Starting with vSphere 6.5, vSphere vMotion always uses encryption when migrating encrypted virtual machines. For virtual machines that are not encrypted, you can select one of the encrypted vSphere vMotion options.

Encrypted vSphere vMotion secures confidentiality, integrity, and authenticity of data that is transferred with vSphere vMotion.

  • vSphere supports encrypted vMotion of unencrypted virtual machines across vCenter Server instances.
  • vSphere does not support vMotion of encrypted virtual machines across vCenter Server instances. Because one vCenter instance cannot verify that another vCenter instance is connected to the same Key Management System cluster, the proper encryption keys are not available for VM encryption operations to succeed. As a result, vMotion in this situation is not currently supported.

What Is Encrypted

For encrypted disks, the data is transmitted encrypted in all cases. For unencrypted disks, the following applies:
  • If disk data is transferred within a host, that is, you change only the datastore and not the host, the transfer is unencrypted.
  • If disk data is transferred between hosts and encrypted vMotion is used, the transfer is encrypted. If encrypted vMotion is not used, the transfer is unencrypted.

For virtual machines that are encrypted, migration with vSphere vMotion always uses encrypted vSphere vMotion. You cannot turn off encrypted vSphere vMotion for encrypted virtual machines.

Encrypted vSphere vMotion States

For virtual machines that are not encrypted, you can set encrypted vSphere vMotion to one of the following states. The default is Opportunistic.
  • Disabled: Do not use encrypted vSphere vMotion.
  • Opportunistic: Use encrypted vSphere vMotion if source and destination hosts support it. Only ESXi versions 6.5 and later use encrypted vSphere vMotion.
  • Required: Allow only encrypted vSphere vMotion. If the source or destination host does not support encrypted vSphere vMotion, migration with vSphere vMotion is not allowed.

When you encrypt a virtual machine, the virtual machine keeps a record of the current encrypted vSphere vMotion setting. If you later disable encryption for the virtual machine, the encrypted vMotion setting remains at Required until you change the setting explicitly. You can change the settings using Edit Settings.
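
The following audit sketch is an added example, not VMware code. It applies the state rules above to a constructed inventory export and reports which unencrypted VMs can migrate in the clear or be blocked. The `migrateEncryption` field is named after the vSphere API property of the same name; the JSON layout, host names and VM names are assumptions made for the example.

```python
import json

# Constructed inventory export (not real data); the layout is an assumption.
INVENTORY = json.loads("""
{
  "hosts": [
    {"name": "esx-a1", "cluster": "prod", "version": "6.7.0"},
    {"name": "esx-a2", "cluster": "prod", "version": "6.0.0"},
    {"name": "esx-b1", "cluster": "dmz",  "version": "7.0.3"},
    {"name": "esx-b2", "cluster": "dmz",  "version": "6.5.0"}
  ],
  "vms": [
    {"name": "web01",  "cluster": "prod", "encrypted": false, "migrateEncryption": "opportunistic"},
    {"name": "db01",   "cluster": "prod", "encrypted": false, "migrateEncryption": "required"},
    {"name": "app01",  "cluster": "dmz",  "encrypted": false, "migrateEncryption": "opportunistic"},
    {"name": "test01", "cluster": "dmz",  "encrypted": false, "migrateEncryption": "disabled"},
    {"name": "hr01",   "cluster": "prod", "encrypted": true,  "migrateEncryption": "required"}
  ]
}
""")

def supports_encrypted_vmotion(version):
    """Only ESXi 6.5 and later use encrypted vSphere vMotion."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return (major, minor) >= (6, 5)

def audit(inventory):
    """Return {vm_name: finding} for unencrypted VMs whose vMotion can be cleartext or blocked."""
    legacy = {}  # cluster -> hosts that cannot do encrypted vMotion
    for h in inventory["hosts"]:
        if not supports_encrypted_vmotion(h["version"]):
            legacy.setdefault(h["cluster"], []).append(h["name"])
    findings = {}
    for vm in inventory["vms"]:
        if vm["encrypted"]:
            continue  # encrypted VMs always use encrypted vMotion
        old = legacy.get(vm["cluster"], [])
        mode = vm["migrateEncryption"].lower()
        if mode == "disabled":
            findings[vm["name"]] = "unencrypted: setting is Disabled"
        elif mode == "opportunistic" and old:
            findings[vm["name"]] = "may fall back to unencrypted via " + ",".join(old)
        elif mode == "required" and old:
            findings[vm["name"]] = "vMotion not allowed to " + ",".join(old)
    return findings

if __name__ == "__main__":
    for name, finding in sorted(audit(INVENTORY).items()):
        print(f"{name}: {finding}")
```
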