Enable Encrypted VMotion

One of the most asked for features within vSphere has always been encryption. With 6.5 we are now granted this ability in vmotion, and it is actually rather simple to enable.

According to VMWare, when a virtual machine that will be using encrypted vmotion is moved from one host to another, a random 256-bit key is created by the vcenter, which thankfully doesnt require the need of a KMS. A random 64-Bit one time (nonce) is also generated. This information is sent to the hosts that will be involved in the vmotion action. As a note, the guest VM does not have access to the encryption information.

All vmotion traffic is encrypted, from the TCP payload, to the vmotion metadata using AES-GCM standards. The source host will utilize the key and nonce for encryption and the receiving compute host will use the same in order to decrypt.

Encrypted virtual machines will always utilize encrypted vmotion. For vms that are not encrypted you are given three options as seen below:

  • ┬áDisabled: The vcenter will not attempt to use encrypted vmotion.
  • Opportunistic: Will make best attempt to encrypt, if the target supports it, then encryption will occur, if not then the vm will be vmotioned using standard vmotion.
  • Required: VMotion will only occur if the vm can be vmotioned encrypted


To enable encrypted vmotion do the following:

Right click your intended vm > select edit settings

Screenshot at May 15 19-32-20


Select VM Options > Encryption and then select Required

Screenshot at May 15 19-35-00


VMWare vSphere 6.5 EVM Documentation

Scroll to Top