Encrypting vSphere volumes

Encrypt vSphere volumes.

In a VMware vSphere environment, you can deploy virtual machines (VMs) with encrypted storage volumes for added security. You can enable encryption on the storage volumes that you create in virtual storage area network (vSAN), virtual machine file system (VMFS), and network file system (NFS) datastores.

To encrypt vSphere volumes, you must set up a Key Management Server (KMS) on vSphere 6.5 or 6.7. For more information about setting up KMS, see the following VMware documents:

After you set up the KMS, create a storage policy to enable encryption. For more information, see the following VMware documents:

You can also enable encryption for existing VMs. To do so, edit the existing storage policy that is applied to the VMs. For more information, see the following VMware documents:

To create an encrypted volume, you must define a storage class and specify the name of the storage policy that you created for enabling encryption. See Creating a storage class for vSphere volume.

Pods in your IBM® Cloud Private cluster can now use a persistent volume claim (PVC) to claim the encrypted volumes.
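
The following manifests show the storage class, PVC, and pod steps described above. They are an added example, not taken from the IBM or VMware documentation. The policy name `vm-encryption-policy`, the object names, and the container image are assumptions; replace the policy name with the exact name of the storage policy that you created in vCenter.

```yaml
# Storage class that provisions volumes with the vSphere storage policy
# created for encryption. The policy name is a placeholder and must match
# the policy name in vCenter exactly.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: vsphere-encrypted                   # hypothetical name
provisioner: kubernetes.io/vsphere-volume   # in-tree vSphere volume provisioner
parameters:
  storagePolicyName: vm-encryption-policy   # placeholder policy name
---
# Claim that requests a volume from the encrypted storage class.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: encrypted-data                      # hypothetical name
spec:
  storageClassName: vsphere-encrypted
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
# Pod that mounts the claimed volume.
apiVersion: v1
kind: Pod
metadata:
  name: encrypted-volume-demo               # hypothetical name
spec:
  containers:
    - name: app
      image: busybox                        # constructed sample workload
      command: ["sh", "-c", "sleep 3600"]
      volumeMounts:
        - name: data
          mountPath: /data
  volumes:
    - name: data
      persistentVolumeClaim:
        claimName: encrypted-data
```

If the claim stays in the `Pending` state, run `kubectl describe pvc encrypted-data` and check the provisioning events, for example for a policy name that does not exist in vCenter.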