Replicating Encrypted Virtual Machines

You can improve security and protection of your data by replicating encrypted virtual machines.

Warning: vSphere Replication 8.8 does not support vSphere 7.0 Update 2 if virtual machine encryption is switched on. To use virtual machine encryption with vSphere Replication 8.8, you must use vSphere 7.0 Update 2c or later.

You can replicate virtual machines if you are running vSphere 6.7 Update 1 or later. Ensure that you either use a common Key Management Server (KMS) or that the Key Management Server clusters at both sites use common encryption keys. Ensure that the KMS server is registered with the same name both at the source and target sites. For information about how to set up a Key Management Server cluster, see the VMware vSphere ESXi and vCenter Server 6.7 documentation.

An encrypted virtual machine can have both encrypted and unencrypted disks and you must follow different policies for each type.

When you specify the VM Storage Policy for target disks in a replication, you must set a storage policy with VM Encryption enabled at the target if the source disks are encrypted. For unencrypted source disks, you must set a storage policy without VM Encryption enabled at the target.

If you use replication seeds, target disks for encrypted source disks must be encrypted and target disks for unencrypted source disks must be unencrypted. Replica disks can have different encryption keys from the source disks.

If you do not use seed disks, replica disks are encrypted with the same encryption key as the source VM disks.

When you configure a replication of an encrypted VM, encryption of the transferred data is automatically switched on to enhance data security and you cannot switch it off.

For more information on VM encryption, see Virtual Machine Encryption in the vSphere Security documentation.

For information about enabling virtual machine encryption for an already replicated VM, see Enable VM Encryption for an Already Replicated VM.

vSphere Native Key Provider

VMware vSphere^® Native Key Provider™ enables encryption-related functionality without requiring an external key server (KMS). Initially, vCenter Server is not configured with a vSphere Native Key Provider. You must manually configure a vSphere Native Key Provider. See Configuring and Managing vSphere Native Key Provider in the VMware vSphere Product Documentation.

Requirements for using vSphere Native Key Provider for encrypting virtual machines and virtual disks:

You need vSphere 7.0 Update 2c or later.
You must purchase the vSphere Enterprise+ edition.

You must configure a vSphere Native Key Provider on both the local and remote sites. The vSphere Native Key Provider ID of the encrypted VM on the local site must match the vSphere Native Key Provider ID on the remote site.

To use encryption with a vSphere Native Key Provider for replicated virtual machines, the replica disks must be located on datastores, which are accessible through at least one host, which is a part of a vCenter cluster.

For more information, see Configuring and Managing vSphere Native Key Provider in the VMware vSphere 7.0 Product Documentation.