Encrypted vMotion Best Practices


VMware vSphere Encrypted vMotion protects VMs as they live-migrate between ESXi hosts using vMotion. This is a collection of common considerations when implementing Encrypted vMotion. Please also refer to the Frequently Asked Questions list and Introduction videos found at https://core.vmware.com/encrypted-vmotion.

Encrypted vMotion Design Considerations

Encrypted vMotion is very straightforward. Designing an environment to take advantage of this feature is as simple as enabling it on a per-VM basis.

Encrypted vMotion Tips & Tricks

Set Encrypted vMotion on your virtual machine templates so that new virtual machines inherit the proper settings.

The default setting for Encrypted vMotion is “Opportunistic.” Set it to “Required” to ensure that vMotion occurs with encryption.

Use PowerCLI to audit and update virtual machines at scale. To get started, use the Code Capture feature of the vSphere Client to generate a sample PowerShell script, which can be edited to work across your entire environment.
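One way to do the audit and update described above is shown here as an added example; it is not a script from VMware or from the original page. It assumes PowerCLI is installed and a `Connect-VIServer` session is already open. The two function names are hypothetical.

```powershell
# Added example. Assumes VMware PowerCLI is loaded and Connect-VIServer
# has already established a session to vCenter.

# Report the Encrypted vMotion mode of every VM and template.
function Get-EncryptedVMotionReport {   # hypothetical helper name
    $inventory = @(Get-VM) + @(Get-Template)
    foreach ($item in $inventory) {
        [pscustomobject]@{
            Name       = $item.Name
            IsTemplate = $item.ExtensionData.Config.Template
            # API values: disabled, opportunistic, required
            Mode       = $item.ExtensionData.Config.MigrateEncryption
        }
    }
}

# Set "Required" on every VM that does not already have it.
function Set-EncryptedVMotionRequired { # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.MigrateEncryption = 'required'
    foreach ($vm in Get-VM) {
        $mode = $vm.ExtensionData.Config.MigrateEncryption
        if ($mode -eq 'required') { continue }
        $action = "Change Encrypted vMotion from '$mode' to 'required'"
        if ($PSCmdlet.ShouldProcess($vm.Name, $action)) {
            $vm.ExtensionData.ReconfigVM($spec)
        }
    }
}

# Audit first, preview the change with -WhatIf, then apply it.
Get-EncryptedVMotionReport | Sort-Object Mode, Name | Format-Table -AutoSize
Set-EncryptedVMotionRequired -WhatIf
# Set-EncryptedVMotionRequired
```

Templates appear in the report only; this example does not reconfigure them.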

Summary and Additional Resources

Additional Resources

Please visit the vSphere security resources at https://core.vmware.com/security.

Change Log


Original publication.

About the Authors

This document is maintained by Bob Plankers, Senior Technical Marketing Architect, VMware.


The purpose of this document is to answer questions that may fall outside the scope of product documentation and system design guidance. Your feedback is valuable. To comment on this document please contact Bob Plankers at rplankers@vmware.com. Thank you.
