You can enable network encryption of replication traffic for new and existing replications to enhance the security of data transfer.
With VMware vSphere Replication 8.4, you can enable encryption of replication traffic flows from the source ESXi host to the vSphere Replication server at the target site.
The vSphere Replication appliance automatically installs an encryption agent on the source ESXi hosts in vSphere environments of version 6.0 or later.
You can run the shell command esxcli software vib list on the source ESXi host and look for the vmware-hbr-agent VIB to make sure the agent is available in your system.
When the network encryption feature is switched on, the agent encrypts the replication data on the source ESXi host and sends it to the vSphere Replication appliance on the target site. The vSphere Replication server decrypts the data and sends it to the target datastore.
Unencrypted traffic goes through port 31031 on the source ESXi hosts and the vSphere Replication appliance on the target site.
Encrypted traffic goes through port 32032 on the source ESXi hosts and the vSphere Replication appliance on the target site.
If you configure a replication of an encrypted VM, the network encryption is automatically turned on and cannot be disabled.
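The VIB check and the port split described above can be turned into a quick verification, shown here as an added example that is not part of the VMware documentation. The function names are hypothetical, the sample rows are constructed, and the parsing assumes the whitespace-separated column layout of the esxcli software vib list and esxcli network ip connection list output.

```shell
#!/bin/sh
# Added example: offline checks over saved esxcli output. Function names are
# hypothetical; the sample rows below are constructed, not captured from a host.

# Reads `esxcli software vib list` output on stdin.
# Exit status 0 if a vmware-hbr-agent row is present, 1 otherwise.
has_hbr_agent() {
    awk '$1 == "vmware-hbr-agent" { found = 1 } END { exit !found }'
}

# Reads `esxcli network ip connection list` output on stdin and counts
# ESTABLISHED TCP connections by replication port:
# 32032 = encrypted, 31031 = unencrypted.
classify_replication_traffic() {
    awk '
    function port(addr,    n, parts) { n = split(addr, parts, ":"); return parts[n] }
    $1 ~ /^tcp/ && $6 == "ESTABLISHED" {
        l = port($4); f = port($5)
        if (l == "32032" || f == "32032") enc++
        else if (l == "31031" || f == "31031") plain++
    }
    END { printf "encrypted=%d unencrypted=%d\n", enc, plain }'
}

# Constructed sample data (placeholder versions, documentation-range addresses).
SAMPLE_VIBS='Name              Version      Vendor  Acceptance Level  Install Date
----------------  -----------  ------  ----------------  ------------
esx-base          PLACEHOLDER  VMware  VMwareCertified   2024-01-01
vmware-hbr-agent  PLACEHOLDER  VMware  VMwareCertified   2024-01-01'

SAMPLE_CONNS='Proto  Recv Q  Send Q  Local Address     Foreign Address      State        World ID  CC Algo  World Name
-----  ------  ------  ----------------  -------------------  -----------  --------  -------  -----------
tcp         0       0  192.0.2.10:51514  198.51.100.20:32032  ESTABLISHED   1000001  newreno  placeholder
tcp         0       0  192.0.2.10:51520  198.51.100.21:31031  ESTABLISHED   1000002  newreno  placeholder
tcp         0       0  192.0.2.10:51522  198.51.100.21:31031  TIME_WAIT           0  newreno  placeholder
tcp         0       0  192.0.2.10:443    192.0.2.50:60000     ESTABLISHED   1000003  newreno  placeholder'

if printf '%s\n' "$SAMPLE_VIBS" | has_hbr_agent; then
    echo "vmware-hbr-agent VIB: present"
else
    echo "vmware-hbr-agent VIB: MISSING"
fi
printf '%s\n' "$SAMPLE_CONNS" | classify_replication_traffic
```

On a source ESXi host, pipe the live output of the two esxcli commands into the functions instead of the samples; a nonzero unencrypted count indicates replication connections still using port 31031.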