Data Center Virtualization Certification：VCP6.5-DCV Exam Guide

上QQ阅读APP看书，第一时间看更新

Configure VM encrypted vMotion

Protecting stored data is only one element of security; you also need to encrypt the network connections. For the infrastructure part, all of the communication between vCenter and the hosts is usually encrypted. However, some other infrastructural network traffic usually is not protected; for example, iSCSI or NFS traffic (and also vMotion, until vSphere 6.5).

As described in Objective 1.2, there is now a new feature to encrypt vMotion traffic.

Encryption of vMotion traffic is per-VM; when the VM is migrated, a one-time 256-bit key is randomly generated by vCenter Server (note that it does not use the KMS).

Settings are per-VM, but only for VMs with virtual hardware 13. You can view or change the settings by right-clicking on the VM and selecting Edit Settings..., then selecting the VM Options tab in the Encrypted vMotion section:

Figure 1.32: Encrypted vMotion settings

The different options are as follows:

Disabled: Do not use encrypted vMotion for this VM.
Opportunistic (default): Use encrypted vSphere vMotion only if the source and destination hosts can support it (ESXi versions 6.5 and later).
Required: Force the use of encrypted vMotion. If the source or destination host does not support encrypted vMotion, then the migration will not be possible.

You can disable vMotion encryption, unless the VM is encrypted; in that case, it is always enforced.

In vSphere 6.5, migration across vCenter Server systems is not supported for encrypted VMs.

For storage vMotion or vMotion without shared storage, the disks are transmitted as they are, as follows:

For encrypted disks, the data is transmitted encrypted.
For disks that are not encrypted, Storage vMotion encryption is not supported.

For more information, see the vSphere 6.5 Security Guide (https://docs.vmware.com/en/VMware-vSphere/6.5/com.vmware.vsphere.security.doc/GUID-E6C5CE29-CD1D-4555-859C-A0492E7CB45D.html).