Enabling transport encryption for VMware data

You can enable transport encryption on VMware to protect VMware data.

IBM Storage Protect Plus 10.1.13 introduces transport encryption to protect VMware data. You can protect the data transport between the vSnap and a remote VADP by enabling transport encryption. If the VADP is running on the vSnap, that path is always protected because it is local file system access.

The VADP on the Open Snap Store Manager (OSSM) does not have transport encryption. OSSM does not support remote VADP.

Review the following considerations and options:
VM Backup
When you back up VMware data, the VADP reads the data from the data store and sends it to vSnap. IBM Storage Protect Plus transport encryption does not apply to the data store connection. To use encrypted network-based transport for the path between the data store and the VADP proxy, you must set the VMware transport mode. The transport mode is defined in System Configuration > VADP > Proxy Options > Transport Modes. VMware transport modes such as SAN, HotAdd, and NBDSSL are considered secure. The NBD transport mode does not support transport encryption.
Note: Ensure that the network between the data store (TODO or ESX) and VADP is secure.
VMware streaming restore
The same recommendations apply as for backups. Streaming restore is the default configuration for VMware production and clone restore operations.
VMware non-streaming restore
Non-streaming restore operations use NFS datastore mounts for instant disk access, VM file restore, and test restore. NFS can only be secure in a separate, non-routable network, separated either physically or through VLAN tagging.