"TPM Encryption Recovery Key Backup" warning alarm in vCenter Server
search cancel

"TPM Encryption Recovery Key Backup" warning alarm in vCenter Server

book

Article ID: 323401

calendar_today

Updated On: 03-28-2025

Products

VMware vSphere ESXi

Issue/Introduction

  • Starting with vSphere 7.0 U2, all ESXi hosts that have a TPM 2.0 enabled device will start using TPM to encrypt the host configuration.
  • It’s possible that the host may not be able to complete booting due to host configuration encryption-related problems, see Boot time failures due to ESX configuration encryption. In such cases, the host’s configuration may be restored by going through the configuration recovery process.
  • Error in /var/log/hostd.log in ESXi host 
    In(166) Hostd[2099022]: [Originator@6876 sub=AdapterServer opID=HB-host-####@97-6672bc06-WorkQueue-183ee450-070c sid=#####af6 user=vpxuser] AdapterServer caught exception; <<#####af6-aa21-f205-####-####bc8dc574, <TCP '127.0.0.1 : 8307'>, <TCP '127.0.0.1 : 53007'>>, ha-internal-tpm20-manager, vim.host.InternalTpm20Manager.quote, <vim.version.v8_0_3_0, internal, 8.0.3.0>,
[N11HostdCommon18VmomiAdapterServer19ActivationResponderE:0x00000096642014f8]>, N3Vim5Fault22TpmTrustNotEstablished9ExceptionE(Fault cause: vim.fault.TpmTrustNotEstablished
    In(166) Hostd[2099022]: [Originator@6876 sub=Solo.Vmomi opID=HB-host-####@97-6672bc06-WorkQueue-183ee450-070c sid=#####af6 user=vpxuser] Throw vim.fault.TpmTrustNotEstablished
In(166) Hostd[2099022]: [Originator@6876 sub=Solo.Vmomi opID=HB-host-####@97-6672bc06-WorkQueue-183ee450-070c sid=#####af6 user=vpxuser] Result:
In(166) Hostd[2098999]: --> (vim.fault.TpmTrustNotEstablished) {
In(166) Hostd[2098999]: -->    msg = "",
In(166) Hostd[2098999]: --> }
  • Adding an ESXi host to vCenter Server triggers the “TPM Encryption Recovery Key Backup” warning alarm if:
    • TPM 2.0 is enabled
    • The environment is Sphere 7.0U2 (or later)



Environment

VMware vSphere 7.0.x
VMware vSphere 8.0.x

Resolution

To resolve this issue:

             1. Confirm if the host is using TPM 2.0 for encrypting host configuration  

      1. Run esxcli system settings encryption get on the host
      2. If the mode is NONE, then this could be a false positive, go to step 3 
      3. If the mode is TPM, then proceed to Step 2 

             2.  Note down the recovery key when mode is TPM 

      1. Run esxcli system settings encryption recovery list on the host.  
      2. Save the output in a secure, remote location as a backup, in case it must recover the secure configuration

             3. After completing the above steps, reset the alarm: 

      1. In vCenter web client, select the host. 
      2. Reset the alarm, see Reset Triggered Event Alarms . The alarm can also be reset from the host summary page. 
      3. In Monitor tab, select Issues and Alarms 
      4. Right-click on the alarm and select Reset to Green

 

Powered by Wolken Software