You can encrypt Fault Tolerance log traffic.

vSphere Fault Tolerance performs frequent checks between a primary VM and secondary VM so that the secondary VM can quickly resume from the last successful checkpoint. The checkpoint contains the VM state that has been modified since the previous checkpoint. You can encrypt Fault Tolerance log traffic.

When you turn on Fault Tolerance, FT encryption is set to Opportunistic by default, which means it enables encryption only if both the primary and secondary host are capable of encryption. Follow this procedure if you need to change the FT encryption mode manually.

Note: Fault Tolerance supports vSphere Virtual Machine Encryption with vSphere 7.0 Update 2 and later. In-guest and array-based encryption do not depend on or interfere with VM encryption. Having multiple encryption layers uses additional compute resources, which might impact virtual machine performance. The impact varies with hardware as well as the amount and type of I/O, but overall performance impact is negligible for most workloads. The effectiveness and compatibility of back-end storage features such as deduplication, compression, and replication might also be affected by VM encryption.


FT encryption requires SMP-FT. Encryption on Legacy FT (Record-Replay FT) is not supported.


  1. Select the VM and choose Edit Settings.
  2. Under VM Options select the Encrypted FT drop-down menu.
  3. Choose one of the following options:
    Option Description
    Disabled Do not turn on encrypted Fault Tolerance logging.
    Opportunistic Turn on encryption only if both sides are capable. A Fault Tolerance VM is allowed to move to an ESXi host which does not support encrypted Fault Tolerance logging.
    Required Choose hosts for Fault Tolerance primary and secondary that both support encrypted FT logging.
    Note: While VM encryption is enabled, FT encryption mode is set to Required by default and cannot be modified.

    When FT encryption mode is set to Required:

    • When you turn on FT, only FT encryption supported hosts are listed for the placement of FT secondary.
    • FT failover can only happen on the FT encryption supported hosts.
  4. Click OK.