Authenticating a user to access a virtual machine (VM) stored on a client computing device includes receiving user authentication credentials associated with a certificate, such as a PIN associated with a certificate housed on a smart card. The certificate is associated with a public key and a private key. The technique includes encrypting the VM to be decrypted with an unlock code, and generating a challenge string by encrypting the unlock code using the public key associated with the certificate. The challenge string is a result of encrypting of the unlock code, and the unlock code can be obtained by decrypting the challenge string using the private key. The technique further includes decrypting the challenge string using the private key to retrieve an unlock code associated with the VM, decrypting the VM with the unlock code, and causing the decrypted VM to be executed on the client computing device.