Previously we reviewed some important characteristics and tradeoffs for various encryption at rest solutions for VMware on IBM Cloud. Below are some more detailed decision matrices for encryption both in motion and at rest.

Encryption in motion

SubjectEncryption layerEncryption methodNotes
Application trafficNetwork or lowerNoneThere are no established mesh encryption technologies for VXLAN or Geneve.
TransportTLSThis is normally enabled in application specific configuration. Special care must be taken for many requirements, e.g., to exclude older TLS and SSL versions, exclude vulnerable ciphersuites, enforce the use of appropriate certificates, and use FIPS 140-2 if required.
vSANApplicationNoneUpdate January 2021: Beginning with vSphere 7.0u1, you can enable data–in–transit encryption for host–to–host vSAN traffic.
vMotionApplicationProprietaryThis is enabled in a VM’s options, and can be set to disabled, opportunistic (default), or required.
Site to siteNetworkVMware HCX (IPsec)HCX uses a proprietary and highly efficient layer 2 transport to convey traffic from site to site through one or more IPsec tunnels using NIST Suite B AES-GCM encryption. Site to site vMotion is also supported with WAN optimization of the vMotion traffic.
IPsecIPsec connections between sites can use a variety of solutions, including NSX ESG, FortiGate virtual or physical appliance, or vSRX appliance. Occasionally L2VPN may be used in combination with IPsec. Occasionally this may be combined with GRE encapsulation to alleviate addressing and routing problems.

Encryption at rest

Note that in the table below:

Encryption method
Key manager
Key management
KMS administration
Encryption scope
Encrypted in flight to datastore?
Compatible with
vSAN dedup/compress
Cross-vCenter vMotion
vSphere replication
VMware HCX
HyTrust Cloud Control policies
IBM Cloud Object StorageIBM managed keys (native)n/aIBMIBMAll objectsTLSn/an/an/an/an/an/an/a
IBM Key Protect (KP) or Hyper Protect Crypto Services (HPCS)IBM KP or HPCSCustomerIBMBucketTLSn/an/an/an/an/an/an/a
IBM Cloud storage (Endurance, Performance) × (file, block)IBM managed keys (native)n/aIBMIBMEntire volumeNon/aYesYesYesYesYesNo
vSphere encryptionIBM KP or HPCSCustomerIBMVM diskYesn/aNoYesNoNoYesNo
IBM SKLMCustomerCustomerVM disk


HyTrust Key ControlCustomerCustomerVM diskYesn/aNoYesNoNoYesNo
HyTrust Data ControlHyTrust Key Control with optional HPCSCustomerCustomerVM diskYesn/aYesYesYesYesYesYes
IBM Guardium Data EncryptionGuardiumCustomerCustomerVM diskYesn/aYesYesYesYesYesNo
vSAN storagevSAN encryptionIBM KP or HPCSCustomerIBMvSAN drivesNoYesYesYesYesYesYesNo
IBM SKLMCustomerCustomervSAN drivesNoYesYesYesYesYesYesNo
HyTrust Key ControlCustomerCustomervSAN drivesNoYesYesYesYesYesYesNo
vSphere encryptionIBM KP or HPCSCustomerIBMVM diskYesNoNoYesNoNoYesNo
IBM SKLMCustomerCustomerVM diskYesNoNoYesNoNoYesNo
HyTrust Key ControlCustomerCustomerVM diskYesNoNoYesNoNoYesNo
HyTrust Data ControlHyTrust Key Control with optional HPCSCustomerCustomerVM diskYesNoYesYesYesYesYesYes
IBM Guardium Data EncryptionGuardiumCustomerCustomerVM diskYesNoYesYesYesYesYesNo

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s