Encrypting a VM can be done either using or the VBoxManage. To encrypt an unencrypted VM with VBoxManage, use:

VBoxManage encryptvm uuid|vmname setencryption --new-password filename|- \
--cipher cipher-ID --new-password-id ID
                  

To supply the encryption password, point VBoxManage to the file where the password is stored or specify - to let VBoxManage prompt for the password on the command line.

The cipher parameter specifies the cipher to use for encryption and can be either AES-128 or AES-256. The appropriate mode of operation, such as GCM, CTR, or XTS will be selected by the VM depending on the encrypting component. The specified password identifier can be freely chosen by the user and is used for correct identification when supplying multiple passwords for the VM.