Techniques are disclosed for securing traffic flowing across multi-tenant virtualized infrastructures using group key-based encryption. In one embodiment, an encryption module of a virtual machine (VM) host intercepts layer 2 (L2) frames sent via a virtual NIC (vNIC). The encryption module determines whether the vNIC is connected to a “secure wire,” and invokes an API exposed by a key management module to encrypt the frames using a group key associated with the secure wire, if any. Encryption may be performed for all frames from the vNIC, or according to a policy. In one embodiment, the encryption module may be located at a layer farthest from the vNIC, and encryption may be transparent to both the VM and a virtual switch. Unauthorized network entities which lack the group key cannot decipher the data of encrypted frames, even if they gain access to such frames.