Encrypted vMotion Frequently Asked Questions

Introduction

VMware vSphere Encrypted vMotion protects VMs as they live-migrate between ESXi hosts using vMotion. This is a collection of common questions asked of VMware.

Questions

Do I need a KMS for Encrypted vMotion?

No. Encrypted vMotion does not use a KMS, as the encryption keys used are ephemeral and not stored anywhere except temporarily in memory of vCenter Server and the two ESXi hosts involved.

How does this impact VM performance?

There is a great paper from the VMware Performance team on the effects of Encrypted vMotion on system performance. It was written for vSphere 6.5 but the findings still hold today, and newer CPUs help mitigate the effect even more. In short, there is CPU overhead, but it’s only while the vMotion is occurring, and it is minimal.

What additional components do I need to enable Encrypted vMotion?

Nothing – Encrypted vMotion is a native part of vSphere and can be enabled directly on VMs.

Does Encrypted vMotion work with Storage vMotion?

Yes – Storage vMotion continues to work in the same way.

Does an encrypted VM use Encrypted vMotion?

Yes – a VM that is protected with VM Encryption will require encrypted vMotion.

Can I require Encrypted vMotion for all vMotions in my cluster?

Encrypted vMotion is a setting on each VM, but not at the cluster level. You can use PowerCLI to set it on all your VMs.

How do I use vSAN Encryption with Encrypted vMotion?

In exactly the same way as you would with normal vMotion – it works perfectly.

Does Encrypted vMotion cause a VM to be slower?

Encrypted vMotion only happens when a VM is being migrated between hosts and does not affect VM performance at other times.

Where are the encryption keys stored?

Encrypted vMotion uses a temporary, one-time 256-bit cryptographic key generated by vCenter Server and shared with the source and destination ESXi hosts for use by that single vMotion operation. After that vMotion is complete the key is discarded and never reused, and it is never stored anywhere but memory.

How can I ensure that the encryption keys are purged from memory?

Reboot the affected ESXi hosts and vCenter Server.

Does Encrypted vMotion use TLS?

For performance & workload isolation reasons the transfer between ESXi hosts does not use TLS. Instead, it uses AES-GCM algorithms which are FIPS-validated. If a vMotion is between hosts managed by different vCenter Servers in Enhanced Linked Mode the vCenter Servers will protect their communications using TLS. The key distribution communications between vCenter Server and the ESXi hosts is done over a connection protected by TLS.

Summary and Additional Resources

Additional Resources

Please visit the vSphere security resources at https://core.vmware.com/security.

Change Log

2020-11-17

Migrated from original vSphere Central content.

About the Authors

This Frequently Asked Questions list is maintained by Bob Plankers, Senior Technical Marketing Architect, VMware.

Feedback

The purpose of this document is to answer questions that may fall outside the scope of product documentation and system design guidance. Your feedback is valuable. To comment on this document please contact Bob Plankers at rplankers@vmware.com. Thank you.

Filter Tags

Security vSphere vSphere 6.5 vSphere 6.7 vSphere 7 Document Intermediate