How to backup / restore encrypted VMs in vSphere 6.5

Update – 5/25/17 – it has taken me longer than I had hoped but I have figured this out, and in fact have written a Veeam technical white paper on it.  When I am done and things are good – and the paper published – I will ‘mark’ myself done below.


Hi all,

This is something I have been thinking on for a while.  And I have talked to a lot of people about it.  I think I know how it works and I am going to write it down here.  I will update this as I get to test things.  Any comments or corrections or suggestions welcome.

Note: vSphere 6.5 came out Tuesday November 15, and Veeam B&R 9.5 came out Wednesday November 16.  Both are releases that started small, and ended up big.  Veeam is working hard to support vSphere 6.5 but with the number of new things in it – that you can see and you cannot see – it will take us a bit.  Officially it is 30 – 60 days – but really I can say it will take as long as it needs plus about 2 days.

How to backup an Encrypted VM

  • You will likely need to upgrade your backup software to a version that supports vSphere 6.5.
  • You will need to have your software inside a VM, and that VM will need to be encrypted.
  • The account that your software runs on, or talks to vCenter with, needs to have an extra right / permission.  This is on top of what they normally need. This right is Cryptographer.DirectAccess.  As I start testing this I will add screen shots.
  • This will allow the backup software to backup the encrypted VM but it will NOT be encrypted after the backup.
  • The backup software should likely encrypt the VM as it is backed up.
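
A pre-flight check for the two vSphere-side prerequisites above (an encrypted backup VM and the extra privilege on the backup account), added here as an example and not part of the original post. It assumes PowerCLI with an open Connect-VIServer session; the function name and the values passed to it are hypothetical, and the privilege name is taken as the post gives it.

```powershell
# Added example: checks the backup prerequisites listed above.
# Assumes PowerCLI 6.5+ and an existing Connect-VIServer session.
function Test-EncryptedBackupPrereqs {
    param(
        # Account the backup software uses to talk to vCenter
        [Parameter(Mandatory)] [string] $Principal,
        # VM that runs the backup software
        [Parameter(Mandatory)] [string] $BackupVmName,
        # Privilege name as the post gives it; confirm the ID your vCenter
        # reports with: Get-VIPrivilege | Where-Object Id -like 'Cryptographer.*'
        [string] $PrivilegeId = 'Cryptographer.DirectAccess'
    )

    # Prerequisite: the VM running the backup software is itself encrypted.
    # An encrypted VM carries a key reference in Config.KeyId.
    $vm = Get-VM -Name $BackupVmName -ErrorAction Stop
    $vmEncrypted = $null -ne $vm.ExtensionData.Config.KeyId

    # Prerequisite: a role assigned to the account carries the extra privilege.
    # Collect every Cryptographer.* privilege so over-granting is visible too.
    $roleNames = @(Get-VIPermission |
        Where-Object { $_.Principal -eq $Principal } |
        Select-Object -ExpandProperty Role -Unique)
    $cryptoPrivs = @(foreach ($name in $roleNames) {
        (Get-VIRole -Name $name).PrivilegeList |
            Where-Object { $_ -like 'Cryptographer.*' }
    }) | Sort-Object -Unique
    $hasPrivilege = $cryptoPrivs -contains $PrivilegeId

    [pscustomobject]@{
        Principal         = $Principal
        BackupVm          = $BackupVmName
        BackupVmEncrypted = $vmEncrypted
        RolesAssigned     = $roleNames
        CryptoPrivileges  = $cryptoPrivs
        HasPrivilege      = $hasPrivilege
        Ready             = $vmEncrypted -and $hasPrivilege
    }
}

# Hypothetical account and VM names:
# Test-EncryptedBackupPrereqs -Principal 'LAB\svc-backup' -BackupVmName 'backup01'
```

The CryptoPrivileges column also shows whether the backup account holds more cryptographic privileges than this one right, which is worth trimming since the account can read encrypted VMs in the clear.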

How to restore a complete encrypted VM

  • You will need to have the steps above complete!
  • You will restore your VM, and as that is done the backup software's encryption will be removed.  As part of the restore you will select a policy that is the encryption policy – if that is appropriate.  So the encrypted backup will be decrypted as it comes out of the backup and encrypted again (by vSphere) as it is written.

I believe this is correct, but I need to test it.  There are some other questions too:

  • How will a restore work – or will it work, if the VM being restored is already in the vSphere 6.5 world?  Before 6.5 this was common and it means the restore was faster since some of the bits are there.  I think that this may not work?  Workaround will be easy if so – delete the existing VM and restore. Update: Correct, will not work.
  • Will restore a file to an encrypted VM work?  Think not, but you never know.
  • Will restore a file to anywhere work?  Think not, but you never know.
  • Instant restore a VM – will it work?  Not sure.

With what I see in the world today – it is very good that VMware has provided us customers with a very nice option for encrypting the VMs. I am very impressed with the architecture and functionality, but now I need to see how backups and restores work!

Here is an article that is a good collection of vSphere 6.5 security articles / info and I am told it will be updated as time goes on – thanks Mike. vSphere 6.5 doesn’t just have encryption but Secure Boot, and actionable log messages too so it is a big security release for sure.

I will update this document as I learn more, and feel free to ask questions or comment.


  • 5/25/17 – it has taken me longer than I had hoped but I have figured this out, and in fact have written a Veeam technical white paper on it.  When I am done and things are good – and the paper published – I will ‘mark’ myself seeing what I guessed as right.
  • 2/1/17 – I have upgraded my lab to vSphere 6.5, and am working on testing this article out.  However, I have hit an issue with one of my servers.  It is a Dell R710 and it is not supported for VM Encryption so that makes it hard to test the backup of encrypted VMs out since it is part of my cluster.  In fact I have a few of them!  Anyone want to buy one?  I am building out my work lab next week and will finish off testing at that time.  In fact, I will have suggestions to make this better and some very useful info.
  • 12/18/16 – if you want to enable or work with VM encryption using PowerCLI this article will help.
  • 11/24/16 – saw this article that looks at encrypted VM performance and it is quite interesting too.  Good info on performance but also quite good on background info.
  • 11/19/16 – added link for video on encrypting disks, and this one on setting up a KMS.
  • 11/18/16 – updated for the restore over encrypted not working.  Thanks Mike!


=== END ===

3 thoughts on “How to backup / restore encrypted VMs in vSphere 6.5”

  1. Hey Michael, I know you wrote this article some time back and I’ve also looked at your white paper ‘Nothing in the clear’, but I was wondering something with regards to Restore of Files from the Guest OS and I’ve been struggling to find clear information on this.

    I know the Veeam capability on restore of files, but when you are dealing with an encrypted VM, is it still possible to restore a file from the guest OS (even with the latest version of Veeam v10), and how is this achieved if it is possible?

    Theory dictates this should not be doable, due to the potential of a malicious user gaining access to data and managing to extract that data, but nowhere have I seen that a limitation of Encrypted VMs on VMware (6.5 or later) is not being able to restore files, unless this is an implied limitation obviously.

    Just trying to understand more and understand the process through Veeam. Be interested in hearing from an expert.

    1. Hello Paul,

      I do not have a lab any longer, so I cannot test this. So I am not really an expert any longer. I think that the way things are done that it should be possible to restore files from the backup. But I cannot test to confirm. I apologize for this. I think maybe you should talk with Veeam support.

      I am sorry I am not more help.

