Workload: How To Encrypt the Appliance VM
search cancel

Workload: How To Encrypt the Appliance VM


Article ID: 286083


Updated On:


Carbon Black Cloud Workload


To encrypt the VMware Carbon Black Workload Appliance VM


  • Carbon Black Cloud Workload Appliance: All Supported Versions
  • vCenter Server: All Supported Versions


  1. Ensure prerequisites are met:
    • At least one vCenter Server
    • At least one ESX Server with enough storage
    • At least one KMPI 1.1 Compliant KMS Server
  2. Add KMS to vCenter Server:
    1. Navigate to Configure > Security > Key Providers
    2. Click "Add Standard Key Provider" add add the server address/port number
    3. Enable trust between KMS and vCenter:
  3. Confirm ESX host has encryption mode enabled under Configure > System > Security Profile
  4. Power the Carbon Black Workload Appliance off
  5. Encrypt the VM by navigating to Configure > Policies > select "VM Encryption Policy"
  6. On the Appliance VM "Summary" tab, there should now be a lock logo next to the Linux logo
  7. Power the Appliance back on

Additional Information

  • After encrypting the appliance VM, any attempts to migrate VM to another VC (Which does not have KMS cluster Authentication) will error. Only migrations of this VM to another ESX under same VC (or VC with same kms authentication) it will migrate.
  • To encrypt any new appliances, select "Encrypt this Virtual Machine" while deploying the OVF Template. This option will be on the "Select Storage" section.
  • If error "Storage profile is only supported when the target resource pool is backed by a cluster." is presented while creating newly encrypted appliance VM, move the ESXI host under existing cluster, or create a new cluster in VC.
  • If error "The VMware vSphere with Operation Management 6 Enterprise license for Host “” does not include “Vsphere VM Encryption”. Upgrade the license." is presented, you will need to upgrade your license to resolve this.
  • For further assistance please contact VMware Support