Encrypted vMotion has been asked about for YEARS. It’s here now in vSphere 6.5! And, like VM Encryption, we’ve taken a different approach than you might think. We don’t actually encrypt the vMotion network. What we DO encrypt is the data going over the vMotion network. At the time of migration, a 256-bit key and 64-bit Nonce are created by vCenter. This is a one-time-use key and is not persisted!
- what is the impact of the encryption on vMotion performance, especially at load ? Since its symmetric encryption (OTP Key would suggest that) it should light on CPU but still.
- Joined up thinking between network and vm admins is key here. If the network already encrypts this would be silly to implement so “The best part is you don’t have to ask your network team to do anything!” would be doubling down on stupid.
- Network encryption should lower latency (hardware acceleration) and perform better (remember, don’t ask your network team anything)
- Security is a top down thing. If you are bothering to encrypt at all, everything should be encrypted not just the vMotion. Thats kind of pointless if all other data is in the clear.
No doubt someone will implement it pointlessly. Remember, “The best part is you don’t have to ask your network team to do anything!”
vSphere 6.5 Security Product Walkthroughs – VMware vSphere Blog : https://blogs.vmware.com/vsphere/2017/01/vsphere-6-5-security-product-walkthroughs.html