Unable to clone VM from encrypted template due to missing Cryptographic privileges

Article ID: 427090


Products

VMware vCenter Server

Issue/Introduction

  • When a custom user attempts to clone a Virtual Machine from an encrypted template, the operation fails immediately with the following error: Permission to perform this operation was denied. You do not hold privileges "virtual machine vm-#### : [Cryptographic operations > Clone]"
  • The failure often occurs during the "Apply Storage DRS recommendations" phase of the task. Cloning non-encrypted VMs works without any issue.
  • The following error is thrown under Tasks on the vCenter Server:

Environment

VMware vCenter Server

Cause

The Clone Template privilege under the 'Virtual Machine' section is insufficient to clone an encrypted template. The Role assigned to the user must explicitly include the Cryptographic operations privileges needed to decrypt the source data and re-encrypt it at the destination.

Resolution

To resolve this issue, update the Role assigned to the affected user to include the specific cryptographic privileges required for this operation.

  1. Log in to the vSphere Client as an Administrator. 
  2. Navigate to Administration > Access Control > Roles.
  3. Select the Role currently assigned to the user encountering the error.
  4. Click Edit Role privileges.
  5. Navigate to the Cryptographic operations category.
  6. Select and enable the following privileges:
    • Cryptographic operations > Clone
    • Cryptographic operations > Encrypt
    • Cryptographic operations > Decrypt
    • Cryptographic operations > Recrypt
    • Note: If the host encryption mode is not explicitly 'Enabled', you must also select Cryptographic operations > Register host.
  7. Click Save.
  8. Try cloning the VM again with the same custom user. 
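
The same role change scripted with PowerCLI, as an added example that is not part of the original article: it adds only the privileges the role is missing and first lists every principal that holds the role, since the new privileges apply to all of them. The server name and role name are placeholders, and the `Cryptographer.*` strings are the API IDs of the Cryptographic operations privileges listed in step 6.

```powershell
# Added example, not from the original article.
# Requires the VMware PowerCLI module and an administrator account.
$Server   = 'vcenter.example.com'   # placeholder vCenter address
$RoleName = 'Template-Cloners'      # hypothetical custom role name

# API IDs of the privileges listed in step 6.
$Required = @('Cryptographer.Clone', 'Cryptographer.Encrypt',
              'Cryptographer.Decrypt', 'Cryptographer.Recrypt')

# Set to $true only when host encryption mode is not 'Enabled' (note in step 6).
$IncludeRegisterHost = $false
if ($IncludeRegisterHost) { $Required += 'Cryptographer.RegisterHost' }

Connect-VIServer -Server $Server | Out-Null

$role = Get-VIRole -Name $RoleName -ErrorAction Stop
if ($role.IsSystem) { throw "Role '$RoleName' is a system role and cannot be edited." }

# Every user or group holding this role gains the new privileges,
# so review the assignments before changing anything.
Get-VIPermission | Where-Object { $_.Role -eq $RoleName } |
    Select-Object Principal, IsGroup, Entity, Propagate |
    Format-Table -AutoSize | Out-String | Write-Host

# Add only what is missing, leaving the rest of the role untouched.
$missing = @($Required | Where-Object { $role.PrivilegeList -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Host "Role '$RoleName' already holds all required privileges."
} else {
    Write-Host "Adding: $($missing -join ', ')"
    $privs = Get-VIPrivilege -Id $missing
    Set-VIRole -Role $role -AddPrivilege $privs -Confirm:$false | Out-Null
}

# Re-read the role and confirm each required privilege is now present.
$after = (Get-VIRole -Name $RoleName).PrivilegeList
foreach ($id in $Required) {
    '{0,-28} present={1}' -f $id, ($after -contains $id)
}

Disconnect-VIServer -Server $Server -Confirm:$false
```

If the role is shared with users who should not handle encrypted VMs, clone it to a dedicated role and assign that to the affected user instead of widening the shared one.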

Additional Information

Clone an Encrypted Virtual Machine