Create a replication for encrypted virtual machines

The storage policy drives the encryption for virtual machines. Enable the encryption in the storage policy then assign it to the virtual machine (VM) configuration files and its disks. The replication follows the encryption status. First encrypt the VMs before adding them in the replication.

Prerequisites for the versions in the source and in the destination sites:: For Cloud Director sites, use
vCenter Server
7.0 U2 and later, and
VMware Cloud Director
10.2 and later.

For
vSphere
DR and migration, use
vCenter Server
7.0 U2 and later, and
VMware Cloud Director Availability
4.5 and later in both the source and the destination site.

With
vCenter Server
7.0 U2 and later, you can use an external KMS or
vSphere
® Native Key Provider™. Verify that the backing
vCenter Server
instances in the destination have a KMS with the same name and with access to the same key used to encrypt the source VM.
VMware Cloud Director Availability
then ensures the necessarily encryption keys are pushed to the hosts responsible for the replications.
The prerequisite for the same encryption keys comes from the underlying replication technology and applies for all supported topologies, both Cloud Director sites and for vSphere DR and migration.

Prerequisites for the ESXi hosts in both the source and in the destination sites:: Install the HBR agent VIB in all the
ESXi
hosts. To download the HBR agent VIB file directly from the appliance:
Depending on the appliance type and deployment, from the following URL on the appliance download the:
https://vCenter_Replication_Management_Appliance_Address:8043/hbr-agent.vib
file.
https://Replicator_Appliance_Address/hbr-agent.vib
file.
Alternatively, from the appliance filesystem, download the
/opt/vmware/hbr/vib/vmware-hbr-agent-build_number.i386.vib
file.
After installing the HBR agent, it encrypts the traffic originating from the source
ESXi
host, providing end-to-end encryption. Installing the HBR agent in the destination
ESXi
host allows reversing the replications and the reverse replications traffic is also encrypted end-to-end.
For more information about VIBs and how to install them, see
VIBs, Image Profiles, and Software Depots
in the
VMware ESXi Upgrade Guide
.
Prerequisites for the vCenter Server instances in both the source and in the destination sites:: Configure a key provider in
vSphere
. For more information, see
Virtual Machine Encryption
in the
vSphere Security Guide
:
For
vSphere
7.0 U2 and later, configure a VMware
vSphere
Native Key Provider which does not require an external key server. For more information, see
Configuring and Managing vSphere Native Key Provider
in the
vSphere Security Guide
.
Alternatively, for
vSphere
7.x, configure an external key server, previously known as Key Management Server cluster and ensure that the cluster names match. For information about configuring a standard key provider, see
Set up the Key Management Server Cluster
in the
vSphere Security Guide
.
Use the same key provider for both the source and the destination
vCenter Server
instances. For more information, see
vSphere Native Key Provider Overview
in the
vSphere Security Guide
.
To ensure that both sites use the same vSphere key provider, for example, backup the key provider from site A then restore it and set it as default in site B.

In
vSphere
, the encrypted VMs require an encryption storage policy. For more information, see
Create an Encryption Storage Policy
and
Create an Encrypted Virtual Machine
or
Encrypt an Existing Virtual Machine or Virtual Disk
in the
vSphere Security Guide
.
Prerequisites for cloud sites backed by VMware Cloud Director :: Verify that the same key provider is used in both the source and the destination
vCenter Server
instances. For more information, see
vSphere Native Key Provider Overview
or
Set up the Key Management Server Cluster
in the
vSphere Security Guide
.
Verify that the
Organization Administrator
role has the
vApp: View VM and VM's Disks Encryption Status
right. For more information, see
Rights in Predefined Global Tenant Roles
in the
VMware Cloud Director
Tenant Portal Guide
.
Add the encryption-enabled storage policy to a provider VDC. For more information, see
Add a VM Storage Policy to a Provider Virtual Data Center
in the
VMware Cloud Director
Service Provider Admin Portal Guide
.
Add the encryption-enabled storage policy to an organization VDC. For more information, see
Add a VM Storage Policy to an Organization Virtual Data Center
in the
VMware Cloud Director
Service Provider Admin Portal Guide
.
Create an encrypted VM by applying the encryption-enabled storage policy. Replications for encrypted VMs can only include virtual machines with an encryption-enabled storage policy.
Verify that your session is extended to the site in which the vApps or virtual machines you are about to replicate reside. For more information, see Authenticating to paired remote Cloud Director sites.

With

VMware Cloud Director Availability

4.7.2 and later, you can create the following replications for encrypted objects.

You can replicate a vApp containing both encrypted and non-encrypted VMs.

You can create a replication for an encrypted VM with enabled virtual Trusted Platform Module (vTPM), and with full, partial, or no encryption of the attached storage disks.

You can also create a replication for a non-encrypted VM and encypt the VM as a part of the replication process.

If the replicated VM changes from encrypted to non-encrypted, reestablish the replication by stopping it then starting it.

In the left pane, choose a replication direction.

For a replication between cloud sites backed by

VMware Cloud Director

, choose either an incoming replication from a cloud site, or an outgoing replication to a cloud site.

For

vSphere

DR and migration, encrypted replications support all replication directions and you can choose any replication direction.

To create a replication for encrypted virtual machines, select either new protection or new migration.

Click

All Actions

New Protection

Click

All Actions

New Migration

Complete the

New Replication

wizard.

On the

Source

workload page, select your workloads and click

With

VMware Cloud Director Availability

4.7.2 and later, in a replication for encrypted virtual machines, you can select encrypted and non-encrypted virtual machines.

On the next page, select a storage policy placement for the recovered workloads that shows

Encrypted

in the Encryption capability column, then click

After selecting an encrypted virtual machine, you can only select an encrypted storage policy.

On the

Settings

page, configure the replication settings, then click

With

VMware Cloud Director Availability

4.7.2 and later, in a replication for encrypted virtual machines, you can select both encrypted and non-encrypted disks.

After you replicate a non-encrypted to an encrypted virtual machine, all newly added disks to the destination machine inherit the encrypted storage policy, which encrypts all disks on the VM.

On the

Ready to Complete

page, verify that the replication settings are correct, then click

Finish

The initial synchronization of a replication containing an encrypted virtual machine takes longer to complete than a replication with the same settings that contains a non-encrypted virtual machine with the same hardware.

The new replication that contains only encrypted virtual machines uses encryption for the replication data communication.

Replicating workloads

Content feedback and comments

VMware Cloud Director Availability 4.6

Create a replication for encrypted virtual machines