VMware Cloud Community
srodenburg
Expert

How to see if a VMDK is encrypted or not

Hello,

Environment: vSphere 8.0 U1.
Question:  How can I see if a VMDK has been encrypted? (VMware level virtual disk encryption)

For testing purposes, I created a new Windows 11 VM via the "add new VM" wizard and chose Windows 11 64bit as the OS. It added the vTPM by itself and I just went through the wizard with the defaults.

Then, in vCenter, in the VM's "Virtual Machine Details" pane, it says "Encrypted with native key provider". It also shows a small lock icon which, when I hover the mouse-pointer over it, it displays "VM configuration files are encrypted.".

If I take that last statement literally, only the config files are encrypted and the VMDK is not.

I'm having a discussion with folks that say "don't take that statement with a grain of salt, everything is encrypted incl. the VMDK".

So, how do I verify/prove that the virtual disk, the VMDK, is indeed encrypted or not?
I cannot find the answer to this question in the documentation and if I google it, I only get replies on how to enable encryption etc. but that is NOT what I'm asking.

Note: I am aware of the PowerCLI module for VM Encryption on GitHub, but so far, all I get is this:

get-vm "Win11-Test" | Get-VMEncryptionInfo

Name                           Value
----                           -----
profile
connectState                   connected
name                           Win11-Test
disks                          {}
keyId                          VMware.Vim.CryptoKeyId

Can I interpret the value of "disks" being empty, and "keyId" not showing an ID, as meaning that this VM's single VMDK is not encrypted?

Tnx

Accepted Solution
zchris06
Enthusiast

Hi,

There are a few examples in this posting, midway through, to query which disks are encrypted. Hope it helps.

https://blogs.vmware.com/vsphere/2016/12/powercli-for-vm-encryption.html

5 Replies
Kinnison
Commander

Hello,


In my humble opinion everything depends on which storage policy is used (maybe as default) and the product license level since, according to the documentation, to encrypt ".VMDK" files you need the right one for the purpose.


I mean, even an essential KIT allows the use of a Key provider (native or otherwise) so adding a vTPM module but this does not automatically produce encrypted ".vmdk" files and it doesn't happen "automatically" even if you have adequate licenses (I usually use Enterprise plus level for my hosts) unless you deliberately "set things up for this to happen as default" (or by specific choice per VM).


I could also be wrong but I also interpret "disk as empty = non encrypted" but you can always try with a test VM and see what happens.


Regards,
Ferdinando

srodenburg
Expert

Ciao Ferdinando,

The system runs Enterprise Plus.

I created a second test VM and gave it the factory default storage policy "VM Encryption Policy" which, according to its description, encrypts the disk as well.

In vCenter, in the VM's "Virtual Machine Details" pane, it says "Encrypted with native key provider". It also shows a small lock icon which, when I hover the mouse-pointer over it, it displays "VM configuration files are encrypted."
So that is exactly the same as with the first test VM, which has the NFS datastore (factory) default policy.

This is the PowerCLI output:

get-vm "Win11-Test2" | Get-VMEncryptionInfo

Name                           Value
----                           -----
profile                        VM Encryption Policy
connectState                   connected
name                           Win11-Test2
disks                          {}
keyId                          VMware.Vim.CryptoKeyId

So either that PowerCLI Module, which was updated on GitHub about 2 years ago, does not work with 8.0 U1 (on NFS storage), or I have no idea why.

Kinnison
Commander

Hello,


In truth, I used the method you tried to use some time ago because I based it on my memory of the time, which is why I told you I could be wrong.
However, what I can tell you is that simply adding the vTPM module to a VM does not imply in principle or by default that the disk drives are also encrypted unless explicitly desired.


However, what I can tell you is that simply adding the vTPM module to a VM does not imply in principle or by default that the disk drives are also encrypted, unless explicitly desired via "storage policy". Usually the vCenter object says if one or more disk drives are encrypted and the information is also contained in their corresponding "file descriptor"; at least in my context with "traditional storage" it works like this.


Regards,
Ferdinando

srodenburg
Expert

Thanks Chris,

One of the commands in that article is exactly what I was looking for: "Get-VM | Get-HardDisk | Select Parent,Name,Encrypted"

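A way to make the distinction in this thread explicit (VM home encrypted versus each VMDK encrypted), as an added example rather than code from the thread, from the blog post or from VMware's VM Encryption module: the function below reads the CryptoKeyId that the vSphere API records on the VM's config and on each virtual disk's backing, so it does not depend on the community module's Encrypted property. It assumes the VMware.PowerCLI module is loaded and a Connect-VIServer session already exists; the function name Get-VmdkEncryptionReport and the output column names are invented for this example.

```powershell
# Added example, not code from the thread or from VMware's VM Encryption module.
# Assumes VMware.PowerCLI is installed and Connect-VIServer has already been run.
# The function name Get-VmdkEncryptionReport is invented for this example.

function Get-VmdkEncryptionReport {
    [CmdletBinding()]
    param(
        # VM name or wildcard pattern; defaults to every VM in the connected inventory
        [string]$Name = '*'
    )

    foreach ($vm in Get-VM -Name $Name) {
        # The VM home (config files, NVRAM, swap) is encrypted when the config carries a
        # CryptoKeyId; this is what the "VM configuration files are encrypted" lock reflects
        $homeKey       = $vm.ExtensionData.Config.KeyId
        $homeEncrypted = ($null -ne $homeKey)
        $homeKeyId     = $null
        if ($homeEncrypted) { $homeKeyId = $homeKey.KeyId }

        foreach ($disk in Get-HardDisk -VM $vm) {
            # A virtual disk is encrypted independently of the VM home: the disk device's
            # backing (e.g. VirtualDiskFlatVer2BackingInfo) carries its own KeyId.
            # Not every backing type has the property, so look it up instead of dereferencing it.
            $backing = $disk.ExtensionData.Backing
            $keyProp = $backing.PSObject.Properties['KeyId']
            $diskKey = $null
            if ($keyProp) { $diskKey = $keyProp.Value }

            $diskKeyId  = $null
            $providerId = $null
            if ($null -ne $diskKey) {
                $diskKeyId  = $diskKey.KeyId
                $providerId = $diskKey.ProviderId.Id
            }

            # Storage policy applied to the disk (Get-SpbmEntityConfiguration lives in
            # VMware.VimAutomation.Storage); shown because an encryption storage policy is
            # what drives disk encryption, whereas a vTPM alone only gets the VM home encrypted
            $policy = $null
            $spbm = Get-SpbmEntityConfiguration -HardDisk $disk -ErrorAction SilentlyContinue
            if ($spbm -and $spbm.StoragePolicy) { $policy = $spbm.StoragePolicy.Name }

            [pscustomobject]@{
                VM              = $vm.Name
                VMHomeEncrypted = $homeEncrypted
                VMHomeKeyId     = $homeKeyId
                Disk            = $disk.Name
                Filename        = $disk.Filename
                StoragePolicy   = $policy
                DiskEncrypted   = ($null -ne $diskKey)
                DiskKeyId       = $diskKeyId
                KeyProviderId   = $providerId
            }
        }
    }
}

# Usage (after Connect-VIServer):
#   Get-VmdkEncryptionReport -Name 'Win11-Test*' | Format-Table -AutoSize
```

For the two test VMs described above, this would show VMHomeEncrypted as True for both (the vTPM requires it), while DiskEncrypted is True only for a disk whose backing actually carries a key; comparing the StoragePolicy column with the DiskEncrypted column is the quickest way to confirm whether the "VM Encryption Policy" was applied to the disk itself rather than only to the VM home.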