vMotion failing with error "An encryption key is required"


Article ID: 312389


Products

VMware vSphere ESXi

Issue/Introduction

This article provides information on how to unlock an encrypted virtual machine that is reported as locked.

Symptoms:

  • When performing a vMotion task on a powered-on virtual machine, the following error is displayed:

An encryption key is required. The required key is located on 'KMS'. A key with identifier 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' is required to unlock this virtual machine. The virtual machine is locked.

  • In vpxd.log, entries similar to the following are seen:
DD-MM-YYYY HH:MM info vpxd[20062] [Originator@6876 sub=Default opID=lf2eyxn9-14481775-auto-8me7k-h5:71633895-e2] [VpxLRO] -- ERROR task-3915483
-- vm-1149843 -- vim.VirtualMachine.relocate: vim.fault.EncryptionKeyRequired:
--> Result:
--> (vim.fault.EncryptionKeyRequired) {
-->  faultCause = (vmodl.MethodFault) null,
-->  faultMessage = (vmodl.LocalizableMessage) [
-->    (vmodl.LocalizableMessage) {
-->     key = "msg.hostd.vmState.locked",
-->     arg = <unset>,
-->     message = "The virtual machine is locked."
-->    },
-->    (vmodl.LocalizableMessage) {
-->     key = "msg.hostd.vmState.lockedKeyId",
-->     arg = (vmodl.KeyAnyValue) [
-->       (vmodl.KeyAnyValue) {
-->        key = "1",
-->        value = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
-->       }
-->     ],
-->     message = "A key with identifier 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' is required to unlock this virtual machine."
-->    },
-->    (vmodl.LocalizableMessage) {
-->     key = "msg.hostd.vmState.lockedProviderId",
-->     arg = (vmodl.KeyAnyValue) [
-->       (vmodl.KeyAnyValue) {
-->        key = "1",
-->        value = "NameOfKMS"
-->       }
-->     ],
-->     message = "The required key is located on 'NameOfKMS'."
-->    }
-->  ],
-->  requiredKey = (vim.encryption.CryptoKeyId) [
-->    (vim.encryption.CryptoKeyId) {
-->     keyId = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
-->     providerId = (vim.encryption.KeyProviderId) {
-->       id = "NameOfKMS"
-->     }

Here "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx" is the key identifier, which differs per customer environment, and NameOfKMS is the name given to the KMS (key provider) in vCenter.

  • In the destination host's /var/run/log/kmxa.log, entries similar to the following are seen:


YYYY-MM-DD HH:MM error kmxa[2098421] [Originator@6876 sub=Libs opID=resolveKey-52d9b2fd-cad5-66bd-7cde-185becaff645-23] Trust Authority Components not configured. 
YYYY-MM-DD HH:MM error kmxa[2098421] [Originator@6876 sub=Libs opID=resolveKey-52d9b2fd-cad5-66bd-7cde-185becaff645-23] Failed to decrypt key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/NameOfKMS: Error:
YYYY-MM-DD HH:MM error kmxa[2098421] [Originator@6876 sub=Libs opID=resolveKey-52d9b2fd-cad5-66bd-7cde-185becaff645-23]  com.vmware.vapi.std.errors.error
YYYY-MM-DD HH:MM error kmxa[2098421] [Originator@6876 sub=Libs opID=resolveKey-52d9b2fd-cad5-66bd-7cde-185becaff645-23] Messages:
YYYY-MM-DD HH:MM error kmxa[2098421] [Originator@6876 sub=Libs opID=resolveKey-52d9b2fd-cad5-66bd-7cde-185becaff645-23]  com.vmware.esx.trusted_infrastructure.trust_authority_services.not_configured<Incomplete or missing Trust Authority Components configuration.>
YYYY-MM-DD HH:MM error kmxa[2098421] [Originator@6876 sub=Libs opID=resolveKey-52d9b2fd-cad5-66bd-7cde-185becaff645-23]
YYYY-MM-DD error kmxa[2098421] [Originator@6876 sub=Libs opID=resolveKey-52d9b2fd-cad5-66bd-7cde-185becaff645-23] Failed to resolve key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/NameOfKMS with Trusted Key Provider.


Environment

VMware vSphere 7.0.x

Cause

The virtual machine enters a locked state either if the key is not available on the ESXi host or if vCenter cannot retrieve keys from the KMS.

The key may be unavailable on the ESXi host if the host was removed from and re-added to the cluster, or if the host has connectivity issues with vCenter that in turn disrupt communication with the KMS.

Resolution

Reboot the vCenter Server.

Refer to: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-75758B55-E406-48B0-91F6-3F573459CB9A.html

Workaround:

1. Open the vCenter MOB page for the virtual machine using its managed object ID:

https://<VC_SERVER>/mob/?moid=<OBJECT_ID>

Here OBJECT_ID is the VM's managed object ID (for example, vm-1149843 in the vpxd.log entry above).

2. Search for CryptoUnlock_Task and click it.

3. A new page opens; click "Invoke Method".

After performing the above steps, the VM is unlocked. You can verify this under the VM's Tasks in vCenter.
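The same CryptoUnlock_Task invocation, scripted with VMware PowerCLI as an added example (not part of this KB article) so that the key identifier and key provider the VM needs are recorded before the unlock is attempted. It assumes PowerCLI is installed, the account holds the Cryptographer privileges needed for the unlock, and <VC_SERVER> and <VM_NAME> are placeholders for your environment.

```powershell
# Added example, not from the KB article: scripted equivalent of the MOB
# workaround (CryptoUnlock_Task) with a pre-check of the VM's crypto state.
# Assumptions: VMware PowerCLI is installed and the account has the
# Cryptographer privileges; <VC_SERVER> and <VM_NAME> are placeholders.
function Unlock-LockedEncryptedVm {
    param(
        [Parameter(Mandatory)] [string] $VCenter,
        [Parameter(Mandatory)] [string] $VMName
    )

    Connect-VIServer -Server $VCenter | Out-Null
    try {
        $view = (Get-VM -Name $VMName).ExtensionData

        # Runtime.CryptoState is 'locked' when the host could not obtain the key.
        $state = "$($view.Runtime.CryptoState)"
        if ($state -ne 'locked') {
            Write-Host "$VMName is in crypto state '$state'; nothing to do."
            return
        }

        # Record the key id and provider so they can be matched against the
        # vim.fault.EncryptionKeyRequired entry in vpxd.log and kmxa.log.
        $keyId = $view.Config.KeyId
        Write-Host ("{0} requires key {1} from provider {2}" -f `
            $VMName, $keyId.KeyId, $keyId.ProviderId.Id)

        # Same call as clicking "Invoke Method" on CryptoUnlock_Task in the MOB.
        $taskRef = $view.CryptoUnlock_Task()
        $task = Get-View -Id $taskRef
        while ("$($task.Info.State)" -in @('queued', 'running')) {
            Start-Sleep -Seconds 2
            $task.UpdateViewData()
        }

        if ("$($task.Info.State)" -ne 'success') {
            throw "CryptoUnlock_Task failed: $($task.Info.Error.LocalizedMessage)"
        }

        # Re-read the runtime state to confirm the VM is no longer locked.
        $view.UpdateViewData('Runtime.CryptoState')
        Write-Host "$VMName is now '$($view.Runtime.CryptoState)'."
    }
    finally {
        Disconnect-VIServer -Server $VCenter -Confirm:$false
    }
}

Unlock-LockedEncryptedVm -VCenter '<VC_SERVER>' -VMName '<VM_NAME>'
```

If the task fails with the same EncryptionKeyRequired fault, the host still cannot reach the key provider, and the Cause section above (host connectivity to vCenter and the KMS) applies.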


Additional Information

Impact/Risks:
None


Note: A snapshot of the vCenter VM without memory is still recommended.