vSphere 6.5 – Backup and Restore encrypted VMs

vSphere 6.5 – Backup and Restore encrypted VMs

New encryption gives many possibilities but also make some impact to other tasks in our environment. Let’s consider backup implications – backup and restore of encrypted disks is possible with NBD and HotAdd transport, but SAN mode does not support encrypted virtual machine backup. No API change is involved – ESXi hosts encrypt by attaching an IO Filter. To back up encrypted virtual machines using HotAdd, the backup proxy must have been encrypted as well. The backup process requires “Cryptographer.DirectAccess” permission. Data on backup media will be not encrypted!



  • SAN Mode backups not supported (SAN has no visibility in to encrypted content)
  • No API changes to Backup products
  • When using HotAdd the Backup Proxy VM must be encrypted
  • Backup User must have “DirectAccess” permission
  • Backup data is not backed up encrypted
  • Not supported with VM Encryption
    • Suspend/Resume
    • Encrypting a VM with pre-existing snapshots
    • vSphere Replication
    • Serial/Parallel port
    • Content Library
  • Don’t encrypt your vCenter or PSC VM’s  -> Because You need vCenter to get the keys!!!

Leave a Reply

Your email address will not be published. Required fields are marked *