diff --git a/api/v1alpha3/virtualmachine_types.go b/api/v1alpha3/virtualmachine_types.go
index 502b331db..a5a2a765f 100644
--- a/api/v1alpha3/virtualmachine_types.go
+++ b/api/v1alpha3/virtualmachine_types.go
@@ -344,6 +344,9 @@ type VirtualMachineCryptoSpec struct {
 // If the underlying vSphere platform does not have a default key provider,
 // then this field is required when specifying an encryption storage class
 // and/or a VM Class with a vTPM.
+ //
+ // If this field is set, spec.storageClass must use an encryption-enabled
+ // storage class.
 EncryptionClassName string `json:"encryptionClassName,omitempty"`
 
 // +optional
diff --git a/config/crd/bases/vmoperator.vmware.com_virtualmachinereplicasets.yaml b/config/crd/bases/vmoperator.vmware.com_virtualmachinereplicasets.yaml
index 6716ec3ec..ddb13cc62 100644
--- a/config/crd/bases/vmoperator.vmware.com_virtualmachinereplicasets.yaml
+++ b/config/crd/bases/vmoperator.vmware.com_virtualmachinereplicasets.yaml
@@ -1034,6 +1034,9 @@ spec:
 If the underlying vSphere platform does not have a default key provider,
 then this field is required when specifying an encryption storage class
 and/or a VM Class with a vTPM.
+
+ If this field is set, spec.storageClass must use an encryption-enabled
+ storage class.
 type: string
 useDefaultKeyProvider:
 default: true
diff --git a/config/crd/bases/vmoperator.vmware.com_virtualmachines.yaml b/config/crd/bases/vmoperator.vmware.com_virtualmachines.yaml
index 7778c7113..18e1b75d4 100644
--- a/config/crd/bases/vmoperator.vmware.com_virtualmachines.yaml
+++ b/config/crd/bases/vmoperator.vmware.com_virtualmachines.yaml
@@ -3818,6 +3818,9 @@ spec:
 If the underlying vSphere platform does not have a default key provider,
 then this field is required when specifying an encryption storage class
 and/or a VM Class with a vTPM.
+
+ If this field is set, spec.storageClass must use an encryption-enabled
+ storage class.
 type: string
 useDefaultKeyProvider:
 default: true
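Review bot: The new sentence in the EncryptionClassName doc comment says spec.storageClass "must" be encryption-enabled but does not say whether a violation is rejected at admission or only surfaces later during reconciliation, and that distinction matters to anyone treating "encryption class set implies encrypted disks" as a security invariant. The validator hunk in this same change appears to report the mismatch as `field.Invalid` on the encryptionClassName path, so the comment could say so directly, e.g. `// If this field is set, spec.storageClass must use an encryption-enabled` / `// storage class; otherwise the VirtualMachine is rejected by the validating` / `// webhook, with the error reported on this field.` Because the CRD descriptions and the API reference are generated from this comment, only the Go comment needs the wording change and the generated files should be regenerated rather than hand-edited. The enclosing VirtualMachineCryptoSpec struct starts and ends outside the hunk.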
diff --git a/docs/ref/api/v1alpha3.md b/docs/ref/api/v1alpha3.md index 620ee59d3..b892f9dfc 100644 --- a/docs/ref/api/v1alpha3.md +++ b/docs/ref/api/v1alpha3.md @@ -826,7 +826,10 @@ minus any virtual disks, will be encrypted. If the underlying vSphere platform does not have a default key provider, then this field is required when specifying an encryption storage class -and/or a VM Class with a vTPM. | +and/or a VM Class with a vTPM. + +If this field is set, spec.storageClass must use an encryption-enabled +storage class. | | `useDefaultKeyProvider` _boolean_ | UseDefaultKeyProvider describes the desired behavior for when an explicit EncryptionClass is not provided. diff --git a/webhooks/virtualmachine/validation/virtualmachine_validator.go b/webhooks/virtualmachine/validation/virtualmachine_validator.go index 1260ef1bb..4203ce0a6 100644 --- a/webhooks/virtualmachine/validation/virtualmachine_validator.go +++ b/webhooks/virtualmachine/validation/virtualmachine_validator.go @@ -514,6 +514,9 @@ func (v validator) validateCrypto( allErrs = append(allErrs, field.InternalError(encClassNamePath, err)) } else if !ok { + // Return an error on the "vm.Spec.Crypto.EncryptionClassName" path + // instead of "vm.Spec.StorageClass" because the storage class is + // invalid due to the user's choice of encryption class name. allErrs = append(allErrs, field.Invalid( encClassNamePath, vm.Spec.Crypto.EncryptionClassName,