Failed to enable ESXi Host Encryption Mode after upgrading/rebooting with Native Key Provider.
Article ID: 311922

Products

VMware vSphere ESXi VMware vCenter Server

Issue/Introduction

After upgrading or rebooting an ESXi host, enabling ESXi Host Encryption Mode with a Native Key Provider fails.

Environment

VMware vSphere ESXi 7.x
VMware vSphere ESXi 8.x
VMware vSphere vCenter Server 7.x
VMware vSphere vCenter Server 8.x

Cause

By default, when upgrading an ESXi host, the NKP or the associated keys are not deleted.

Generally when this issue arises, the original Native Key Provider that generated the host key has been deleted by the user. If the user then recreates a Native Key Provider with the same name, its KDK and KeyID will not be the same as the original's, so the host key cannot be resolved after the ESXi host has been upgraded or rebooted.

Resolution

To resolve this issue, restore the Native Key Provider using its backup file. Refer to the following for more information - Restore a vSphere Native Key Provider Using the vSphere Client.

Note: Refrain from reusing key provider names unless the key provider is the exact same logical key provider.

Workaround

Warning: Do not reboot the ESXi host at any point in time when applying this workaround as it may render the host and encrypted VMs unusable. 

If the original Native Key Provider cannot be restored, re-key the host key by invoking the hostSystem.configureCryptoKey API from the vCenter MOB with a new default key provider.

  1. Access the vCenter MOB with [email protected]

    https://<vCenterFQDNorIP>/mob/?moid=host-<######>&method=configureCryptoKey

    Note: Replace <vCenterFQDNorIP> and <######> with the appropriate values.

  2. In the window, the default contents under the VALUE section will appear as:

    <!-- optional -->
    <keyId>
       <keyId></keyId>
       <!-- optional -->
       <providerId>
          <id></id>
       </providerId>
    </keyId>

  3. Under <providerId>, enter the name of the new Native Key Provider in the <id> element.

    Example:

    <!-- optional -->
    <keyId>
       <keyId></keyId>
       <!-- optional -->
       <providerId>
          <id>NewNameofNativeKeyProvider</id>
       </providerId>
    </keyId>

  4. Click on Invoke Method to re-key the host key.

  5. Re-encrypt any VMs that were previously encrypted with the original Native Key Provider. 

    Note: Any VMs marked as invalid in the vCenter UI are unrecoverable unless the original Native Key Provider can be restored or an unencrypted version of the virtual machine can be restored from back up.

After re-keying the ESXi host and re-encrypting all virtual machines with the new Native Key Provider, the host may be rebooted.
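The workaround above can also be driven from PowerCLI, which calls the same HostSystem.ConfigureCryptoKey API as the MOB form and lets you verify the result before anything is rebooted. The following script is an added example, not part of this article or of VMware's own tooling. The vCenter address, host name and provider names are assumptions; replace them with your own values.

```powershell
# Added example (not from the KB): re-key the ESXi host key against a new Native Key
# Provider with PowerCLI, using the HostSystem.ConfigureCryptoKey API that the MOB
# step invokes. vCenter/host/provider names below are assumptions.
param(
    [string]$VCenter         = 'vcenter.example.com',          # assumption
    [string]$VMHostName      = 'esxi01.example.com',           # assumption
    [string]$OldProviderName = 'OriginalNKP',                  # assumption: deleted provider
    [string]$NewProviderName = 'NewNameofNativeKeyProvider'    # name from the KB example
)

Connect-VIServer -Server $VCenter | Out-Null

$vmhost   = Get-VMHost -Name $VMHostName
$hostView = $vmhost.ExtensionData

# Record the host crypto state and current key binding before changing anything.
$before = $hostView.Runtime
Write-Host ("before: cryptoState={0} keyId={1} providerId={2}" -f `
    $before.CryptoState, $before.CryptoKeyId.KeyId, $before.CryptoKeyId.ProviderId.Id)

# Same structure the MOB form shows: keyId left empty, providerId.id set to the
# new provider, so vCenter requests a fresh host key from that provider.
$keyId = New-Object VMware.Vim.CryptoKeyId
$keyId.KeyId = ''
$keyId.ProviderId = New-Object VMware.Vim.KeyProviderId
$keyId.ProviderId.Id = $NewProviderName

$hostView.ConfigureCryptoKey($keyId)

# Re-read runtime info and confirm the host key now comes from the new provider.
$hostView.UpdateViewData('Runtime')
$after = $hostView.Runtime
if ($after.CryptoKeyId.ProviderId.Id -ne $NewProviderName) {
    throw "Host key is still bound to provider '$($after.CryptoKeyId.ProviderId.Id)'; do not reboot the host."
}
Write-Host ("after:  cryptoState={0} providerId={1}" -f `
    $after.CryptoState, $after.CryptoKeyId.ProviderId.Id)

# List VMs on this host whose configuration is still encrypted with the old
# provider. These must be re-encrypted with the new provider before any reboot.
Get-VM -Location $vmhost | Where-Object {
    $_.ExtensionData.Config.KeyId -and
    $_.ExtensionData.Config.KeyId.ProviderId.Id -eq $OldProviderName
} | Select-Object Name, @{Name = 'Provider'; Expression = { $_.ExtensionData.Config.KeyId.ProviderId.Id }}
```

The final query is the check for step 5: any VM it lists is still tied to the deleted provider and needs to be re-encrypted (or restored from an unencrypted backup) before the host is rebooted.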