Configuring Encrypted vMotion With PowerCLI

Posted by Stephan McTighe on 9 Jul 2020

Encrypted vMotion is a feature available from vSphere 6.5 onwards. It is always used to secure vMotions of encrypted virtual machines (for those it is a required setting), but it is optional for non-encrypted virtual machines.

By default, non-encrypted virtual machines are set to ‘opportunistic’. If both the source and destination hosts support it (so ESXi 6.5 onwards), the vMotion will be encrypted. If either the source or the destination does not support it, the vMotion traffic will not be encrypted.

The ‘required’ option is exactly what it says: encrypted vMotion is required. If either the source or destination host does not support it, the vMotion will fail. As I’ve said, encrypted virtual machines have no choice; they have to use encrypted vMotion.

The final option is ‘disabled’, for when you don’t want vMotion traffic for a virtual machine to be encrypted even where both hosts support it.

To view or set this option on either a single virtual machine or all virtual machines, you can use the commands below. Firstly, to view the current settings, run the following. If you want to target a single VM, pass the VM name to Get-VM (for example Get-VM -Name vcsa01).

Get-VM | Select-Object Name, @{Name="vMotionEncryption";Expression={$_.ExtensionData.Config.MigrateEncryption}}

Name   vMotionEncryption
----   -----------------
CentOS opportunistic
vRepDR opportunistic
vcsa01 opportunistic
pho01  opportunistic

Now to change these all to ‘required’ you can run the following:

$VMViews = Get-VM | Get-View
$Config = New-Object VMware.Vim.VirtualMachineConfigSpec
# The mode is assigned directly as a string; no separate enum object is needed.
$Config.MigrateEncryption = "required"
# ReconfigVM() must be called on each view in turn; it cannot be invoked on an array of views.
foreach ($VMView in $VMViews) { $VMView.ReconfigVM($Config) }

You can confirm this by re-running the get command:

Name   vMotionEncryption
----   -----------------
CentOS required
vRepDR required
vcsa01 required
pho01  required

To set them back to opportunistic, use the following:

$VMViews = Get-VM | Get-View
$Config = New-Object VMware.Vim.VirtualMachineConfigSpec
# The mode is assigned directly as a string; no separate enum object is needed.
$Config.MigrateEncryption = "opportunistic"
# ReconfigVM() must be called on each view in turn; it cannot be invoked on an array of views.
foreach ($VMView in $VMViews) { $VMView.ReconfigVM($Config) }

As you can see, they are then back to the default setting.

Name   vMotionEncryption
----   -----------------
CentOS opportunistic
vRepDR opportunistic
vcsa01 opportunistic
pho01  opportunistic

And finally, setting it to ‘disabled’:

$VMViews = Get-VM | Get-View
$Config = New-Object VMware.Vim.VirtualMachineConfigSpec
# The mode is assigned directly as a string; no separate enum object is needed.
$Config.MigrateEncryption = "disabled"
# ReconfigVM() must be called on each view in turn; it cannot be invoked on an array of views.
foreach ($VMView in $VMViews) { $VMView.ReconfigVM($Config) }

Name   vMotionEncryption
----   -----------------
CentOS disabled
vRepDR disabled
vcsa01 disabled
pho01  disabled
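The three per-mode snippets above can be folded into a single audit-and-enforce function. This is an added example, not code from the original post: the function name Set-VMotionEncryptionMode and the report shape are my own, and it assumes an existing Connect-VIServer session. It only reconfigures VMs that differ from the target mode, supports -WhatIf for a dry run, and, when enforcing ‘required’, skips VMs whose current host is older than 6.5, since for those hosts the setting would make vMotions fail rather than secure them.

```powershell
# Added example (hypothetical function; not from the original post).
# Property and method names (ExtensionData.Config.MigrateEncryption,
# VirtualMachineConfigSpec, ReconfigVM) are those used in the post.
function Set-VMotionEncryptionMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet('opportunistic', 'required', 'disabled')]
        [string]$Mode = 'required',
        # Encrypted vMotion needs ESXi 6.5 or later on both ends.
        [version]$MinHostVersion = '6.5.0'
    )

    $report = foreach ($vm in Get-VM) {
        $current = $vm.ExtensionData.Config.MigrateEncryption
        $hostVersion = [version]$vm.VMHost.Version
        $row = [ordered]@{ Name = $vm.Name; Host = $vm.VMHost.Name; Before = $current; After = $current; Action = 'none' }

        if ($current -eq $Mode) {
            # Already compliant (encrypted VMs always report 'required').
            [pscustomobject]$row
            continue
        }
        if ($Mode -eq 'required' -and $hostVersion -lt $MinHostVersion) {
            Write-Warning "$($vm.Name): host $($vm.VMHost.Name) is $hostVersion (< $MinHostVersion); 'required' would make its vMotions fail."
            $row.Action = 'skipped-host-too-old'
            [pscustomobject]$row
            continue
        }

        if ($PSCmdlet.ShouldProcess($vm.Name, "MigrateEncryption '$current' -> '$Mode'")) {
            $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
            $spec.MigrateEncryption = $Mode
            # One view per VM: ReconfigVM() cannot be invoked on an array of views.
            $view = $vm | Get-View
            $view.ReconfigVM($spec)
            $view.UpdateViewData()          # re-read so the report shows the applied value
            $row.After = $view.Config.MigrateEncryption
            $row.Action = 'reconfigured'
        } else {
            $row.Action = 'would-reconfigure' # -WhatIf path
        }
        [pscustomobject]$row
    }
    $report
}

# Dry run first, then apply and review the before/after table.
Set-VMotionEncryptionMode -Mode required -WhatIf
Set-VMotionEncryptionMode -Mode required | Format-Table -AutoSize
```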

Here is a link to the official documentation on Encrypted vMotion for further information - here.

Thanks for reading!