Here is a “VMware HCX Secure Hybridity” diagram from a few years ago. (I’ve updated some icons for this blog post, but it is otherwise unchanged.) This diagram highlights how HCX is able to align with “encryption everywhere” strategies:

The core takeaway is this:
It is possible to achieve “encryption everywhere” and secure workload mobility by leveraging VMware vSAN-based data-at-rest encryption, vMotion Encryption for intra-cluster mobility, and HCX for in-flight encryption (with all migration types).
In this post, I want to clarify the level of HCX encryption interoperability (leave no doubts about what works and what doesn’t). As bonus material 🤷🏻♂️ I’m adding Visio & OmniGraffle editable files for the diagram above at the bottom of the post.
Encrypted vMotion (vSphere 6.5+)
What is it?
Encrypted vMotion (when enabled for a VM) applies during a VM migration within a cluster at the source or destination environment. vCenter Server creates a one-time 256-bit crypto key and supplies it to the hosts, which use AES-GCM (FIPS) encryption to secure the vMotion stream.
Does it work with HCX?
Yes! HCX is interoperable with Encrypted vMotion as there is no need to integrate with an external KMS. The mode of operation is explained in the HCX User Guide:
“HCX vMotion defaults to Opportunistic mode for per-VM vMotion Encryption (if it is set to Required). During the migration operation – the mode is changed to Opportunistic during the migration initialization, and then set back to Required after the migration is completed.”
Refresher on what the states are:

The temporary adjustment applies to any HCX Mobility Agent operations (HCX vMotion and Replication-Assisted vMotion).
vSAN Encryption (vSAN 6.6+)
What is it?
vSAN can perform data at rest encryption. Data is encrypted after all other processing, such as deduplication, is performed. Data at rest encryption protects data on storage devices, in case a device is removed from the cluster. Using encryption on your vSAN datastore requires some preparation.
Does it work with HCX?
Yes! vSAN Encryption is friendly to cluster functions; HCX vSphere Replication and vMotion based operations are fully interoperable.
Virtual Machine Encryption (vSphere 6.5+)
What is it?
With vSphere Virtual Machine Encryption, you can create encrypted virtual machines and encrypt existing virtual machines. Because all virtual machine files with sensitive information are encrypted, the virtual machine is protected. Only administrators with encryption privileges can perform encryption and decryption tasks.
Does it work with HCX?
vSphere VM Encryption is not currently supported with VMware HCX migrations, but it is being explored for a future release.
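Two behaviours described in this post can be checked around a migration wave: the temporary Required-to-Opportunistic switch for Encrypted vMotion, and VM Encryption not being supported. The following is an added example, not VMware or HCX code; it audits constructed inventory snapshots in which `migrateEncryption` and `keyId` mirror the vSphere API VM config properties, while the snapshot layout, function names and VM names are assumptions.

```python
# Added example: audit VM inventory snapshots taken before and after an HCX migration.
# "migrateEncryption" / "keyId" mirror vSphere VM config properties; the dict
# layout, function names and sample VMs are assumptions made for illustration.
MODES = {"disabled", "opportunistic", "required"}

def preflight(inventory):
    """Classify VMs before a migration wave."""
    report = {"blocked": [], "temporary_downgrade": [], "ok": []}
    for name, cfg in sorted(inventory.items()):
        mode = cfg["migrateEncryption"]
        if mode not in MODES:
            raise ValueError(f"{name}: unknown vMotion encryption mode {mode!r}")
        if cfg.get("keyId"):
            # vSphere VM Encryption in use: not supported with HCX migrations
            report["blocked"].append(name)
        elif mode == "required":
            # HCX switches to Opportunistic for the migration, then back to Required
            report["temporary_downgrade"].append(name)
        else:
            report["ok"].append(name)
    return report

def postcheck(before, after):
    """List migrated VMs whose Required mode was not restored afterwards."""
    drift = []
    for name in preflight(before)["temporary_downgrade"]:
        now = after.get(name)
        if now is None:
            drift.append((name, "missing from post-migration inventory"))
        elif now["migrateEncryption"] != "required":
            drift.append((name, f"mode is {now['migrateEncryption']}"))
    return drift

# Constructed sample snapshots (not real inventory data)
BEFORE = {
    "app01": {"migrateEncryption": "required", "keyId": None},
    "db01": {"migrateEncryption": "required", "keyId": "kms-key-placeholder"},
    "web01": {"migrateEncryption": "opportunistic", "keyId": None},
    "web02": {"migrateEncryption": "required", "keyId": None},
}
AFTER = {
    "app01": {"migrateEncryption": "required", "keyId": None},
    "web01": {"migrateEncryption": "opportunistic", "keyId": None},
    "web02": {"migrateEncryption": "opportunistic", "keyId": None},
}

if __name__ == "__main__":
    print(preflight(BEFORE))
    print(postcheck(BEFORE, AFTER))
```

Any VM reported by `postcheck` should be set back to Required before the migration wave is treated as complete.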
Related Information
Decrypt an Encrypted Virtual Machine or Virtual Disk
Enable or Disable vSphere vMotion
Enable Data-at-Rest Encryption on a New vSAN Cluster
—
Hope this was useful to you. Blessings and success in everything you do!🥂
“Good Gabe”