How to automate VM disk encryption with PowerCLI

A few days ago I wrote an article about disk encryption; you can read it by clicking on this link. This is a nice and easy method if we have one or two virtual machines to encrypt, but what do we do if we have 10, 100 or more of them?

With a large number of VMs, we can automate the process. Let’s have a look at how to approach this.


  • The vCenter server must be configured and connected to the KMS server. Please refer to this article: How to connect vCenter with external KMS
  • ESXi servers that will run encrypted VMs must be allowed to communicate with the KMS server over TCP.
  • Create an encryption storage policy or use the bundled sample, VM Encryption Policy.
  • Downtime is required: the VM must be powered off.


  1. Download the scripts (all of them)
  2. Prepare a CSV file with input as follows:
    • Option A – use the “vms” header and provide a list of VMs. The script will loop through the list and, for each VM, shut it down, encrypt its disks, power it on and proceed to the next VM in the CSV.
    • Option B – use the “hosts” header and provide a list of ESXi hosts. The script will retrieve the list of VMs on each ESXi host in the CSV and, as above, loop through them: shut down the VM, encrypt its disks, power it on and proceed to the next VM on that host. Once all VMs on an ESXi host are encrypted, it will proceed to the next ESXi host in the CSV.
  3. Open PowerShell ISE
    • Change path to the folder where the scripts were downloaded
  4. Run the encrypt-vm.ps1 script:
    • provide the path to the CSV file
    • enter the vCenter server name

NOTE: The script will execute Disconnect-VIServer to make sure there are no duplicated sessions. If you were not connected to the vCenter server you will see an error message. You can ignore that message.

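NOTE: If you haven’t used PowerShell with the PowerCLI module for vSphere management before, configure the runtime environment as follows. Be aware that -InvalidCertificateAction Ignore makes PowerCLI accept untrusted vCenter certificates without warning; if your vCenter presents a certificate your workstation trusts, set it to Fail or Warn instead: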

Set-PowerCLIConfiguration -DefaultVIServerMode Multiple -InvalidCertificateAction Ignore -ParticipateInCeip:$false -Scope User -Confirm:$false

NOTE: All VMs or ESXi hosts included in a CSV file must exist in the inventory of a single vCenter server. If VMs or ESXi hosts from several vCenter servers need to be encrypted, create a separate CSV file for each vCenter server and execute the script once per CSV.


You need to download all files from the GitHub repository. Make sure the files are in the same folder, or change the path in line 20:

Import-Module -Name .\vmware.vmencryption.psd1

I used the default VMware policy for encryption, called VM Encryption Policy. If you are using your own policy, you need to change it in line 103:

$EncryptionPolicy = Get-SpbmStoragePolicy -name "POLICY_NAME_HERE_or_DEFAULT_ONE"

In lines 111 and 122 you need to provide your KMS cluster ID:

Get-VM $v | Enable-VMEncryption -policy $EncryptionPolicy -KMSClusterId "KMS_ID"

If you do not know how to connect to KMS, please read this article: How to connect vCenter with external KMS

NOTE: To use Get-SpbmStoragePolicy you need to update PowerCLI to version 12.4. See: How to upgrade PowerCLI in PowerShell
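
The Option A loop described above (shut down, encrypt, power on), as an added sketch that is not the author's encrypt-vm.ps1. It assumes you are already connected with Connect-VIServer and have imported the vmware.vmencryption module; the parameter names, the shutdown timeout and the key ID check after encryption are assumptions of this example.

```powershell
# Added sketch of the Option A loop; NOT the author's encrypt-vm.ps1.
# Assumes: Connect-VIServer already done, vmware.vmencryption module imported,
# and a CSV whose first line is "vms", followed by one VM name per line.
param(
    [Parameter(Mandatory)] [string] $CsvPath,
    [Parameter(Mandatory)] [string] $KmsClusterId,
    [string] $PolicyName = 'VM Encryption Policy',
    [int]    $ShutdownTimeoutSec = 600   # assumed limit for a clean guest shutdown
)

$rows = @(Import-Csv -Path $CsvPath)
if ($rows.Count -eq 0 -or $rows[0].PSObject.Properties.Name -notcontains 'vms') {
    throw "CSV '$CsvPath' needs a 'vms' header and at least one row."
}
$policy = Get-SpbmStoragePolicy -Name $PolicyName -ErrorAction Stop

$results = foreach ($name in $rows.vms) {
    $status = 'Encrypted'
    try {
        $vm = Get-VM -Name $name -ErrorAction Stop
        $wasOn = $vm.PowerState -eq 'PoweredOn'
        if ($vm.ExtensionData.Config.KeyId) {
            $status = 'AlreadyEncrypted'      # VM config already carries a key ID; skip it
        } else {
            if ($wasOn) {
                # Clean guest shutdown (needs VMware Tools), then wait for power-off.
                Stop-VMGuest -VM $vm -Confirm:$false -ErrorAction Stop | Out-Null
                $deadline = (Get-Date).AddSeconds($ShutdownTimeoutSec)
                while ((Get-VM -Name $name).PowerState -ne 'PoweredOff') {
                    if ((Get-Date) -gt $deadline) { throw 'guest shutdown timed out' }
                    Start-Sleep -Seconds 10
                }
            }
            Get-VM -Name $name | Enable-VMEncryption -Policy $policy -KMSClusterId $KmsClusterId
            # Do not rely on the absence of an error: confirm a key ID is now set.
            if (-not (Get-VM -Name $name).ExtensionData.Config.KeyId) {
                throw 'no key ID on the VM after Enable-VMEncryption'
            }
            if ($wasOn) { Start-VM -VM $name -Confirm:$false | Out-Null }
        }
    } catch {
        $status = "Failed: $($_.Exception.Message)"   # VM is left as-is for review
    }
    [pscustomobject]@{ VM = $name; Status = $status }
}
$results | Format-Table -AutoSize
```

A VM reported as Failed is deliberately not powered back on, so you can check its state and the KMS connection before retrying.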

If you want to chat with me please use Twitter: @AngrySysOps