"TPM Encryption Recovery Key Backup" warning alarm in vCenter Server
search cancel

"TPM Encryption Recovery Key Backup" warning alarm in vCenter Server

book

Article ID: 323401

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Starting with vSphere 7.0 U2, all ESXi hosts that have a TPM 2.0 enabled device will start using TPM to encrypt the host configuration.

It’s possible that the host may not be able to complete booting due to host configuration encryption related problems, see Boot time failures due to ESX configuration encryption. In such cases, the host’s configuration may be restored by going through the configuration recovery process.

Symptoms:
Adding an ESXi host to vCenter Server triggers the “TPM Encryption Recovery Key Backup” warning alarm if:
  • TPM 2.0 is enabled
  • The environment is Sphere 7.0U2 (or later)


Environment

VMware vSphere 7.0.x

Resolution

To resolve this issue:
  1. Confirm if your host is using TPM 2.0 for encrypting host configuration  
    1. Run esxcli system settings encryption get on the host
    2. If the mode is NONE, then this could be a false positive, go to step 3 
    3. If the mode is TPM, then proceed to Step 2 
 
  1. Note down the recovery key when mode is TPM 
    1. Run esxcli system settings encryption recovery list on the host.  
    2. Save the output in a secure, remote location as a backup, in case you must recover the secure configuration
  1. After completing the above steps, reset the alarm: 
    1. In vCenter web client, select the host. 
    2. Reset the alarm, see Reset Triggered Event Alarms . The alarm can also be reset from the host summary page. 
    3. In Monitor tab, select Issues and Alarms 
    4. Right-click on the alarm and select Reset to Green