StarWind is a hyperconverged (HCI) vendor with focus on Enterprise ROBO, SMB & Edge

Encryption of VMware vSphere 6.5 virtual machines and vMotion migrations. And their performance

  • January 26, 2017
  • 9 min read
Virtualization Architect. Alex is a certified VMware vExpert and the Founder of VMC, a company focused on virtualization, and the CEO of Nova Games, a mobile game publisher.
Virtualization Architect. Alex is a certified VMware vExpert and the Founder of VMC, a company focused on virtualization, and the CEO of Nova Games, a mobile game publisher.

As many admins of virtual infrastructures know, for the first time ever, VMware vSphere 6.5 received the long awaited encryption feature of both virtual disks content and vMotion hot migrations.

The VMs encryption works based on AES-NI algorithm, and the key management is carried out based on KMIP 1.1 standard. When I/O operation comes to the disk of the virtual machine, it is immediately encrypted on-the-fly, which provides complete security against data security attack.

Not only virtual disks, but also VMX configuration files, snapshot files and all other file objects related to the virtual machine are encrypted.

VM objects encryption is fulfilled externally. This way the guest OS doesn’t have access to the encryption keys. Encrypted virtual machines are always transferred between the ESXi hosts with vMotion, which is also encrypted.

VM encryption manageability

To start virtual machine encryption, an appropriate storage policy should be assigned to it:

 Edit VM Storage Policies

How VM Encryption in VMware vSphere 6.5 works:

  • User assigns VM Encryption policy at the virtual machine level.
  • For the VM, a random key is generated and encrypted with a key from the key manager (KMS key).
  • When VM is switched on, vCenter server receives the key from the Key Manager and sends it to VM encryption Module on ESXi server, which unlocks the key in the hypervisor.
  • Next, all I/O operations are carried out through encryption module, encrypting all input and output SCSI-commands transparently for guest OS.

All those things are compatible with third-party key management systems (and requires one of them) built on standard KMIP of version 1.1 or higher:

VM Encryption How it works

Virtual Machines encryption options

To decrypt virtual machine and then store it in regular format, just set default storage policy (Datastore default).

Also, there is special PowerCLI cmdlets, which can encrypt or decrypt VM and detect which of them are encrypted at the moment. For example, this way you can encrypt VM with default encryption policy in the last PowerCLI update:

vCenter works just as a client in the encryption system. For key handling, Key Management Server (KMS) is used.

who manages vm encryption

In privileges control mechanism, there is now new No Cryptography Administrator role. If it is assigned, the following privileges will be denied to standard administrator:

  • Manage key servers
  • Manage keys
  • Manage encryption policies
  • Console access to encrypted VMs
  • Upload/download encrypted VMs

new role no cryptography administrator

Any external systems working after KMIP standard can be used as KMS:

Key Managers

When using VM encryption, the following things should be considered:

  • Yes, you will definitely need key management system (external Key Management Server).
  • Backup options are supported through Ethernet only (no SAN-to-SAN backup).
  • If you make backup copy for regular backup method, it will be unencrypted, if you recover it – everything will comply with target storage policy (that is, VM can appear to be unencrypted after the recovery).
  • The vCenter server can’t be encrypted itself – otherwise, it couldn’t be switched on at all.
  • Also, the following options are not supported:
    • Suspend/resume
    • VM encryption with snapshots and creation of snapshots for encrypted VMs
    • Serial/Parallel port
    • Content library
    • vSphere Replication

For vMotion, encryption works on the VM-level, and for synchronization data transfer 256-bit encryption keys are used. Encryption of the vMotion traffic works on VMkernel level with widely used algorithm AES-GCM (Advanced Encryption Standard / Galois Counter Mode).

VM options

There are 3 policies for encrypted vMotion:

  • Disabled – switched off.
  • Opportunistic – encryption only in case it is supported by source and target host ESXi, otherwise vMotion will be unencrypted.
  • Required – will certainly be used.

Moving machines between the hosts is fulfilled by the exchange of one-time keys, which are generated and served by vCenter server, rather than KMS.

In general, encryption of virtual machines and vMotion migrations is great stuff, but keep in mind you will need external KMS server for that.

Also, recently VMware published another interesting technical paper VMware vSphere encrypted vMotion architecture, performance, and best practices” on different aspects of mechanism of virtual machines encrypted migration between the hosts.

Experiments described in the open document have proven the following:

  • vSphere 6.5 Encrypted vMotion migration works almost with the same speed vMotion does
  • CPU encryption load is low due to the optimizations made in the vMotion code
  • vSphere 6.5 Encrypted vMotion is the same reliable as regular vMotion

For example, let’s see the testing results of vMotion hot migration performance in enterprise infrastructure for virtual machine with Redis database manager.

vMotion performance

Here is Microsoft SQL Server virtual machine migration for a long distance at varying network latency, which depends on datacenters location:

SQL Server VM Migration Duration

There are several more interesting pictures in the document, but there is only one conclusion – encrypted vMotion almost doesn’t affect virtual infrastructure performance.


Found Alex’s article helpful? Looking for a reliable, high-performance, and cost-effective shared storage solution for your production cluster?
Dmytro Malynka
Dmytro Malynka StarWind Virtual SAN Product Manager
We’ve got you covered! StarWind Virtual SAN (VSAN) is specifically designed to provide highly-available shared storage for Hyper-V, vSphere, and KVM clusters. With StarWind VSAN, simplicity is key: utilize the local disks of your hypervisor hosts and create shared HA storage for your VMs. Interested in learning more? Book a short StarWind VSAN demo now and see it in action!