After upgrading or rebooting an ESXi host, enabling ESXi Host Encryption Mode with a Native Key Provider fails.
Upgrading an ESXi host does not, by itself, delete the Native Key Provider (NKP) or the keys associated with it.
In most cases where this issue occurs, the original Native Key Provider that generated the host key was deleted by a user. Creating a new Native Key Provider with the same name does not bring it back: the new provider has a different Key Derivation Key (KDK) and key ID, so once the ESXi host is upgraded or rebooted and has to obtain its host key again, the key can no longer be resolved.
To resolve this issue, restore the original Native Key Provider from its backup file. For the procedure, see Restore a vSphere Native Key Provider Using the vSphere Client.
Note: Do not reuse a key provider name unless it refers to the exact same logical key provider (for example, one restored from backup).
Warning: Do not reboot the ESXi host at any point while applying the workaround below; doing so may render the host and its encrypted virtual machines unusable.
If the original Native Key Provider cannot be restored, re-key the host by invoking the HostSystem.ConfigureCryptoKey API method from the vCenter Managed Object Browser (MOB), specifying a new default key provider. The MOB presents the method's keyId parameter as the following XML template:
<!-- optional -->
<keyId>
<keyId></keyId>
<!-- optional -->
<providerId>
<id></id>
</providerId>
</keyId>
To re-key against the new provider, set the providerId id to the name of the new Native Key Provider and leave the keyId string empty, as in this filled-in example:
<!-- optional -->
<keyId>
<keyId></keyId>
<!-- optional -->
<providerId>
<id>NewNameofNativeKeyProvider</id>
</providerId>
</keyId>
After the ESXi host has been re-keyed and all virtual machines on it have been re-encrypted with the new Native Key Provider, the host can safely be rebooted.
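The same re-key, scripted end to end with PowerCLI instead of the MOB, as an added example that is not part of this article and not VMware's own tooling. It assumes hypothetical names (vcsa.example.com, esx01.example.com, a new provider called NKP-new) and, like the MOB form above, that naming a provider while leaving the key ID empty makes vCenter generate a fresh key from that provider. For the virtual machines it uses a shallow recrypt (CryptoSpecShallowRecrypt), which rewraps each VM's disk keys under the new provider without rewriting disk data; run it only while the host is still up and the VMs are still unlocked.

```powershell
# Added example, not from the KB article. Re-keys one ESXi host against a new Native Key
# Provider and shallow-recrypts every encrypted VM on it, using the vSphere API objects
# that PowerCLI exposes. The names below are hypothetical: adjust them for your environment.
# Do NOT reboot the host before this completes (see the warning in the article).
param(
    [string]$VCenter     = 'vcsa.example.com',
    [string]$VMHostName  = 'esx01.example.com',
    [string]$NewProvider = 'NKP-new'
)

Connect-VIServer -Server $VCenter | Out-Null

# Pre-flight: the new provider must already exist in vCenter. ListKmipServers with no
# filter returns every key provider cluster, Native Key Providers included.
$si        = Get-View ServiceInstance
$cryptoMgr = Get-View $si.Content.CryptoManager
$providers = $cryptoMgr.ListKmipServers($null)
if (-not ($providers | Where-Object { $_.ClusterId.Id -eq $NewProvider })) {
    throw "Key provider '$NewProvider' does not exist in vCenter; create it first."
}

# Build the same CryptoKeyId the MOB form takes: providerId set, keyId string left empty
# (assumption, as in the article's MOB example) so a new key is generated from that provider.
function New-ProviderKeyId([string]$ProviderName) {
    $keyId = New-Object VMware.Vim.CryptoKeyId
    $keyId.ProviderId = New-Object VMware.Vim.KeyProviderId
    $keyId.ProviderId.Id = $ProviderName
    return $keyId
}

$vmhost   = Get-VMHost -Name $VMHostName
$hostView = Get-View -Id $vmhost.Id -Property Name,Runtime.CryptoKeyId,Runtime.CryptoState

Write-Host ("Host {0}: crypto state {1}, current provider {2}" -f $hostView.Name,
    $hostView.Runtime.CryptoState, $hostView.Runtime.CryptoKeyId.ProviderId.Id)

# Step 1: re-key the host. HostSystem.ConfigureCryptoKey is the call the MOB form invokes.
$hostView.ConfigureCryptoKey((New-ProviderKeyId $NewProvider))
$hostView.UpdateViewData('Runtime.CryptoKeyId')
if ($hostView.Runtime.CryptoKeyId.ProviderId.Id -ne $NewProvider) {
    throw "Host re-key did not take effect; do not reboot. Investigate before continuing."
}
Write-Host ("Host key is now issued by provider {0}" -f $NewProvider)

# Step 2: shallow-recrypt every encrypted VM on the host that still references another
# provider. Config.KeyId is only populated on encrypted VMs.
foreach ($vm in Get-VM -Location $vmhost) {
    $vmView = Get-View -Id $vm.Id -Property Name,Config.KeyId
    if ($null -eq $vmView.Config.KeyId) { continue }                       # not encrypted
    if ($vmView.Config.KeyId.ProviderId.Id -eq $NewProvider) { continue }  # already migrated

    $spec = New-Object VMware.Vim.VirtualMachineConfigSpec
    $spec.Crypto = New-Object VMware.Vim.CryptoSpecShallowRecrypt
    $spec.Crypto.NewKeyId = New-ProviderKeyId $NewProvider
    Write-Host ("Re-keying VM {0} (was provider {1})" -f $vmView.Name, $vmView.Config.KeyId.ProviderId.Id)
    $vmView.ReconfigVM($spec)
}

# Final check: anything still bound to another provider must be fixed before any reboot.
$stale = Get-VM -Location $vmhost |
    ForEach-Object { Get-View -Id $_.Id -Property Name,Config.KeyId } |
    Where-Object { $_.Config.KeyId -and $_.Config.KeyId.ProviderId.Id -ne $NewProvider }
if ($stale) {
    Write-Warning ("Still on another provider, do not reboot yet: {0}" -f ($stale.Name -join ', '))
} else {
    Write-Host "All encrypted VMs on $VMHostName now use $NewProvider; the host can be rebooted."
}
```

The script stops, with the host left un-rebooted, if the host re-key does not show up in Runtime.CryptoKeyId, and its final check only declares the host safe to reboot once no encrypted VM still references the old provider, which is the condition the article sets before a reboot is allowed.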