You can encrypt Fault Tolerance log traffic.

vSphere Fault Tolerance performs frequent checks between a primary VM and secondary VM so that the secondary VM can quickly resume from the last successful checkpoint. The checkpoint contains the VM state that has been modified since the previous checkpoint. You can encrypt Fault Tolerance log traffic.

When you turn on Fault Tolerance, FT encryption is set to Opportunistic by default, which means it enables encryption only if both the primary and secondary host are capable of encryption. Follow this procedure if you need to change the FT encryption mode manually.


FT encryption requires SMP-FT. Encryption on Legacy FT (Record-Replay FT) is not supported.


  1. Select the VM and choose Edit Settings.
  2. Under VM Options select the Encrypted FT drop-down menu.
  3. Choose one of the following options:
    Option Description
    Disabled Do not turn on encrypted Fault Tolerance logging.
    Opportunistic Turn on encryption only if both sides are capable. A Fault Tolerance VM is allowed to move to an ESXi host which does not support encrypted Fault Tolerance logging.
    Required Choose hosts for Fault Tolerance primary and secondary that both support encrypted FT logging.
    Note: While VM encryption is enabled, FT encryption mode is set to Required by default and cannot be modified.

    When FT encryption mode is set to Required:

    • When you turn on FT, only FT encryption supported hosts are listed for the placement of FT secondary.
    • FT failover can only happen on the FT encryption supported hosts.
  4. Click OK.