What Is Encrypted vSphere vMotion (2024)

Encrypted vSphere vMotion secures confidentiality, integrity, and authenticity of data that is transferred with vSphere vMotion. vSphere supports encrypted vMotion of unencrypted and encrypted virtual machines across vCenter Server instances.

vSphere vMotion always uses encryption when migrating encrypted virtual machines. For virtual machines that are not encrypted, you can select one of the encrypted vSphere vMotion options.

What Is Encrypted in Encrypted vSphere vMotion

For encrypted disks, the data is transmitted encrypted in all cases. For unencrypted disks, the following applies:

  • If disk data is transferred within a host, that is, you change only the datastore and not the host, the transfer is unencrypted.
  • If disk data is transferred between hosts and encrypted vMotion is used, the transfer is encrypted. If encrypted vMotion is not used, the transfer is unencrypted.

For virtual machines that are encrypted, migration with vSphere vMotion always uses encrypted vSphere vMotion. You cannot turn off encrypted vSphere vMotion for encrypted virtual machines.

Encrypted vSphere vMotion States for Unencrypted Virtual Machines

For virtual machines that are not encrypted, you can set encrypted vSphere vMotion to one of the following states. The default is Opportunistic.

  • Disabled: Do not use encrypted vSphere vMotion.
  • Opportunistic: Use encrypted vSphere vMotion if the source and the destination hosts support it. Only ESXi hosts of version 6.5 and later support encrypted vSphere vMotion.
  • Required: Allow only encrypted vSphere vMotion. If the source or the destination host does not support encrypted vSphere vMotion, migration with vSphere vMotion is not allowed.

When you encrypt a virtual machine, the virtual machine keeps a record of the current encrypted vSphere vMotion setting. If you later deactivate encryption for the virtual machine, the encrypted vMotion setting remains at Required until you change the setting explicitly. You can change the settings using Edit Settings.
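The three states above, evaluated over a planned set of host-to-host migrations to show which ones would run without encryption. This is an added example, not VMware code: the PlannedMigration record, the outcome and audit functions, and the sample VM names and versions are all hypothetical.

```python
from dataclasses import dataclass

MIN_ESXI = (6, 5)  # per the page: only ESXi 6.5 and later support encrypted vMotion

@dataclass
class PlannedMigration:          # hypothetical record, not a vSphere API type
    vm: str
    vm_encrypted: bool
    state: str                   # "disabled", "opportunistic" or "required"
    src_esxi: tuple              # (major, minor) of the source host
    dst_esxi: tuple              # (major, minor) of the destination host

def outcome(m: PlannedMigration) -> str:
    """Return 'encrypted', 'cleartext' or 'blocked' for a host-to-host vMotion."""
    if m.state not in ("disabled", "opportunistic", "required"):
        raise ValueError(f"unknown encrypted vMotion state: {m.state!r}")
    both_support = min(m.src_esxi, m.dst_esxi) >= MIN_ESXI
    # Encrypted VMs always use encrypted vMotion, so the stored state is ignored
    # and the VM is treated here as if it were Required (assumption of this model).
    state = "required" if m.vm_encrypted else m.state
    if state == "required":
        return "encrypted" if both_support else "blocked"
    if state == "opportunistic":
        return "encrypted" if both_support else "cleartext"   # silent fallback
    return "cleartext"                                        # disabled

def audit(plan):
    """Map each VM name to the outcome of its planned migration."""
    return {m.vm: outcome(m) for m in plan}

# Constructed sample plan (names and versions are made up for illustration).
PLAN = [
    PlannedMigration("db01", True, "required", (7, 0), (8, 0)),
    PlannedMigration("web01", False, "opportunistic", (7, 0), (8, 0)),
    PlannedMigration("legacy01", False, "opportunistic", (6, 0), (7, 0)),
    PlannedMigration("test01", False, "disabled", (8, 0), (8, 0)),
    # Encryption was deactivated earlier, so the setting stayed at Required.
    PlannedMigration("exenc01", False, "required", (6, 0), (7, 0)),
]

if __name__ == "__main__":
    for vm, result in audit(PLAN).items():
        print(f"{vm:10} {result}")
```

The default Opportunistic state is the one to watch in an audit: it never blocks a migration, so a host that does not support encrypted vMotion results in an unencrypted transfer rather than an error.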

Note: Currently, you must use the vSphere APIs to migrate or clone encrypted virtual machines across vCenter Server instances. See vSphere Web Services SDK Programming Guide and vSphere Web Services API Reference.

Migrating or Cloning Encrypted Virtual Machines Across vCenter Server Instances

vSphere vMotion supports migrating and cloning encrypted virtual machines across vCenter Server instances.

When migrating or cloning encrypted virtual machines across vCenter Server instances, the source and destination vCenter Server instances must be configured to share the key provider that was used to encrypt the virtual machine. In addition, the key provider name must be the same on both the source and destination vCenter Server instances and have the following characteristics:

  • Standard key provider: The same key server (or key servers) must be in the key provider.
  • Trusted key provider: The same vSphere Trust Authority service must be configured on the destination host.
  • vSphere Native Key Provider: Must have the same KDK.

    Note: You cannot clone or migrate an encrypted virtual machine using vSphere Native Key Provider to a standalone host, even if the source host resides in a cluster.

The destination vCenter Server ensures that the destination ESXi host has encryption mode set, so that the host is cryptographically "safe."

The following privileges are required when using vSphere vMotion to migrate or clone an encrypted virtual machine across vCenter Server instances.

  • Migrating: Cryptographic operations.Migrate on the virtual machine
  • Cloning: Cryptographic operations.Clone on the virtual machine

Also, the destination vCenter Server must have the Cryptographic operations.EncryptNew privilege. If the destination ESXi host is not in "safe" mode, the Cryptographic operations.RegisterHost privilege must also be on the destination vCenter Server.

Certain tasks are not allowed when migrating virtual machines (non-encrypted or encrypted), either on the same vCenter Server or across vCenter Server instances.

  • You cannot change the VM Storage Policy.
  • You cannot perform a key change.

Note: You can change the VM Storage Policy while cloning virtual machines.

Minimum Requirements for Migrating or Cloning Encrypted Virtual Machines Across vCenter Server Instances

The minimum version requirements for migrating or cloning standard key provider encrypted virtual machines across vCenter Server instances using vSphere vMotion are:

  • Both the source and destination vCenter Server instances must be on version 7.0 or later.
  • Both the source and destination ESXi hosts must be on version 6.7 or later.

The minimum version requirements for migrating or cloning trusted key provider encrypted virtual machines across vCenter Server instances using vSphere vMotion are:

  • The vSphere Trust Authority service must be configured for the destination host and the destination host must be attested.
  • Encryption cannot change on migration. For example, an unencrypted disk cannot be encrypted while the virtual machine is migrated to the new storage.
  • You can migrate a standard encrypted virtual machine onto a Trusted Host. The key provider name must be the same on both the source and destination vCenter Server instances.
  • You cannot migrate a vSphere Trust Authority encrypted virtual machine onto a non-Trusted Host.
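The key provider, version and privilege requirements listed above can be collected into one pre-flight check that reports every unmet condition before a cross-vCenter migration or clone is attempted. This is an added example, not VMware code: the Side record, its fields, the preflight function and the sample values are hypothetical, and the KDK is represented by a placeholder label.

```python
from dataclasses import dataclass

@dataclass
class Side:                      # hypothetical record for one end of the move
    vcenter: tuple               # vCenter Server version, e.g. (7, 0)
    esxi: tuple                  # ESXi host version, e.g. (6, 7)
    provider_name: str
    provider_type: str           # "standard", "trusted" or "native"
    key_servers: frozenset = frozenset()
    kdk_id: str = ""             # placeholder label for the Native Key Provider KDK
    attested: bool = False       # Trust Authority configured and host attested
    standalone: bool = False
    safe_mode: bool = True       # host encryption mode already set
    vc_privileges: frozenset = frozenset()

P = "Cryptographic operations."  # privilege names as the page writes them

def preflight(src, dst, vm_privileges, operation="Migrate"):
    """Return unmet requirements; an empty list means none were found."""
    bad = []
    if src.provider_name != dst.provider_name:
        bad.append("key provider name differs")
    if src.provider_type == "standard":
        if src.key_servers != dst.key_servers:
            bad.append("key servers differ")
        if min(src.vcenter, dst.vcenter) < (7, 0):
            bad.append("vCenter Server older than 7.0")
        if min(src.esxi, dst.esxi) < (6, 7):
            bad.append("ESXi older than 6.7")
    elif src.provider_type == "trusted":
        if not dst.attested:
            bad.append("destination host not attested")
    elif src.provider_type == "native":
        if src.kdk_id != dst.kdk_id:
            bad.append("KDK differs")
        if dst.standalone:
            bad.append("destination is a standalone host")
    else:
        raise ValueError(f"unknown provider type: {src.provider_type!r}")
    needed = {P + "EncryptNew"} | (set() if dst.safe_mode else {P + "RegisterHost"})
    bad += [f"destination vCenter Server lacks {p}" for p in sorted(needed - dst.vc_privileges)]
    if P + operation not in vm_privileges:
        bad.append(f"missing {P}{operation} on the virtual machine")
    return bad

# Constructed example: Native Key Provider VM headed for a standalone host.
SRC = Side((8, 0), (8, 0), "nkp-prod", "native", kdk_id="kdk-A")
DST = Side((8, 0), (8, 0), "nkp-prod", "native", kdk_id="kdk-A", standalone=True,
           safe_mode=False, vc_privileges=frozenset({P + "EncryptNew"}))
RESULT = preflight(SRC, DST, frozenset({P + "Migrate"}))
```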

Trusted Key Provider vMotion and Cross-vCenter Server vMotion

Trusted key provider fully supports vMotion across ESXi hosts.

Cross-vCenter Server vMotion is supported, but with the following restrictions.

  1. The required trusted service must be configured on the destination host and the destination host must be attested.
  2. Encryption cannot change on migration. For example, a disk cannot be encrypted while the virtual machine is migrated to the new storage.

When performing cross-vCenter Server vMotion, vCenter Server checks that the trusted key provider is available on the destination host and that the host has access to it.

vSphere Native Key Provider vMotion and Cross-vCenter Server vMotion

vSphere Native Key Provider supports vMotion and Encrypted vMotion across ESXi hosts. Cross-vCenter Server vMotion is supported if vSphere Native Key Provider is configured on the destination host.

Author: Barbera Armstrong
