Create a replication for encrypted virtual
machines
The storage policy drives the encryption for virtual machines. Enable the encryption in the storage policy then assign it to the virtual machine configuration files and its disks. The replication follows the encryption status. First encrypt the virtual machines before adding them in the replication.
- Prerequisites for the versions in the source and in the destination sites:
- ForvSphereDR and migration, usevCenter Server7.0 U2 or later andVMware Cloud Director Availability4.5 or later in both the source and the destination site.
- Alternatively, for cloud sites backed byVMware Cloud Director, usevCenter Server6.7 U3 or later, any supported version ofVMware Cloud Director Availability, andVMware Cloud Director10.1 or later.
- Prerequisites for theESXihosts in both the source and in the destination sites:
- Install the HBR agent VIB in all theESXihosts. To download the HBR agent VIB file directly from the appliance:
- Depending on the appliance type and deployment, from the following URL on the appliance download the:
- https://file.vCenter_Replication_Management_Appliance_Address:8043/hbr-agent.vib
- https://file.Replicator_Appliance_Address/hbr-agent.vib
- Alternatively, from the appliance filesystem, download the/opt/vmware/hbr/vib/vmware-hbr-agent-file.build_number.i386.vib
ESXihost, providing end-to-end encryption. Installing the HBR agent in the destinationESXihost allows reversing the replications and the reverse replications traffic is also encrypted end-to-end.For more information about VIBs and how to install them, see VIBs, Image Profiles, and Software Depots in theVMware ESXi Upgrade Guide. - Prerequisites for thevCenter Serverinstances in both the source and in the destination sites:
- Configure a key provider invSphere. For more information, see Virtual Machine Encryption in thevSphere Security Guide:
- ForvSphere7.0 and later, configure a VMwarevSphere® Native Key Provider™ which does not require an external key server. For more information, see Configuring and Managing vSphere Native Key Provider in thevSphere Security Guide.
- Alternatively, forvSphere6.x or 7.x and cloud sites backed byVMware Cloud Director, configure an external key server, previously known as Key Management Server cluster and ensure that the cluster names match. For information about configuring a standard key provider, see Set up the Key Management Server Cluster in thevSphere Security Guide.
- Use the same key provider for both the source and the destinationvCenter Serverinstances. For more information, see vSphere Native Key Provider Overview in thevSphere Security Guide.To ensure that both sites use the same vSphere key provider, for example, backup the key provider from site A then restore it and set it as default in site B.
- InvSphere, the encrypted virtual machines require an encryption storage policy. For more information, see Create an Encryption Storage Policy and Create an Encrypted Virtual Machine or Encrypt an Existing Virtual Machine or Virtual Disk in thevSphere Security Guide.
- Prerequisites for cloud sites backed byVMware Cloud Director:
- Verify that the same key provider is used in both the source and the destinationvCenter Serverinstances. For more information, see vSphere Native Key Provider Overview or Set up the Key Management Server Cluster in thevSphere Security Guide.
- Verify that theOrganization Administratorrole has thevApp: View VM and VM's Disks Encryption Statusright. For more information, see Rights in Predefined Global Tenant Roles in the.VMware Cloud DirectorTenant Portal Guide
- Add the encryption-enabled storage policy to a provider VDC. For more information, see Add a VM Storage Policy to a Provider Virtual Data Center in the.VMware Cloud DirectorService Provider Admin Portal Guide
- Add the encryption-enabled storage policy to an organization VDC. For more information, see Add a VM Storage Policy to an Organization Virtual Data Center in the.VMware Cloud DirectorService Provider Admin Portal Guide
- Create an encrypted virtual machine by applying the encryption-enabled storage policy. Replications for encrypted virtual machines can only include virtual machines with an encryption-enabled storage policy.
- Verify that your session is extended to the site in which the vApps or virtual machines you are about to replicate reside. For more information, see Authenticating to paired remote cloud sites.
Cannot replicate a
vApp containing both encrypted and non-encrypted virtual machines.
- In the left pane, choose a replication direction.
- For a replication between cloud sites backed byVMware Cloud Director, choose either an incoming replication from a cloud site, or an outgoing replication to a cloud site.
- ForvSphereDR and migration, encrypted replications support all replication directions and you can choose any replication direction.
- To create a replication for encrypted virtual machines, select either new protection or new migration.
- Click .
- Click .
- Complete theNew Replicationwizard.
- In theCloud vApps and VMspage, select only virtual machines that show statusYesin the Encrypted column, and clickNext.In a replication for encrypted virtual machines, select only encrypted virtual machines.
- In theDestination VDC and Storage policypage underStorage policy, select a storage policy that showsEncryptedin the Encryption capability column and clickNext.After selecting an encrypted virtual machine, you can only select an encrypted storage policy.
- In theSettingspage, configure the replication settings and clickNext.
- If in theSettingspage you selectedConfigure Seed VMs, in theSeed VMpage select the seed and clickNext.
- In theReady to Completepage, verify that the replication settings are correct and clickFinish.
The initial synchronization of a replication containing an encrypted virtual machine takes longer to complete than a replication with the same settings that contains a non-encrypted virtual machine with the same hardware.
The new replication that contains only encrypted virtual machines uses encryption for the replication data communication.