
Encrypt files inside VMFS


Yes, I know facets of encryption-inside-VMware have been discussed here many times, but I think my request/idea differs a little from many other requests, so if you lend me your ear for a moment...

 

Let's say, for example, I have a security-sensitive VM that only needs to be powered on for a couple hours every once in a while, maybe twice a year, for example. All the rest of the year when that VM is powered down, I need to protect its contents even from other vCenter admins. One option is that I would have to SCP the VMDK(s) out of the VMFS storage and keep it secured/encrypted on another external system when not in use, and re-copy and reconfigure every time I need to boot it up.

 

But my idea & question is: is there a way I could leave the VMDK(s) in place, inside our VMFS on highly-redundant SAN, but encrypt those files in-place (e.g. with TrueCrypt, PGP, or the like) when not actively in use? Thus, anytime I needed to boot the VM I would first have to decrypt the VMDK(s), but after shutting down the VM and re-encrypting the files, they are still backed up (in encrypted form), HA/DR-ready, and all that.

 

It seems this might have been easier in the days of the "thick" hypervisor, when it might have been possible to compile TrueCrypt inside ESX. Now with ESXi, maybe it's only possible to mount the VMFS LUN from an external system and encrypt or decrypt from there.

 

I suppose another question is then if ESX or vCenter would try to access the VMDK in its offline state and choke on the unreadable encrypted file... in which case I would probably still have to remove the VM's configuration after each use and reconfigure (or re-import the VMX) every time the VM needs to power on again, which loses some of the benefits of leaving the file in the VMFS.

 

Your thoughts?

