VMware Workstation encryption prevents unauthorized VM access

VMware Workstation encryption helps you protect information on VMs from unauthorized users. Learn how -- and when -- to encrypt virtual machines.

VMware Workstation's encryption feature can protect sensitive data from unauthorized users. Get familiar with your options under Workstation's Access Control virtual machine settings for encryption as well as restriction.

Encryption protects the contents of a virtual machine (VM), while restriction limits how much users can modify the VM. In a production environment, you don't want VMs to boot up without the appropriate password, because unauthorized users could obtain sensitive data.

VM Access Control in VMware Workstation
Figure 1. The VMware Workstation Access Control link is how you'll change the encryption and restriction options for a VM.

Users enter a decryption password to access an encrypted VM. Without the decryption password, the VM's VMDK files are scrambled and inaccessible. VMware Workstation encryption goes beyond a boot password on physical computing hardware. With a physical computer, you can simply take out the hard drive and install it somewhere else to gain access to the contents.

How to create an encrypted virtual machine

You can only encrypt a VM once it finishes installation. Once the VM is installed, shut it down, then select it from the VMware Workstation main interface. Click "Edit virtual machine settings" and open the Options tab. In the list of available options, you'll see "Access Control" with all options disabled (see Figure 1).

Locked and loaded: Enhance VM security

Memorize VM security best practices

Never let these five VMware breaches happen

Become a vShield expert

Secure VMs like servers

Learn about View security

Click "Encrypt" and enter an encryption password (you'll have to enter it twice). Depending on the VM size and host machine's processing power, this encryption process may take a long time -- up to hours on large configurations. Once encryption wraps up, you'll enter the password again before booting up the virtual machine.

At some point, you may want to remove encryption from a VM, such as when moving a VM from Workstation to vSphere. A VM created in the relatively unsecure personal workstation environment can be encrypted, then decrypted for use in the protected vSphere data center environment. VMware does not support uploading encrypted VMs to a remote server, so encryption must be removed before that VM moves to vSphere. You'll need to remove encryption to share the VM with other users, since the encryption algorithm incorporates the local computer's information. Multiple computers cannot share access to an encrypted VM.

Making encryption changes to a Workstation VM
Figure 2. This is how to remove encryption from a VM or change the encryption password in Workstation.

You can remove encryption as easily as adding it. In the VM properties, click "Edit virtual machine settings." Enter the password and deselect the encryption option to remove encryption from the VM completely. This same interface is where you can change the encryption password.

Some administrators might expect encryption to have a detrimental impact on VM performance, but this is not the case. At the moment when you unlock the VM, the encryption key activates additional calculations. Once opened, however, the VM's contents are accessible like on any normal machine.

While VMware Workstation encryption helps to better protect virtual machines, there are some risks and limitations involved. If you lose the password, for example, you cannot access the encrypted VM or its contents. Encrypting VMs also prevents work in shared environments, including uploads from Workstation to vSphere and multiuser access situations within Workstation.

Dig Deeper on VMware ESXi, vSphere and vCenter

Virtual Desktop
Data Center
Cloud Computing