You can use Site Recovery Manager to protect and recover encrypted virtual machines with array-based protection groups, storage policy protection groups, and vSphere Replication protection groups.
Encryption protects not only your virtual machine but also virtual machine disks and other files. You set up a trusted connection between vCenter Server and a key management server (KMS). vCenter Server can then retrieve keys from the KMS as needed. You must use a KMS cluster registered with the same name on the protected and the recovery sites. For more information, see Set Up the KMS Cluster in the Administering VMware vSAN guide.
To perform guest customization of encrypted virtual machines, Site Recovery Manager requires ESXi 6.5 or later.
For more information on virtual machine encryption, see Virtual Machine Encryption in the vSphere Security documentation.
For more information about storage policy protection groups and encrypted virtual machines, see Protect an Encrypted VM.
For more information about vSphere Replication and encrypted virtual machines, see Replicating Encrypted Virtual Machines in the vSphere Replication Administration documentation.
vSphere Native Key Provider
VMware vSphere® Native Key Provider™ enables encryption-related functionality without requiring an external key server (KMS). Initially, vCenter Server is not configured with a vSphere Native Key Provider. You must manually configure a vSphere Native Key Provider. See Configuring and Managing vSphere Native Key Provider in the VMware vSphere Product Documentation.
- You need vSphere 7.0 Update 2 or later.
- You must purchase the vSphere Enterprise+ edition.
You must configure a vSphere Native Key Provider on both the local and remote sites. The vSphere Native Key Provider ID of the encrypted VM on the local site must match the vSphere Native Key Provider ID on the remote site.
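The matching rules above (the same KMS cluster name, or the same vSphere Native Key Provider ID, on both sites) can be checked before a recovery test. The following is an added example, not VMware code: the `VM` class, `preflight` function, finding codes, and all sample names are hypothetical, the inventory is constructed, and exact string comparison of provider IDs is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    key_provider_id: Optional[str]  # None means the VM is not encrypted


def preflight(protected_providers, recovery_providers, vms):
    """Return (vm_name, provider_id, finding) for each encrypted VM whose
    key provider is not registered under the same ID on both sites."""
    findings = []
    # Index recovery-site IDs case-insensitively to catch near-misses.
    folded = {p.casefold(): p for p in recovery_providers}
    for vm in vms:
        pid = vm.key_provider_id
        if pid is None:
            continue  # unencrypted VMs have no key provider requirement
        if pid not in protected_providers:
            # Stale reference: the VM points at a provider the local site lost.
            findings.append((vm.name, pid, "MISSING_ON_PROTECTED"))
        if pid in recovery_providers:
            continue
        if pid.casefold() in folded:
            # Assumption: IDs must match exactly, so a case-only difference fails.
            findings.append((vm.name, pid, "CASE_MISMATCH_ON_RECOVERY"))
        else:
            findings.append((vm.name, pid, "MISSING_ON_RECOVERY"))
    return findings


# Constructed sample inventory; in practice, export these from each vCenter Server.
PROTECTED = {"kms-cluster-01", "NKP-Prod"}
RECOVERY = {"kms-cluster-01", "nkp-prod"}
VMS = [
    VM("db01", "kms-cluster-01"),
    VM("app01", "NKP-Prod"),
    VM("web01", None),
    VM("old01", "kms-legacy"),
]

if __name__ == "__main__":
    for name, pid, finding in preflight(PROTECTED, RECOVERY, VMS):
        print(f"{name}: provider '{pid}': {finding}")
```
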
To use encryption with a vSphere Native Key Provider for replicated virtual machines, the replica disks must be located on datastores that are accessible through at least one host that is part of a vCenter cluster.
For more information, see Configuring and Managing vSphere Native Key Provider in the VMware vSphere 7.0 Product Documentation.