"Host requires encryption mode enabled. Manually recover the missing key" alert on ESXi host


Article ID: 318827


Products

VMware vSphere ESXi, VMware vCenter Server

Issue/Introduction

  • An ESXi host may display the alert:

  Host requires encryption mode enabled. Manually recover the missing key.


  • This can occur in the following situations:
    • After rebooting a host with Host Encryption enabled or when enabling Host Encryption Mode.

    • Following an ESXi host upgrade.

  • The KMS connection is healthy, and other hosts in the environment continue to use encryption without issues.

Environment

  • VMware vSphere ESXi 7.x

  • VMware vSphere ESXi 8.x

  • VMware vCenter Server 7.x

  • VMware vCenter Server 8.x

Cause

This issue occurs due to a mismatch in encryption key information between the ESXi host and vCenter Server.

  • vCenter’s database still indicates that the host’s encryption key (Host_Key) is present.

  • After a reboot, the ESXi host no longer has access to this key.

  • Because of this stale database entry, the host cannot request a new key from the KMS through vCenter.

Resolution

Important: The following procedure involves manual updates to the vCenter Server database.
Any mistakes may cause catastrophic failure of vCenter or result in irrecoverable loss of encrypted VMs.
Proceed with caution and always follow the snapshot best practices before making changes.

1. Preparation

  • Take offline (powered-off) snapshots of all vCenter Servers in the Enhanced Linked Mode (ELM) group before making any database changes.

2. Place Host in Maintenance Mode

  • In vSphere Client, place the affected ESXi host into Maintenance Mode.

3. Verify Host Key Status on ESXi

  1. SSH into the affected ESXi host as root.

  2. Run:
       crypto-util keys getkidbyname "HostKey"

  3. Confirm the output shows:
       crypto-util keys: A key for 'HostKey' has not been established

4. Connect to vCenter Server

  1. SSH into the vCenter Server Appliance (VCSA) as root.

  2. Stop the vpxd service:
       service-control --stop vmware-vpxd

5. Access the vCenter Database

Refer to Interacting with the vCenter Server Appliance 7.0/8.0 embedded vPostgres Database.

  1. Launch the Postgres shell:
       psql -U postgres -d VCDB -h localhost

  2. Identify the host entry and note its id (the LIKE pattern can match more than one host, so confirm that exactly one row is returned and that dns_name is the affected host):
       select id, dns_name, crypto_state, crypto_key_id, crypto_key_provider_id, crypto_enable from vpx_host where dns_name like '%<esxi-host-fqdn>%';

Example Output:

VCDB=# select id, dns_name, crypto_state, crypto_key_id, crypto_key_provider_id, crypto_enable from vpx_host where dns_name like '%esxi.host.fqdn%';
  id   |    dns_name    | crypto_state |              crypto_key_id               | crypto_key_provider_id | crypto_enable
-------+----------------+--------------+------------------------------------------+------------------------+---------------
 12345 | esxi.host.fqdn |            0 | abc********************123************** | key-provider           |             1
(1 row)

6. Clear Stale Encryption Information

Run the update command using the host ID from the previous step:
   update vpx_host set crypto_state=0, crypto_enable=0, crypto_key_id='', crypto_key_provider_id='' where id=<host_id>;

Verify Changes:
   select id, dns_name, crypto_state, crypto_key_id, crypto_key_provider_id, crypto_enable from vpx_host where dns_name like '%<esxi-host-fqdn>%';

Example Output:

VCDB=# select id, dns_name, crypto_state, crypto_key_id, crypto_key_provider_id, crypto_enable from vpx_host where dns_name like '%esxi.host.fqdn%';
  id   |    dns_name    | crypto_state | crypto_key_id | crypto_key_provider_id | crypto_enable
-------+----------------+--------------+---------------+------------------------+---------------
 12345 | esxi.host.fqdn |            0 |               |                        |             0
(1 row)

Exit the Postgres shell:
   \q
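The following script is an added example, not part of this KB article or of any VMware tooling. It performs steps 5.2 through 6 as a single guarded psql transaction instead of separately typed statements: the UPDATE only matches when both the host id and the FQDN agree and the row still references a key, the post-change state is verified in SQL, and the transaction is committed only if exactly one row matches the expected result. It assumes vpxd is already stopped (step 4); the host id and FQDN (12345, esxi.host.fqdn) are the placeholder values from the output above and must be replaced.

```sql
-- Added example (not from the KB): clear a stale Host_Key entry in one guarded
-- psql transaction. Placeholders 12345 / esxi.host.fqdn must be replaced.
-- Usage on the VCSA shell, with vpxd stopped:
--   psql -U postgres -d VCDB -h localhost -v ON_ERROR_STOP=1 -f clear_stale_hostkey.sql
-- With ON_ERROR_STOP set, any SQL error aborts the script and the open
-- transaction is rolled back, so the row is never left half-updated.

\set host_id 12345
\set host_fqdn 'esxi.host.fqdn'

BEGIN;

-- Before: show the row as it is now and lock it for the rest of the transaction.
SELECT id, dns_name, crypto_state, crypto_key_id, crypto_key_provider_id, crypto_enable
  FROM vpx_host
 WHERE id = :host_id
   FOR UPDATE;

-- Clear the stale key fields. The predicate requires BOTH id and FQDN to match
-- and only touches a row that still references a key, so a mistyped id or an
-- already-clean host changes zero rows instead of the wrong host.
UPDATE vpx_host
   SET crypto_state = 0,
       crypto_enable = 0,
       crypto_key_id = '',
       crypto_key_provider_id = ''
 WHERE id = :host_id
   AND dns_name = :'host_fqdn'
   AND coalesce(crypto_key_id, '') <> '';

-- After: exactly one row for this id/FQDN must now match the expected
-- post-change output from step 6. The boolean is stored in psql variable :ok.
SELECT count(*) = 1 AS ok
  FROM vpx_host
 WHERE id = :host_id
   AND dns_name = :'host_fqdn'
   AND crypto_state = 0
   AND crypto_enable = 0
   AND crypto_key_id = ''
   AND crypto_key_provider_id = ''
\gset

\if :ok
  COMMIT;
  \echo 'Stale host key entry cleared; start vpxd with: service-control --start vmware-vpxd'
\else
  ROLLBACK;
  \echo 'Verification failed (no row or an unexpected row matched); nothing was changed'
\endif
```

The `\gset` / `\if` pair is standard psql (version 10 or later) and is the same pattern the psql documentation uses for conditional scripts; keep the SELECT before `\gset` free of a trailing semicolon, since `\gset` terminates the query itself. If the script reports that verification failed, re-run the lookup from step 5.2 and check that the id and FQDN you set match a single host before trying again.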

7. Restart vpxd Service

   service-control --start vmware-vpxd

8. Validate in vSphere UI

  • Log in to the vSphere Client.

  • Confirm that the encryption alert is cleared on the affected host.

  • If Host Encryption is not yet enabled, it can now be enabled manually.

Additional Information

  • Editing the vCenter database is a sensitive operation and should only be performed by experienced administrators.

  • Always take offline (powered-off) snapshots of all vCenter Servers in the Enhanced Linked Mode (ELM) group before making changes.

  • Incorrect database modifications can result in loss of connectivity, corruption, or loss of encrypted VM data.