vSphere vMotion always uses encryption when migrating encrypted virtual machines. For virtual machines that are not encrypted, you can select one of the encrypted vSphere vMotion options.

Encrypted vSphere vMotion secures confidentiality, integrity, and authenticity of data that is transferred with vSphere vMotion. vSphere supports encrypted vMotion of unencrypted and encrypted virtual machines across vCenter Server instances.

What Is Encrypted

For encrypted disks, the data is transmitted encrypted. For disks that are not encrypted, Storage vMotion encryption is not supported.

For virtual machines that are encrypted, migration with vSphere vMotion always uses encrypted vSphere vMotion. You cannot turn off encrypted vSphere vMotion for encrypted virtual machines.

Encrypted vSphere vMotion States

For virtual machines that are not encrypted, you can set encrypted vSphere vMotion to one of the following states. The default is Opportunistic.

  • Disabled: Do not use encrypted vSphere vMotion.
  • Opportunistic: Use encrypted vSphere vMotion if both the source and destination hosts support it. Only ESXi versions 6.5 and later use encrypted vSphere vMotion.
  • Required: Allow only encrypted vSphere vMotion. If the source or destination host does not support encrypted vSphere vMotion, migration with vSphere vMotion is not allowed.

When you encrypt a virtual machine, the virtual machine keeps a record of the current encrypted vSphere vMotion setting. If you later disable encryption for the virtual machine, the encrypted vMotion setting remains at Required until you change the setting explicitly. You can change the settings using Edit Settings.
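The state described above is exposed through the vSphere API as the migrateEncryption property of the virtual machine configuration, which makes it possible to audit the setting across an inventory rather than opening Edit Settings on each VM. The following PowerCLI script is an added example, not part of the VMware documentation; it assumes an existing Connect-VIServer session, and the -Enforce switch and the report column names are this example's own choices.

```powershell
# Added example: report every VM's encrypted vSphere vMotion mode and,
# with -Enforce, raise unencrypted VMs that are Disabled or Opportunistic
# to Required. Assumes VMware PowerCLI and a connected vCenter session.
param(
    [switch]$Enforce   # reconfigure non-compliant VMs instead of only reporting
)

# migrateEncryption is the API name of the setting; its values are
# "disabled", "opportunistic" (the default) and "required".
# keyId is set on the config of an encrypted VM, which always uses
# encrypted vMotion and cannot be changed, so those VMs are only listed.
$report = foreach ($vm in Get-VM) {
    $cfg = $vm.ExtensionData.Config
    [pscustomobject]@{
        Name        = $vm.Name
        VMEncrypted = [bool]$cfg.KeyId
        Mode        = $cfg.MigrateEncryption
        VM          = $vm
    }
}

$report | Format-Table Name, VMEncrypted, Mode -AutoSize

# Only unencrypted VMs can be in a state other than Required.
$nonCompliant = $report | Where-Object { -not $_.VMEncrypted -and $_.Mode -ne 'required' }

if ($Enforce) {
    foreach ($entry in $nonCompliant) {
        # Same reconfiguration that Edit Settings performs, via the API.
        $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
        $spec.MigrateEncryption = 'required'
        $entry.VM.ExtensionData.ReconfigVM($spec)
        Write-Output "Set encrypted vSphere vMotion to Required on $($entry.Name)"
    }
}
else {
    Write-Output "$($nonCompliant.Count) unencrypted VM(s) are not set to Required."
}
```

Before using -Enforce, confirm that every host the affected VMs can migrate to runs ESXi 6.5 or later, because Required blocks vMotion to hosts without encrypted vMotion support.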

Note: Currently, you must use the vSphere APIs to migrate or clone encrypted virtual machines across vCenter Server instances. See vSphere Web Services SDK Programming Guide and vSphere Web Services API Reference.

Migrating or Cloning Encrypted Virtual Machines Across vCenter Server Instances

vSphere vMotion supports migrating and cloning encrypted virtual machines across vCenter Server instances.

When migrating or cloning encrypted virtual machines across vCenter Server instances, the source and destination vCenter Server instances must be configured to share the Key Management Server cluster that was used to encrypt the virtual machine. In addition, the KMS cluster name must be the same on both the source and destination vCenter Server instances. The destination vCenter Server ensures the destination ESXi host has encryption mode enabled, ensuring the host is cryptographically "safe."

The following privileges are required when using vSphere vMotion to migrate or clone an encrypted virtual machine across vCenter Server instances.

  • Migrating: Cryptographic operations.Migrate on the virtual machine
  • Cloning: Cryptographic operations.Clone on the virtual machine

Also, the destination vCenter Server must have the Cryptographic operations.EncryptNew privilege. If the destination ESXi host is not in "safe" mode, the Cryptographic operations.RegisterHost privilege must also be granted on the destination vCenter Server.

Certain tasks are not allowed when migrating encrypted virtual machines across vCenter Server instances.

  • You cannot change the VM Storage Policy.
  • You cannot perform a key change.

vSphere Trust Authority and Encrypted vMotion

vSphere Trust Authority supports migrating and cloning encrypted virtual machines with vSphere vMotion across vCenter Server instances, with the following requirements.

  • The vSphere Trust Authority service must be configured for the destination host and the destination host must be attested.
  • Encryption cannot change on migration. For example, an unencrypted disk cannot be encrypted while the virtual machine is migrated to the new storage.
  • You can migrate a standard encrypted virtual machine onto a Trusted Host. The KMS cluster name must be the same on both the source and destination vCenter Server instances.
  • You cannot migrate a vSphere Trust Authority encrypted virtual machine onto a non-Trusted Host.