Method and Apparatus for Dynamically Creating Encryption Rules
US-2015379280-A1 · Dec 31, 2015 · US
US10445509B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10445509-B2 |
| Application number | US-201414320573-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 30, 2014 |
| Priority date | Jun 30, 2014 |
| Publication date | Oct 15, 2019 |
| Grant date | Oct 15, 2019 |
Abstract
For a host that executes one or more guest virtual machines (GVMs), some embodiments provide a novel encryption method for encrypting the data messages sent by the GVMs. The method initially receives a data message to send for a GVM executing on the host. The method then determines whether it should encrypt the data message based on a set of one or more encryption rules. When the process determines that it should encrypt the received data message, it encrypts the data message and forwards the encrypted data message to its destination; otherwise, the method just forwards the received data message unencrypted to its destination. In some embodiments, the host encrypts the data messages of different GVMs executing on the host differently. When two different GVMs are part of two different logical overlay networks that are implemented on a common network fabric, the method in some embodiments encrypts the data messages exchanged between the GVMs of one logical network differently from the data messages exchanged between the GVMs of another logical network. In some embodiments, the method can also encrypt different types of data messages from the same GVM differently. Also, in some embodiments, the method can dynamically enforce encryption rules in response to dynamically detected events, such as malware infections.
Claims (preview)
We claim:

1. A method of encrypting messages on a computer on which a plurality of virtual machines (VMs) execute, the method comprising: at a plurality of ports of a software forwarding element, identifying data messages transmitted by the plurality of VMs along the datapaths of the VMs to the software forwarding element, the software forwarding element executing on the computer to perform forwarding operations that forward the data messages to their destinations outside of the computer; from each port, forwarding each identified data message to an encryptor, which is assigned from a plurality of encryptors to the port and the port's associated VM from which the data message was transmitted, that (1) determines whether the data message should be encrypted by analyzing a set of header values of the data message, (2) encrypts the data message upon determining that the data message should be encrypted and foregoes encryption of the data message upon determining that the data message should not be encrypted, and (3) returns the data message to its assigned port from which the data message was forwarded to the encryptor, wherein the plurality of encryptors comprises a separate encryptor assigned to each port and its associated VM; and providing each returned data message from the port to which the data message was returned to the software forwarding element to forward the returned data message to the data message's destination outside of the computer.

2. The method of claim 1, wherein determining that the data message should be encrypted comprises using the set of header values of the data message to identify an encryption rule that specifies that the data message should be encrypted.

3. The method of claim 2, wherein at least one encryptor comprises a first encryption rule that specifies a first encryption parameter to use to encrypt data messages of a first data message flow that is from the encryptor's assigned VM to a first destination and a second encryption rule that specifies a second encryption parameter to use to encrypt data messages of a second data message flow that is from the encryptor's assigned VM to a second destination, wherein the second encryption parameter is for encrypting data messages differently from the first encryption parameter.

4. The method of claim 2, further comprising, after a particular encryptor of a particular port determines that a data message of a particular data message flow should not be encrypted, foregoing forwarding subsequent data messages of the particular data message flow to the particular encryptor.

5. The method of claim 2, wherein at least one encryptor comprises a first encryption rule that specifies that a first data message flow that is from the encryptor's assigned VM to a first destination should be encrypted and a second encryption rule that specifies that a second data message flow that is from the encryptor's assigned VM to a second destination should not be encrypted.

6. The method of claim 5, wherein the first destination is in the same secure logical network as the encryptor's assigned VM and the first data message flow comprises a secure communication, and the second destination is not in the same secure logical network as the encryptor's assigned VM and the second data message flow does not require secure communication.

7. A host computer for executing a plurality of virtual machines (VMs), the host comprising: an encryption agent for receiving encryption configuration data from a set of controllers; a plurality of ports of a software forwarding element that identify data messages in data message flows sent from the plurality of VMs, the plurality of ports executing along the datapaths of the plurality of VMs to the software forwarding element, the software forwarding element executing on the host to perform forwarding operations that forward the data messages to destinations outside of the computer; and a plurality of encryptors assigned to the plurality of ports and the ports' associated VMs from which it receives data messages, each encryptor for (1) receiving identified data messages forwarded from an assigned port, (2) using the received encryption configuration data to determine whether to encrypt each identified data message received based on header values of the data message, (3) encrypting each identified data message received that has to be encrypted per the received encryption configuration data and foregoing encryption of each identified data message received that does not have to be encrypted, and (4) providing to the assigned port the encrypted or unencrypted data messages for the port to provide the data messages to the software forwarding element to forward the data messages to their destinations outside of the host computer.

8. The host of claim 7, wherein the plurality of encryptors includes one encryptor for each of at least two groups of related VMs that execute on the host, at least one group comprising at least two VMs, wherein each encryptor determines whether each data message flow from a VM in its group of VMs has to be encrypted, and encrypts each data message in a data message flow when the encryptor determines that the data message flow should be encrypted.

9. The host of claim 7, wherein the plurality of encryptors includes a separate encryptor for each port and its associated VM executing on the host, wherein each port forwards identified data messages to its assigned encryptor (1) to determine whether each data message flow from the encryptor's corresponding VM has to be encrypted, and (2) to encrypt each data message in a data message flow which the encryptor determines should be encrypted.

10. The host of claim 9, wherein the encryption configuration data comprises identity information of at least one key manager to contact in order to retrieve encryption keys.

11. The host of claim 10, wherein the encryption configuration data further comprises encryption key identifiers of the encryption keys that need to be retrieved.

12. The host of claim 9, wherein the encryption configuration data comprises encryption key identifiers of encryption keys that need to be retrieved.

13. The host of claim 7, wherein the plurality of encryptors includes first and second encryptors respectively for first and second VMs executing on the host, wherein the first encryptor determines that data messages from the first VM have to be encrypted, while the second encryptor determines that data messages from the second VM do not have to be encrypted.

14. The host of claim 13, wherein the first encryptor determines that the first-VM data messages should be encrypted and the second encryptor determines that the second-VM data messages should not be encrypted by comparing the header values of the first-VM messages and the second-VM messages with corresponding attributes of a set of encryption rules in order to find a matching encryption rule.

15. The host of claim 9, wherein the encryption configuration data comprises encryption policies that the encryption agent needs to resolve in order to generate encryption rules for the plurality of encryptors to enforce.

16. The host of claim 15, wherein the generated encryption rules are a first set of encryption rules, wherein the encryption configuration data further comprises a second set of encryption rules for the plurality of encryptors to enforce.

17. The host of claim 9, wherein the encryption configuration data comprises encryption rules that the plurality of encryptors needs to enforce.

18. The host of claim 7, wherein the plurality of encryptors are fur
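The per-port encryptor of claims 1 and 4 and the per-network and dynamic rules of the abstract, modelled as an added example that is not the patent's or any product's code. Names, the rule schema, the `version` mechanism and the topology in `build_ports` are assumptions; the cipher itself is abstracted to the key id a matching rule would select.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Message:          # the header values an encryptor inspects
    src_vm: str
    dst: str
    proto: str

@dataclass(frozen=True)
class Rule:             # None is a wildcard; the first matching rule in an encryptor wins
    dst: object
    proto: object
    encrypt: bool
    key_id: str = None  # distinct keys give per-network / per-message-type encryption
    def matches(self, m):
        return self.dst in (None, m.dst) and self.proto in (None, m.proto)

class Encryptor:        # per-VM rule set; the cipher is abstracted to the key id it would use
    def __init__(self, rules):
        self.rules, self.version = list(rules), 0
    def add_rule(self, rule):
        # Dynamic enforcement (e.g. a detected infection): prepend so the new rule wins.
        self.rules.insert(0, rule)
        self.version += 1
    def process(self, m):
        rule = next((r for r in self.rules if r.matches(m)), None)
        key = rule.key_id if rule and rule.encrypt else None
        return {"encrypted": key is not None, "key_id": key, "to": m.dst}

class Port:             # one port of the software forwarding element, with its own encryptor
    def __init__(self, encryptor):
        self.encryptor = encryptor
        self.clear_flows = {}  # flow -> rule version under which it was judged 'clear'
    def send(self, m):
        flow = (m.src_vm, m.dst, m.proto)
        # Claim 4: a flow judged 'no encryption' skips the encryptor afterwards, but only
        # while the rule set is unchanged, so a dynamically added rule is not bypassed.
        if self.clear_flows.get(flow) == self.encryptor.version:
            return {"encrypted": False, "key_id": None, "to": m.dst}
        result = self.encryptor.process(m)
        if not result["encrypted"]:
            self.clear_flows[flow] = self.encryptor.version
        return result

def build_ports():
    # Constructed topology: vm-a shares logical network 'green' with vm-c, vm-b shares
    # 'blue' with vm-d; anything else (e.g. 'internet') leaves in the clear.
    port_a = Port(Encryptor([Rule("vm-c", None, True, "key-green"), Rule(None, None, False)]))
    port_b = Port(Encryptor([Rule("vm-d", None, True, "key-blue"), Rule(None, None, False)]))
    return port_a, port_b
```

The version check in `Port.send` is the detail worth noticing: a flow cache that shortcuts the encryptor (claim 4) must be invalidated when a rule is added at runtime, or a quarantine rule pushed after an infection is detected would never see the already-cached flows.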
CPC classification titles:
- using a plurality of keys or algorithms
- eliminating virus, restoring damaged files
- wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- Apparatus or methods whereby a given sequence of signs, e.g. an intelligible text, is transformed into an unintelligible sequence of signs by transposing the signs or groups of signs or by replacing them by others according to a predetermined system (cryptographic typewriters G09C3/00)
- Isolation or security of virtual machine instances