it keeps only the list of key identifiers.

Note 2: It’s also good to know that if your processor supports the AES-NI instruction set, encryption and decryption operations will run faster.

Some risk management

Now that we know how VM encryption works with VMware, let’s take a closer look at some scenarios you should keep in mind if things go wrong.

Scenario 1. What if the host has been rebooted?

The keys used to encrypt the host's data are lost from host memory on reboot. However, the keys are retrieved again from the KMS by their identifiers and transferred to the host via vCenter as soon as the host reconnects to vCenter.

Scenario 2. What if vCenter is unavailable?

Virtual machines and hosts will work as usual because the encryption key is saved to the host memory cache. If vCenter is…“dead”, recover it from a backup. If you don’t have a backup, install a new vCenter and reconnect it to KMS.

Scenario 3. What if KMS server is unavailable?

Recover the KMS from a backup as soon as possible. Once you opt for encryption in your infrastructure, the KMS becomes the component with the highest availability priority. Loss of the KMS is the highest-priority risk: it can result in total loss of data, and perhaps of your whole business!
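The key hierarchy described above (a KMS-generated KEK, a host-generated DEK, the host keeping only the KEK-wrapped DEK and vCenter keeping only the key ID) and the three scenarios, as an added Go model that is not VMware's code. It assumes AES-256-GCM as a stand-in for the real XTS-AES-256 disk encryption and KEK wrapping, and reduces the KMS, vCenter and ESXi roles to a map and a struct.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newKey returns a random AES-256 key, used for both the KEK (KMS side) and the DEK (host side).
func newKey() []byte { b := make([]byte, 32); rand.Read(b); return b }
// AES-256-GCM stands in for the AES-256 KEK wrapping and XTS-AES-256 disk encryption the page
// describes (Go's standard library has no XTS mode); seal output is nonce || ciphertext || tag.
func aead(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
func seal(key, pt []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return aead(key).Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) { return aead(key).Open(nil, ct[:12], ct[12:], nil) }

// KMS holds every KEK by ID. vCenter keeps only the IDs and hands a KEK to a host on request;
// the host persists the KEK-wrapped DEK with the VM files and caches the plaintext DEK in memory only.
type KMS map[string][]byte
type Host struct{ kekID string; wrappedDEK, dek []byte }

// EncryptVM generates a fresh DEK, wraps it under the KEK vCenter delivered, and encrypts vmData.
func (h *Host) EncryptVM(kekID string, kek, vmData []byte) []byte {
	h.kekID, h.dek = kekID, newKey()
	h.wrappedDEK = seal(kek, h.dek)
	return seal(h.dek, vmData)
}

// Reboot drops the in-memory keys (scenario 1). DecryptVM then has vCenter ask the KMS for the KEK
// by ID to unwrap the DEK; if the KMS is gone (scenario 3), the VM data is unrecoverable.
func (h *Host) Reboot() { h.dek = nil }
func (h *Host) DecryptVM(kms KMS, ct []byte) ([]byte, error) {
	if h.dek == nil {
		kek, ok := kms[h.kekID]
		if !ok {
			return nil, errors.New("KMS unreachable or KEK unknown: " + h.kekID)
		}
		var err error
		if h.dek, err = open(kek, h.wrappedDEK); err != nil {
			return nil, err
		}
	}
	return open(h.dek, ct)
}
```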

More recommendations on what to consider when implementing encryption are available on the official VMware website.

To turn on the VM encryption, change Storage Policy to Encryption Policy in the VM.

To turn off, change Storage Policy from Encryption Policy to any other.

(Figure: changing the Storage Policy from Encryption Policy)

(Figure: VMware vSphere 6.5 VM encryption workflow)


My DOs and DON’Ts advice

  • Do back up the KMS, vCenter and the virtual machines.
  • Don’t encrypt the vCenter Server Appliance.
  • Deploy the KMS on a separate host.
  • Don’t edit VMX and VMDK files. These files include the encryption bundle, and changes to them might make virtual machine recovery impossible.
  • Build a KMS cluster from 2-3 hosts.
  • Install the KMS in a public cloud, e.g. Amazon or Azure, for the sake of disaster resiliency.

Virtual Machine Encryption Best Practices

General Best Practices

Follow these general best practices to avoid problems.

  • Do not encrypt any vCenter Server Appliance virtual machines.
  • If your ESXi host fails, retrieve the support bundle as soon as possible. The host key must be available for generating a support bundle that uses a password, or for decrypting a core dump. If the host is rebooted, it is possible that the host key changes. If that happens, you can no longer generate a support bundle with a password or decrypt core dumps in the support bundle with the host key.
  • Manage KMS cluster names carefully. If the KMS cluster name changes for a KMS that is already in use, a VM that is encrypted with keys from that KMS enters a locked state during power-on or register. In that case, remove the KMS from the vCenter Server and add it with the cluster name that you used initially.
  • Do not edit VMX files and VMDK descriptor files. These files contain the encryption bundle. It is possible that your changes make the virtual machine unrecoverable, and that the recovery problem cannot be fixed.
  • The encryption process encrypts data on the host before it is written to storage. Backend storage features such as deduplication and compression might not be effective for encrypted virtual machines. Consider storage tradeoffs when using vSphere Virtual Machine Encryption.
  • Encryption is CPU intensive. AES-NI significantly improves encryption performance. Enable AES-NI in your BIOS.

Backup and Restore Best Practices

Set up policies on backup and restore operations.

  • Not all backup architectures are supported. See Virtual Machine Encryption Interoperability.
  • Set up policies for restore operations. Because backup is always in cleartext, plan to encrypt virtual machines right after the restore is complete. You can specify that the virtual machine is encrypted as part of the restore operation. If possible, encrypt the virtual machine as part of the restore process to avoid exposing sensitive information. To change the encryption policy for any disks that are associated with the virtual machine, change the storage policy for the disk.
  • Because the VM home files are encrypted, ensure that the encryption keys are available at the time of a restore.


Data has become too valuable an asset for the business to ever ignore its security. To date, encryption at the virtualization level might be the most reliable way to store and manage your important information. Here, I’ve given a deeper insight into what VMware VM encryption is, how it works, and what to consider to mitigate your risks. I hope I’ve inspired you to use encryption as a method of data security.



Web Security Expert

@WP Hacked Help [ Security Blog ]

Last update: 07-25-2019 10:42 PM