In this article, let’s see how to enable ESXi Host Encryption in a vSphere 6.5 environment. Some Virtual Machine Encryption tasks enable ESXi Host Encryption automatically if the account running them has the relevant privileges. One important point: a host can run encrypted virtual machines only after host-level encryption is enabled, which is why those tasks turn it on for you. Encryption tasks are possible only in environments that include vCenter Server.
After host encryption mode is enabled, all core dumps on the host are encrypted, so a core dump (which can contain sensitive data such as keys held in memory) cannot leak information from your secure virtualized environment. If you no longer use Virtual Machine Encryption you can disable Host Encryption, but disabling it is not as straightforward as enabling it. Let’s see how to work with these settings.
vCenter Cryptography Privileges and Roles
By default, the vCenter Server Administrator role has all the relevant privileges. There is also a No cryptography administrator role, which has the Administrator privileges except the cryptography-related ones.
Besides all of the Cryptographic operations privileges, the No cryptography administrator role also lacks the following privileges:
- Global -> Diagnostics
- Host -> Inventory -> Add host to cluster
- Host -> Inventory -> Add standalone host
- Host -> Local operations -> Manage user groups
This is a sample of the privilege list of the No cryptography administrator role as shown in the vSphere Web Client:
How to Enable ESXi Host Encryption
To enable Host Encryption Mode, the “Cryptographic operations.Register host” privilege is required on the host.
Log in to the vSphere Web Client, select the host and go to Configure -> Security Profile. Under “Host Encryption Mode”, click “Edit”.
Set the Encryption Mode to Enabled and click “OK”.
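The same change can be made from PowerCLI, which is handy when you want to check or enable encryption mode on many hosts. The script below is an added example written for this post, not VMware’s own code: it reads the host’s crypto state through the vSphere API (HostRuntimeInfo.cryptoState) and, if the mode is not yet enabled, does what the “Enable” button does, namely generates a host key from the default KMS cluster and hands it to the host with HostSystem.EnableCrypto. It assumes PowerCLI is installed, a KMS cluster is already registered with vCenter (KMS setup is not covered in this post), and the account holds Cryptographic operations.Register host; the vCenter and host names are placeholders.

```powershell
# Added example: check and enable ESXi Host Encryption Mode with PowerCLI.
# Assumptions: PowerCLI module available, a KMS cluster already registered in
# vCenter, and the account holds "Cryptographic operations.Register host".
# The server and host names below are placeholders for your environment.
param(
    [string]$VCenter  = 'vcsa.lab.local',
    [string]$HostName = 'esxi01.lab.local'
)

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $VCenter | Out-Null

$vmhost   = Get-VMHost -Name $HostName
$hostView = Get-View -Id $vmhost.Id -Property Name, Runtime.CryptoState

# HostRuntimeInfo.cryptoState values:
#   incapable - host encryption mode disabled
#   prepared  - host can accept a host key but has none yet
#   safe      - host encryption mode enabled (core dumps are encrypted)
Write-Host ("{0}: crypto state = {1}" -f $hostView.Name, $hostView.Runtime.CryptoState)

if ($hostView.Runtime.CryptoState -eq 'safe') {
    Write-Host 'Host encryption mode is already enabled; nothing to do.'
    return
}

# What the "Host Encryption Mode -> Enable" button does behind the scenes:
# ask the vCenter CryptoManager (KMIP) for a new key from the default KMS
# cluster ($null = default key provider) and enable crypto on the host with it.
$cryptoMgr = Get-View -Id $global:DefaultVIServer.ExtensionData.Content.CryptoManager
$keyResult = $cryptoMgr.GenerateKey($null)
if (-not $keyResult.Success) {
    throw ("Host key generation failed: {0}" -f $keyResult.Reason)
}

$hostView.EnableCrypto($keyResult.KeyId)

# Refresh the cached view and confirm the new state; 'safe' means enabled.
$hostView.UpdateViewData('Runtime.CryptoState')
Write-Host ("{0}: crypto state = {1}" -f $hostView.Name, $hostView.Runtime.CryptoState)
```

If the account lacks Cryptographic operations.Register host, the EnableCrypto call fails with a NoPermission fault, which is the same check the UI performs before letting you flip the switch.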
How to Disable the Host Encryption Mode
If you no longer use Virtual Machine Encryption you can disable Host Encryption. Enabling Host Encryption Mode is an easy task if you have the right privileges, but disabling Host Encryption is a bit of a pain. Unfortunately, I don’t have the screen captures to show you the steps; if I get a chance in the future I will update the post with the screen captures.
To disable Host Encryption Mode, follow the steps below:
- Unregister all encrypted virtual machines from the host
- Unregister the host from vCenter Server
- Reboot the host
- Register the host with vCenter Server again
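The four steps above can be scripted with PowerCLI. The script below is an added example written for this post, not VMware’s own procedure or code: it finds the encrypted VMs on the host by looking for a CryptoKeyId in their configuration, unregisters them, removes the host from vCenter, reboots it over a direct connection (the host is no longer managed by vCenter at that point, so vCenter cannot reboot it), and registers it again. It assumes PowerCLI is installed, the encrypted VMs are powered off and the remaining VMs have been powered off or migrated (maintenance mode is required before the host can be removed), and that you have the host’s root credential; the vCenter, host and datacenter names are placeholders.

```powershell
# Added example: disable ESXi Host Encryption Mode by scripting the four steps
# (unregister encrypted VMs, unregister host, reboot, re-register).
# Assumptions: PowerCLI available, encrypted VMs powered off, other VMs powered
# off or migrated so the host can enter maintenance mode, root credential for
# the host. Server, host and datacenter names are placeholders.
param(
    [string]$VCenter    = 'vcsa.lab.local',
    [string]$HostName   = 'esxi01.lab.local',
    [string]$Datacenter = 'LabDC',
    [pscredential]$HostCred = (Get-Credential -Message 'ESXi root credential')
)

Import-Module VMware.VimAutomation.Core
$vc     = Connect-VIServer -Server $VCenter
$vmhost = Get-VMHost -Server $vc -Name $HostName

# Step 1: unregister every encrypted VM on the host. An encrypted VM carries a
# CryptoKeyId in VirtualMachineConfigInfo.keyId; unencrypted VMs have none.
# Remove-VM without -DeletePermanently only removes the inventory entry and
# leaves the (encrypted) files on the datastore for later re-registration.
$encryptedVMs = Get-VM -Server $vc -Location $vmhost |
    Where-Object { $null -ne $_.ExtensionData.Config.KeyId }

foreach ($vm in $encryptedVMs) {
    if ($vm.PowerState -ne 'PoweredOff') {
        throw ("{0} is encrypted and still powered on; power it off before continuing." -f $vm.Name)
    }
    Write-Host ("Unregistering encrypted VM {0} at {1}" -f $vm.Name, $vm.ExtensionData.Config.Files.VmPathName)
    Remove-VM -Server $vc -VM $vm -Confirm:$false
}

# Step 2: unregister the host from vCenter Server (must be in maintenance mode).
Set-VMHost -Server $vc -VMHost $vmhost -State Maintenance -Confirm:$false | Out-Null
Remove-VMHost -Server $vc -VMHost $vmhost -Confirm:$false

# Step 3: reboot the host. It is no longer in vCenter, so connect to it directly.
$esx = Connect-VIServer -Server $HostName -Credential $HostCred
Restart-VMHost -Server $esx -VMHost (Get-VMHost -Server $esx) -Force -Confirm:$false | Out-Null
Disconnect-VIServer -Server $esx -Confirm:$false

# Wait until the host answers on 443 again before re-adding it.
do {
    Start-Sleep -Seconds 30
} until (Test-NetConnection -ComputerName $HostName -Port 443 -InformationLevel Quiet)

# Step 4: register the host with vCenter Server again and confirm the result.
# After the reboot and re-registration the crypto state should read 'incapable'.
$vmhost = Add-VMHost -Server $vc -Name $HostName -Location (Get-Datacenter -Server $vc -Name $Datacenter) `
                     -Credential $HostCred -Force -Confirm:$false
$state  = (Get-View -Server $vc -Id $vmhost.Id -Property Runtime.CryptoState).Runtime.CryptoState
Write-Host ("{0}: crypto state after re-registration = {1}" -f $HostName, $state)
```

Keep the VmPathName values the script prints: they are what you need to register the encrypted VMs again (on a host that still has encryption mode enabled) if you change your mind later.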