How to Migrate an oversized Encrypted server on ESXi

Due to encryption, you cannot perform migration of the "useful" part of the disk only with tools that look at the VM from the "outside". This includes vMotion, Veeam B&R, and such.

The only thing that comes to my mind is the migration performed with the free VMware converter: this allows you to perform a "P2V" live migration by looking at the VM from the "inside".

Install it on a Windows VM that can reach both the VM and the ESXi host, select to migrate a "powered on" Linux machine, and supply the root credentials of both the VM and ESXi host. It will log in to the machine and perform the migration from the "inside", seeing that the disks are a few GB full, and transferring only these. I suspect that if you select "infrastructure" the converter will try to take advantage of the fact that the VM is already in the infrastructure, and that's bad in your specific case.

Never tried this at home nor in production with an encrypted disk, but I performed a P2V live migration with 1TB disk from a physical host to an ESXi host, and the migration via 1GbE took only around 40m, while the estimated raw time to transfer a full 1TB of data over a GB link is around 3 hours, so it performed something like a file-by-file type copy.


So, this was the best scenario after the P2V failed.

  1. Make a copy VM on the destination with working LVM encryption.
  2. Make a second VM and mount the encrypted LVM on it at /mnt. This is important so that the server itself is not running.
  3. Copy keys between the servers for the root users to prevent access issues.
  4. Run the following command:

    rsync -aHxvK --numeric-ids --progress --exclude=/etc/fstab --exclude=/etc/crypttab --exclude=/etc/initramfs-tools/conf.d/* --exclude=/etc/network/* --exclude=/mnt/* --exclude=/dev/* --exclude=/proc/* --exclude=/sys/* --exclude=/tmp/* --exclude=/boot/* --exclude=/root/*   [email protected]:/* /mnt/
    

This will copy most of the non-changing files and give you a functioning "copy" of the server. Most of this rsync is shown in a few guides online, but I found that /etc/crypttab is needed for encrypted volumes or it doesn't boot, and initramfs is needed or you get console spam on boot.

Once this is done, you schedule a short downtime, shut down major services like database and web servers, and do a final transfer of those directories before bringing up and transferring endpoints to the new server.
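
The following is an added example, not part of either answer above: a guard around the rsync step that hashes the destination's own boot and encryption configuration (the paths the `--exclude` list is meant to protect) before the sync and confirms afterwards that none of them were overwritten. The function names and the source-host argument are hypothetical; the rsync flags and excludes are the ones from the answer.

```sh
#!/bin/sh
# Added example (not from the answer). Protected paths mirror the answer's
# --exclude list; function names and the source-host argument are hypothetical.
PROTECTED="etc/fstab etc/crypttab etc/initramfs-tools/conf.d etc/network boot"

# Print "sha256  path" for every regular file under the protected paths of $1.
snapshot_protected() {
    (
        cd "$1" || exit 1
        for p in $PROTECTED; do
            if [ -e "$p" ]; then find "$p" -type f -exec sha256sum {} +; fi
        done | LC_ALL=C sort -k2
    )
}

# Return 0 if the protected files under $1 still match snapshot file $2;
# otherwise print a unified diff of the changed entries and return 1.
verify_protected() {
    now=$(mktemp) || return 2
    snapshot_protected "$1" > "$now" || { rm -f "$now"; return 2; }
    if diff -u "$2" "$now"; then rc=0; else rc=1; fi
    rm -f "$now"
    return "$rc"
}

# Snapshot the mounted target $2, run the answer's rsync from host $1,
# then verify that the target's boot/crypto config is unchanged.
guarded_sync() {
    snap=$(mktemp) || return 2
    snapshot_protected "$2" > "$snap" || { rm -f "$snap"; return 2; }
    rsync -aHxvK --numeric-ids --progress \
        --exclude='/etc/fstab' --exclude='/etc/crypttab' \
        --exclude='/etc/initramfs-tools/conf.d/*' --exclude='/etc/network/*' \
        --exclude='/mnt/*' --exclude='/dev/*' --exclude='/proc/*' \
        --exclude='/sys/*' --exclude='/tmp/*' --exclude='/boot/*' \
        --exclude='/root/*' "root@$1:/*" "$2/" || { rm -f "$snap"; return 3; }
    if verify_protected "$2" "$snap"; then rc=0; else rc=1; fi
    rm -f "$snap"
    return "$rc"
}
```

Call `guarded_sync <source-host> /mnt` for both the initial copy and the final transfer during the downtime window; a non-zero return means the target's fstab, crypttab, initramfs or network configuration changed and should be restored before the new VM is booted.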