Failed to enable "Host Encryption Mode" in vCenter.

Article ID: 314228


Updated On:

Products

VMware vCenter Server

VMware vSphere ESXi

Issue/Introduction

When the customer attempts to enable "Host Encryption Mode" on a specific ESXi host, an error is reported stating, "Need to configure native key provider."

Environment

vCenter: 7.0.x, 7.0.3

ESXi: 6.7, 7.0.x, 8.0.x

Cause

This issue can occur if the "vpxuser" account lacks sufficient entitlements because the client profile was not updated successfully.

Resolution

Workaround:

The issue can be resolved by temporarily disconnecting and reconnecting the problematic ESXi host.

Additional Information

Impact/Risks:

The customer is unable to enable "Host Encryption Mode."

 

=============================================================

 

  1. Start by checking the vpxd.log file for log patterns similar to the following:
    2023-07-25T05:30:59.755Z error vpxd[04098] [Originator@6876 sub=CryptoManager opID=HB-host-######-########-###-########] Failed to call vAPI to create native key provider with provider ID #### on host [vim.HostSystem:host-128,####]:
    --> {
    -->     "ERROR": {
    -->         "com.vmware.vapi.std.errors.unauthorized": {
    -->             "data": {
    -->                 "OPTIONAL": null
    -->             },
    -->             "error_type": {
    -->                 "OPTIONAL": "UNAUTHORIZED"
    -->             },
    -->             "messages": []
    -->         }
    -->     }
    --> }
    2023-07-25T05:30:59.755Z error vpxd[04098] [Originator@#### sub=CryptoManager opID=HB-host-########-########-###-########] Failed to invoke "Providers.Create" on host ####.
    --> Error:
    -->    com.vmware.vapi.std.errors.unauthorized
    --> No messages!
    -->
    2023-07-25T05:30:59.755Z error vpxd[04098] [Originator@#### sub=CryptoManager opID=HB-host-######-########-###-#######] Failed to create native key provider on host [vim.HostSystem:host-128,####] : N4Vpxd7Langley21UnauthorizedExceptionE(Error:
    -->    com.vmware.vapi.std.errors.unauthorized
    --> No messages!
    --> )
    --> [context]###################################################################################################################################################################################+##############=[/context]
    2023-07-25T06:21:09.362Z error vpxd[16783] [Originator@6876 sub=CryptoManager opID=HB-host-######-#######-###-########] Failed to enable encryption on [vim.HostSystem:host-128,####]: N5Vmomi5Fault12NotSupported9ExceptionE(Fault cause: vmodl.fault.NotSupported
    2023-07-25T06:21:09.364Z error vpxd[16783] [Originator@6876 sub=CryptoManager opID=HB-host-######-#######-###-########] Failed to recover [vim.HostSystem:host-128,####] crypto state from "incapable" to "safe" in [vim.ClusterComputeResource:domain-####,###-##].
    2023-07-25T06:26:11.337Z error vpxd[00834] [Originator@6876 sub=CryptoManager opID=HB-host-######-#######-###-########] Failure enabling host encryption: N3Vim5Fault12NoPermission9ExceptionE(Fault cause: vim.fault.NoPermission
  2. From the support bundle, ensure that the vpxuser account has the SECURITY entitlement.
    # cd etc/vmware/configstore
    # /build/apps/contrib/bin/configstorereader.py config current get -c esx -g authentication -k client_profiles
    <snippet>
    {
        "cs_generated_id": "## ## ## ## ## ##-## ## ## ## ## ## ## ##",
        "subject": {
            "type": "LOCAL_USER",
            "name": "vpxuser"
        },
        "grants": [
            {
                "cs_generated_id": "## ## ## ## ## ##-## ## ## ## ## ## ## ##",
                "resource_type": "ENTITLEMENT",
                "entitlement": "IDENTITY_MGMT"
            },
            {
                "cs_generated_id": "## ## ## ## ## ##-## ## ## ## ## ## ## ##",
                "resource_type": "ENTITLEMENT",
                "entitlement": "READ_ONLY"
            },
            {
                "cs_generated_id": "## ## ## ## ## ##-## ## ## ## ## ## ## ##",
                "resource_type": "ENTITLEMENT",
                "entitlement": "SECURITY"    ### <-- !!
            }
        ]
    },
    <snippet>
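
The two checks above can also be scripted. The following Python is an added example, not part of the original article or of VMware's tooling: it groups the "-->" continuation lines of vpxd.log with their entry before looking for authorization failures from CryptoManager, and it lists the entitlements granted to vpxuser. The function names, the sample data (constructed), and the assumption that client_profiles is a JSON array of objects shaped like the snippet are illustrative.

```python
import json
import re

ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2}T[\d:.]+Z ")
AUTH_MARKER = re.compile(r"unauthorized|NoPermission", re.IGNORECASE)

# Constructed sample modelled on the vpxd.log excerpt above (IDs masked).
SAMPLE_LOG = """\
2023-07-25T05:30:59.755Z error vpxd[04098] [Originator@6876 sub=CryptoManager opID=masked] Failed to invoke "Providers.Create" on host masked.
--> Error:
-->    com.vmware.vapi.std.errors.unauthorized
--> No messages!
2023-07-25T06:21:09.362Z error vpxd[16783] [Originator@6876 sub=CryptoManager opID=masked] Failed to enable encryption on [vim.HostSystem:host-128,masked]: N5Vmomi5Fault12NotSupported9ExceptionE(Fault cause: vmodl.fault.NotSupported
2023-07-25T06:26:11.337Z error vpxd[00834] [Originator@6876 sub=CryptoManager opID=masked] Failure enabling host encryption: N3Vim5Fault12NoPermission9ExceptionE(Fault cause: vim.fault.NoPermission
""".splitlines()

# Constructed sample; assumes client_profiles is a JSON array of such objects.
SAMPLE_PROFILES = json.loads("""[
  {"subject": {"type": "LOCAL_USER", "name": "vpxuser"},
   "grants": [{"resource_type": "ENTITLEMENT", "entitlement": "IDENTITY_MGMT"},
              {"resource_type": "ENTITLEMENT", "entitlement": "READ_ONLY"}]}
]""")

def crypto_auth_failures(lines):
    """Timestamps of CryptoManager errors whose entry (first line plus its
    '-->' continuation lines) carries an authorization-failure marker."""
    entries = []
    for raw in lines:
        line = raw.strip()
        if ENTRY_START.match(line):
            entries.append([line])
        elif entries and line.startswith("-->"):
            entries[-1].append(line)
    return [e[0].split(" ", 1)[0] for e in entries
            if "sub=CryptoManager" in e[0] and " error " in e[0]
            and AUTH_MARKER.search("\n".join(e))]

def granted_entitlements(profiles, user="vpxuser"):
    """Set of entitlements granted to the named LOCAL_USER subject."""
    granted = set()
    for profile in profiles:
        subject = profile.get("subject", {})
        if subject.get("type") == "LOCAL_USER" and subject.get("name") == user:
            granted.update(g["entitlement"] for g in profile.get("grants", [])
                           if g.get("resource_type") == "ENTITLEMENT" and "entitlement" in g)
    return granted

if __name__ == "__main__":
    print("auth failures:", crypto_auth_failures(SAMPLE_LOG))
    print("vpxuser has SECURITY:", "SECURITY" in granted_entitlements(SAMPLE_PROFILES))
```

A host matching this article's cause shows CryptoManager authorization failures in the log while "SECURITY" is absent from the set returned for vpxuser.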