"TPM Encryption Recovery Key Backup" warning alarm present in host summary page

Article ID: 323401

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • Starting with vSphere 7.0 U2, ESXi hosts with an enabled TPM 2.0 device use the TPM to encrypt the host configuration (the secure ESXi configuration).
    NOTE: For hosts unable to complete booting because of host configuration encryption problems, see ESXi boot failures due to system configuration issues.

  • Adding an ESXi host to vCenter Server triggers the "TPM Encryption Recovery Key Backup" warning alarm if:
    • TPM 2.0 is enabled on the host
    • The environment is vSphere 7.0 U2 or later

  • Entries similar to the following appear in /var/log/hostd.log on the ESXi host: the vCenter Server call to vim.host.InternalTpm20Manager.quote fails with vim.fault.TpmTrustNotEstablished

    In(166) Hostd[2099022]: [Originator@6876 sub=AdapterServer opID=HB-host-####@97-6672bc06-WorkQueue-183ee450-070c sid=#####af6 user=vpxuser] AdapterServer caught exception; <<#####af6-aa21-f205-####-####bc8dc574, <TCP '127.0.0.1 : 8307'>, <TCP '127.0.0.1 : 53007'>>, ha-internal-tpm20-manager, vim.host.InternalTpm20Manager.quote, <vim.version.v8_0_3_0, internal, 8.0.3.0>,
    [N11HostdCommon18VmomiAdapterServer19ActivationResponderE:0x00000096642014f8]>, N3Vim5Fault22TpmTrustNotEstablished9ExceptionE(Fault cause: vim.fault.TpmTrustNotEstablished
    In(166) Hostd[2099022]: [Originator@6876 sub=Solo.Vmomi opID=HB-host-####@97-6672bc06-WorkQueue-183ee450-070c sid=#####af6 user=vpxuser] Throw vim.fault.TpmTrustNotEstablished
    In(166) Hostd[2099022]: [Originator@6876 sub=Solo.Vmomi opID=HB-host-####@97-6672bc06-WorkQueue-183ee450-070c sid=#####af6 user=vpxuser] Result:
    In(166) Hostd[2098999]: --> (vim.fault.TpmTrustNotEstablished) {
    In(166) Hostd[2098999]: -->    msg = "",
    In(166) Hostd[2098999]: --> }


Environment

ESXi 7.x
ESXi 8.x

Resolution

To resolve this issue:

  1. Confirm whether the host is using TPM 2.0 to encrypt its configuration
      1. Run the following on the ESXi host:
        esxcli system settings encryption get
      2. If Mode is NONE, the host configuration is not TPM-encrypted and the alarm is a false positive; go to step 3.
      3. If Mode is TPM, proceed to step 2.

  2. Record the recovery key when Mode is TPM
      1. Run the following:
        esxcli system settings encryption recovery list
      2. Save the Recovery ID and Key in a secure location off the host (for example, a password manager or secrets vault), in case the secure configuration must be recovered later. The recovery key is the only way to restore the encrypted configuration if the TPM can no longer unseal it, and anyone holding it can decrypt the host configuration, so treat it as a secret: do not leave it on the host's own datastore or in shell history or tickets. If the key may have been exposed, rotate it with esxcli system settings encryption recovery rotate and back up the new key.

  3. After completing the above steps, reset the alarm:
      1. In the vSphere Client, select the host.
      2. On the Monitor tab, select Issues and Alarms > Triggered Alarms.
      3. Right-click the "TPM Encryption Recovery Key Backup" alarm and select Reset to Green. The alarm can also be reset from the host Summary page; see Reset Triggered Event Alarms.
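The following script is an added example, not part of this article or of the ESXi product. It wraps steps 1 and 2 of the resolution in POSIX sh (the ESXi shell is BusyBox ash) so the check can be run over SSH against many hosts and the recovery key never lands in a world-readable file. The esxcli commands and the Mode field are the ones the article uses; the sample output embedded below is constructed from the documented field names, and the exact column layout of `recovery list` is an assumption. The live part runs only when `esxcli` is present and the script is invoked with `--run`.

```shell
#!/bin/sh
# Added example (not from the KB article): script steps 1-2 of the resolution.
# Constructed sample output, modelled on the documented field names (layout is
# an assumption); used to demonstrate the parsers without a live host.
SAMPLE_GET_TPM='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'
SAMPLE_GET_NONE='   Mode: NONE
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: false'
SAMPLE_RECOVERY_LIST='Recovery ID                              Key
---------------------------------------  ---
{11111111-2222-3333-4444-555555555555}   0000-1111-2222-3333-4444-5555-6666-7777-8888'

# Extract the Mode value (NONE or TPM) from `esxcli system settings encryption get`
# output read on stdin.
encryption_mode() {
    awk -F': *' '/^[[:space:]]*Mode:/ { gsub(/[[:space:]]+/, "", $2); print $2; exit }'
}

# Map the mode to the KB decision: NONE -> false positive, just reset the alarm;
# TPM -> back the recovery key up first; anything else -> investigate, do not reset.
action_for_mode() {
    case "$1" in
        NONE) echo "RESET_ALARM" ;;
        TPM)  echo "BACKUP_KEY_THEN_RESET" ;;
        *)    echo "UNKNOWN_MODE" ;;
    esac
}

# Count key rows in `esxcli system settings encryption recovery list` output
# (stdin): skip the two header lines, count non-empty lines.
recovery_key_count() {
    awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
}

# Write stdin (the recovery list output) to $1 readable by the owner only.
# The recovery key decrypts the host configuration, so it must never be created
# world-readable, even briefly; umask 077 applies at file creation time.
save_recovery_keys() {
    dest=$1
    ( umask 077; cat > "$dest" ) || return 1
    chmod 600 "$dest"
}

# Offline demonstration on the constructed samples.
demo() {
    echo "TPM sample  -> mode=$(printf '%s\n' "$SAMPLE_GET_TPM" | encryption_mode)"
    echo "NONE sample -> mode=$(printf '%s\n' "$SAMPLE_GET_NONE" | encryption_mode)"
    echo "Keys in sample list: $(printf '%s\n' "$SAMPLE_RECOVERY_LIST" | recovery_key_count)"
}

# Live procedure: run on the ESXi host (or over SSH) with --run.
main() {
    command -v esxcli >/dev/null 2>&1 || { echo "esxcli not found; run on the ESXi host" >&2; return 1; }
    mode=$(esxcli system settings encryption get | encryption_mode)
    echo "Host configuration encryption mode: $mode"
    case "$(action_for_mode "$mode")" in
        BACKUP_KEY_THEN_RESET)
            # /tmp is only a staging area: copy the file off-host, then delete it.
            out="/tmp/$(hostname)-recovery-key.txt"
            esxcli system settings encryption recovery list | save_recovery_keys "$out" || return 1
            echo "Saved $(recovery_key_count < "$out") recovery key(s) to $out; move it off-host, then reset the alarm."
            ;;
        RESET_ALARM)
            echo "Mode is NONE: the alarm is a false positive; reset it in vCenter." ;;
        *)
            echo "Unexpected mode '$mode'; investigate before resetting the alarm." >&2; return 1 ;;
    esac
}

if [ "${1:-}" = "--run" ]; then main; else demo; fi
```

Run `sh backup_tpm_recovery_key.sh` anywhere to see the parsers work on the constructed samples, and `sh backup_tpm_recovery_key.sh --run` on the ESXi host to perform the check and key backup. Moving the staged file to a vault and deleting it from the host is still a manual step, as in the article.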