VMware Cloud Director Availability Encrypted Replication at 0% Synchronizing and not progressing

Creating VCDA replications is pretty straightforward. For encrypted replications I encountered a few hiccups, so I felt I should document them. VMware does have an article that outlines the prerequisites. The main issue I encountered was getting the hbr-agent.vib installed on the ESXi hosts, along with a repeating error message on vCenter of:

"Invalid configuration for device '1'. Cannot add disk. The disk is unencrypted but a storage policy containing encryption was specifies. Encrypting a disk during add is not supported."

In relation to the error message, VMware now has KB 90780 describing the issue, and I can confirm version 4.5.0.1 resolved the issue for me.

Back to the vib installation. When I tried to use VUM to install the agent, it was showing as compliant.

I created an encrypted replication, which was created fine, but the replication was stuck at 0% Synchronizing and not progressing. From working with VMware support, they confirmed TCP port 32032 outbound is needed to replicate encrypted replications and this was not allowed on the ESXi hosts. The firewall rule is added when hbr-agent is installed. I decided to try to install the agent directly from the host using the following command:

esxcli software vib install -v "https://Replicator_Appliance_Address/hbr-agent.vib"

After a minute the agent was installed and the encrypted replication progressed immediately. As shown in the screenshot, no reboot is required. I did not put the hosts into maintenance mode to install the vib. It did not cause any issues. I wonder whether it is actually just adding an outgoing firewall rule.
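
To check whether a host's firewall already allows the outbound TCP 32032 traffic described above, the following added example (not part of the original post and not VMware code) parses the output of `esxcli network firewall ruleset rule list`. The sample output and the ruleset names in it are constructed placeholders, since the post does not name the ruleset that hbr-agent installs.

```shell
#!/bin/sh
# Port the post says encrypted replication needs outbound from the ESXi host.
PORT=32032

# Read `esxcli network firewall ruleset rule list` output on stdin and print the
# names of rulesets that allow outbound TCP to a destination range containing $1.
rulesets_allowing_outbound_tcp() {
    awk -v port="$1" '
        # Data rows have six fields with numeric port columns;
        # the header row and the dashed separator do not match.
        NF == 6 && $5 ~ /^[0-9]+$/ && $6 ~ /^[0-9]+$/ {
            if ($2 == "Outbound" && $3 == "TCP" && $4 == "Dst" &&
                port + 0 >= $5 + 0 && port + 0 <= $6 + 0 && !seen[$1]++)
                print $1
        }'
}

# Constructed sample output. "exampleReplicationAgent" and "exampleRange" are
# placeholder ruleset names, not names taken from the post or from VMware.
sample_rules() {
    cat <<'EOF'
Ruleset                  Direction  Protocol  Port Type  Port Begin  Port End
-----------------------  ---------  --------  ---------  ----------  --------
sshServer                Inbound    TCP       Dst                22        22
exampleRange             Outbound   TCP       Dst             31000     31100
exampleReplicationAgent  Outbound   TCP       Dst             32032     32032
EOF
}

# On an ESXi host use the live rules; anywhere else fall back to the sample.
if command -v esxcli >/dev/null 2>&1; then
    rules=$(esxcli network firewall ruleset rule list)
else
    rules=$(sample_rules)
fi

found=$(printf '%s\n' "$rules" | rulesets_allowing_outbound_tcp "$PORT")
if [ -n "$found" ]; then
    echo "Outbound TCP $PORT is covered by ruleset(s): $found"
else
    echo "No outbound TCP rule covers port $PORT"
fi
```

A matching rule only takes effect when its ruleset is enabled, which `esxcli network firewall ruleset list` shows in its Enabled column.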
