With the introduction of Secure Agent Communications in 4.11, it is only limited to securing of how host's agent connects to the management server. By default, the libvirtd process listens on tcp and therefore any VM migration from/to such a host is insecure. The same X509 certificates used by the agent provisioned by the CA framework can be used to secure libvirtd process both during the addition of a KVM host and during provisioning/renewal of certificates.