The storage policy drives the encryption for virtual machines in vCenter Server and VMware Cloud Director. Enable encryption in the storage policy and assign it to the virtual machine configuration files and its disks. The replication follows the encryption status. First encrypt the virtual machines before adding them in the replication.

Starting with VMware Cloud Director Availability 4.1, you can improve the security of your data by replicating encrypted virtual machines from one cloud site to another cloud site.
Important: Cannot replicate a vApp containing both encrypted and non-encrypted virtual machines.
If the replicated virtual machine changes from encrypted to unencrypted, reestablish the replication by stopping and then starting it.

Prerequisites

  • To replicate encrypted virtual machines, verify that later or the following versions are installed in both the source and in the destination cloud sites.
    • VMware Cloud Director Availability 4.1
    • VMware Cloud Director 10.1
    • vCenter Server 6.7 U3
  • Prerequisites for the ESXi hosts.
    • Install the HBR agent VIB in all the ESXi hosts in both the source and the destination sites. After installing the HBR agent, it encrypts the traffic originating from the source ESXi host, providing end-to-end encryption. For more information about VIBs and how to install them, see VIBs, Image Profiles, and Software Depots in the VMware ESXi Upgrade. You can download the HBR agent VIB file directly from the Cloud Replicator Appliance:
    • Either from the appliance filesystem, download the /opt/vmware/hbr/vib/vmware-hbr-agent-build_number.i386.vib file.
    • Alternatively, from the following URL download the https://Replicator_Address/hbr-agent.vib file.
  • Prerequisites for the vCenter Server instances.
    • For virtual machine encryption to work in vCenter Server, configure a Key Management Server (KMS). Use the same KMS for both the source and the destination vCenter Server instances. Make sure that the KMS cluster names also match. For information about setting up a Key Management Server cluster, see Set up the Key Management Server Cluster in the vSphere Security Guide.
    • In vCenter Server, you must also have an encryption storage policy. For more information, see Create an Encryption Storage Policy in the vSphere Security Guide and for more information about the virtual machine encryption, see Virtual Machine Encryption in the vSphere Security Guide.
  • Prerequisites for VMware Cloud Director.
    • Verify that the Organization Administrator role has the View Encryption Status of VMs and VM's disks right.
    • Add the encryption-enabled storage policy to a provider VDC. For more information, see Add a VM Storage Policy to a Provider Virtual Data Center in the VMware Cloud Director Service Provider Admin Portal Guide.
    • Add the encryption-enabled storage policy to an organization VDC. For more information, see Add a VM Storage Policy to an Organization Virtual Data Center in the VMware Cloud Director Service Provider Admin Portal Guide.
    • Create an encrypted virtual machine by applying the encryption-enabled storage policy. Replications for encrypted virtual machines can only include virtual machines with an encryption-enabled storage policy.
  • Verify that you can access VMware Cloud Director Availability as a tenant or as a service provider. For more information, see Accessing VMware Cloud Director Availability.
  • Verify that your session is extended to the site in which the vApps or virtual machines you are about to replicate reside. For more information, see Authenticating to Remote Sites.

Procedure

  1. In the left pane, choose a replication direction.
    For a replication with encrypted virtual machines, choose an incoming replication from a cloud site, or an outgoing replication to a cloud site.
  2. To create a replication for encrypted virtual machines, select either new protection or new migration.
    • Click All Actions > New Protection.
    • Click All Actions > New Migration.
  3. Complete the New Replication wizard.
    1. In the Cloud vApps and VMs page, select only virtual machines that show status Yes in the Encrypted column, and click Next.
      The Encrypted column shows status N/A when the currently logged user does not have the View Encryption Status of VMs and VM's disks right in VMware Cloud Director or the version of VMware Cloud Director does not support the encryption of virtual machines.
      Note: In a replication for encrypted virtual machines, select only encrypted virtual machines.
    2. In the Destination VDC and Storage policy page under Storage policy, select a storage policy that shows Encrypted in the Encryption capability column and click Next.
      After selecting an encrypted virtual machine, you can only select an encrypted storage policy.
    3. In the Settings page, configure the replication settings and click Next.
    4. If in the Settings page you selected Configure Seed VMs, in the Seed VM page select the seed and click Next.
    5. In the Ready to Complete page, verify that the replication settings are correct and click Finish.
    The initial synchronization of a replication containing an encrypted virtual machine takes longer to complete than a replication with the same settings that contains a non-encrypted virtual machine with the same hardware.

Results

The new replication containing encrypted virtual machines uses encryption for the data communication.