Encrypted VMs are backed up in the same way as standard VMs, with the only difference being that the backed-up disk data is default in ciphertext.

Supported in SCP & HCI 6.11.3 and later: Configure the disk data read from encrypted virtual machines to be plaintext.

• HotAdd mode:

When hot-adding a VM system disk via the SCP OpenAPI:

PUT /janus/20250725/servers/{server_id}Set disks.data_plaintext = 1 to indicate the read disk data is plaintext.

• NBD mode (including NBDSSL):

When opening a VM system disk using sfvddk via sfdisklib_open,the flags parameter must include SFDISKLIB_FLAG_DATA_PLAINTEXT to indicate the read disk data is plaintext.

Decryption and re‑encryption can be performed on encrypted VMs in SCP, which will definitely change the VM’s encryption key.If backup data is ciphertext, data backed up before the key change cannot be booted after restoration.In SCP & HCI 6.11.3 and later, key changes can be identified by backing up the key fingerprint of the encrypted VM:

SCP:GET /janus/20240725/servers/{server_id}/snapshots/{id}

The field crypto_fingerprint in vmconf.advanced_option is the key fingerprint.