Distributed Network Encryption (DNE) encrypts network traffic in the hypervisor based on a group-keying concept in which VMs with common features or requirements defined by the administrator share a single key. The NSX Manager provides a consumption model that supports granular, rule-based group key management.

Encryption rules contain instructions that determine what to do with individual network packets based on packet properties: authenticate and encrypt or decrypt the packet, or only authenticate it. DNE relies on a VMware-provided DNE Key Manager appliance for DNE key management.

The following figure shows how DNE and the DNE Key Manager fit into the overall NSX Transformers architecture:

Figure 1. Distributed Network Encryption Architecture


The following table describes how DNE interacts with other components.

Table 1. Distributed Network Encryption Architectural Components





NSX Manager

Includes a DNE Manager component that handles the configuration and management of the DNE service, including rules and policy management, publishing, and logging. Administrators define encryption rules, encryption rule sections, and key policies via the NSX Manager GUI or REST APIs.


NSX Controller

Includes a DNE Controller component that handles rule translation and publishing, sharding, and access control on key distribution.


DNE Agent

Agent for DNE Filter in the user world. Acts as the communication channel between DNE Filter and the following components:

  • NSX Manager (statistics)

  • NSX Controller (configuration)

  • DNE Key Manager (key distribution)

DNE Key Manager

Manages the keys used to provide encrypted and authenticated connections between two endpoints. The DNE Key Manager generates, stores, and returns keys upon request from the hypervisors. The NSX Controller controls which hypervisor gets which keys.

DNE Filter

Encrypts and authenticates network packets.

Key Concepts

The following table explains the key concepts in DNE.

Table 2. Distributed Network Encryption Key Concepts




encryption

Conversion of a message from its native format to a coded format so that only the sender and intended recipient can read its contents (preserving the confidentiality of the data).

decryption

Conversion of a message from its encrypted (coded) format back to its native format.

authentication

Process of verifying the integrity of a network packet to determine whether the packet has been tampered with.

encryption rule

Defines what data flow (source and destination) to protect, the action to perform if a match is found (encrypt and authenticate, authenticate only, or allow in plain text), and the policy enforcement point.

encryption rule section

Set of encryption rules that are managed as a group.


key

Cryptographic token used for authentication and encryption. Keys are paired and symmetric (not a public/private key pair). Each key also has a unique identifier called a KeyID. Keys have 128-bit strength.

key policy

When a rule requires a key, a key policy (KP) is used to determine which key instance to use for a network packet. The KP defines all parameters and metadata for a set of keys, and the specification of a DNE Key Manager instance.

key rotation

Process of obtaining new keys from the DNE Key Manager (to replace existing keys or to add new keys). Key rotation occurs automatically (based on frequency or expiration settings) or manually (on demand). Key rotation occurs more gracefully than key revocation.

key revocation

Process of invalidating keys so that they can no longer be used for encryption or decryption. Revocation is typically triggered when one or more keys become untrusted for some reason (such as a data breach incident). Revocation stops the use of the current keys and initiates requests for new keys from the DNE Key Manager. Revocation affects traffic, as some packets could be dropped while hosts await the new key.


If a key expires and a new key is not available for reasons such as the DNE Key Manager or the central control plane not being reachable, the old key will continue to be used. A log message about this event will be written to the system log.
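
The three key events described above (rotation, revocation, and expiry with no replacement available) differ in what happens to traffic while a new key is pending. The following model is an added illustration, not VMware code or an NSX API: the class names, method names, and key IDs are hypothetical, and the key manager is a stub.

```python
import logging

log = logging.getLogger("dne_model")

class KeyManagerUnreachable(Exception):
    """Raised by the stub when the key manager cannot be contacted."""

class StubKeyManager:
    """Stand-in for the DNE Key Manager; hands out constructed key IDs."""
    def __init__(self):
        self.reachable = True
        self._next = 1

    def request_key(self):
        if not self.reachable:
            raise KeyManagerUnreachable()
        key_id = f"key-{self._next}"
        self._next += 1
        return key_id

class HostKeyState:
    """Key state for one key policy on one hypervisor (hypothetical model)."""
    def __init__(self, km):
        self.km = km
        self.current = km.request_key()
        self.expired = False

    def _fetch(self):
        try:
            self.current, self.expired = self.km.request_key(), False
            return True
        except KeyManagerUnreachable:
            return False

    def rotate(self):
        # Rotation: the old key stays in use until its replacement arrives.
        return self._fetch()

    def expire(self):
        # Expiry with no replacement: keep using the old key and log the event.
        self.expired = True
        if not self._fetch():
            log.warning("key %s expired, no new key available, still in use", self.current)

    def revoke(self):
        # Revocation: stop using the key immediately, then request a new one.
        self.current = None
        return self._fetch()

    def action(self):
        # With no usable key (revoked, replacement pending) packets are dropped.
        return ("drop", None) if self.current is None else ("encrypt", self.current)
```

In this model an expired key keeps protecting traffic while the key manager is unreachable, whereas a revoked key causes drops until a new key is delivered, which is why the log message for the expiry case is worth alerting on.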