You can activate network encryption of the replication traffic for new and existing replications to enhance the security of data transfer.
Encryption covers the replication traffic flow from the source ESXi host to the datastore at the target site.
The vSphere Replication appliance automatically installs an encryption agent on the source ESXi hosts. For ESXi hosts that are part of the vSphere Lifecycle Managed clusters or standalone ESXi hosts managed by vSphere Lifecycle Manager, the encryption agent is added as part of the desired state of the ESXi image. vSphere Lifecycle Manager takes care of installing the encryption agent on the hosts. For ESXi hosts that are not managed by vSphere Lifecycle Manager, the encryption agent is installed by vSphere Replication Management Server through the Patch Manager.
The network encryption uses TLSv1.2 as its secure transport protocol.
The encrypted replication traffic uses mutual certificate-based authentication between the source ESXi host and target site vSphere Replication server.
When configuring or reconfiguring a replication, the vSphere Replication Management Server (VRMS) updates the source virtual machine configuration with a thumbprint of the target vSphere Replication server certificate. VRMS registers each vSphere Replication server at the target site with the certificates of all ESXi hosts from the source site. The registration is done separately for each paired vSphere Replication site.
VRMS exchanges the leaf certificates of the endpoints of the encrypted replication traffic, regardless of which certificate authorities issued the certificates of the source ESXi host and the target vSphere Replication server.
You can run the shell command esxcli software vib list on the source ESXi host and look for the vmware-hbr-agent VIB to make sure the agent is available in your system.
When the network encryption feature is switched on, the agent encrypts the replication data on the source ESXi host and sends it to the vSphere Replication appliance on the target site. The vSphere Replication server decrypts the data and sends it to the target datastore.
Unencrypted traffic goes through port 31031 on the source ESXi hosts and the vSphere Replication appliance on the target site.
Encrypted traffic goes through port 32032 on the source ESXi hosts and the vSphere Replication appliance on the target site.
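The VIB check and the port numbers above, as an added shell example that is not from the VMware documentation: it parses constructed sample output of esxcli software vib list and esxcli network ip connection list (the latter is an assumed additional check) to confirm that the encryption agent is installed and that replication sessions use port 32032 rather than the unencrypted port 31031.

```shell
#!/bin/sh
# Added example, not VMware's code. Verifies the two observable signs of
# encrypted replication: the vmware-hbr-agent VIB is installed, and live
# replication sessions terminate on port 32032, not on port 31031.
# Both outputs below are constructed samples (versions, addresses and
# world names are placeholders) so the script runs offline.

vib_list='Name                 Version                  Vendor  Acceptance Level  Install Date
-------------------  -----------------------  ------  ----------------  ------------
vmware-hbr-agent     0.0.0-0.0.00000000       VMware  VMwareCertified   2024-01-15
esx-base             0.0.0-0.0.00000000       VMware  VMwareCertified   2024-01-10'

conn_list='Proto  Recv Q  Send Q  Local Address       Foreign Address      State        World ID  CC Algo  World Name
-----  ------  ------  ------------------  -------------------  -----------  --------  -------  ----------
tcp    0       0       192.0.2.10:49152    198.51.100.20:32032  ESTABLISHED  2100      newreno  hbr-agent
tcp    0       0       192.0.2.10:49153    198.51.100.20:31031  ESTABLISHED  2101      newreno  hbr'

# Exit 0 when the vmware-hbr-agent VIB appears in `esxcli software vib list` output ($1).
hbr_agent_installed() {
    printf '%s\n' "$1" | awk '$1 == "vmware-hbr-agent" { found = 1 } END { exit found ? 0 : 1 }'
}

# Print how many ESTABLISHED TCP connections in `esxcli network ip connection list`
# output ($2) go to remote port $1.
count_connections_to_port() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "tcp" && $6 == "ESTABLISHED" {
            n = split($5, a, ":"); if (a[n] == port) c++
        }
        END { print c + 0 }'
}

# Overall verdict: exit 0 only if the agent is present, at least one session
# uses the encrypted port, and no session still uses the unencrypted port.
replication_encrypted() {
    hbr_agent_installed "$1" || return 1
    [ "$(count_connections_to_port 32032 "$2")" -gt 0 ] || return 1
    [ "$(count_connections_to_port 31031 "$2")" -eq 0 ] || return 1
}

if replication_encrypted "$vib_list" "$conn_list"; then
    echo "replication traffic is encrypted"
else
    echo "WARNING: agent missing or unencrypted replication session found"
fi
```

On a real host, replace the two sample variables with the live command output, for example vib_list=$(esxcli software vib list).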
If you configure a replication of an encrypted VM, the network encryption is automatically turned on and cannot be deactivated.