Unable to power on an encrypted virtual machine
Article ID: 328352

Products

VMware vSphere ESXi

Issue/Introduction

This article describes a workaround for powering on an encrypted virtual machine that has become locked because its encryption key can no longer be obtained from the key management server (KMS).

Symptoms:

  • The encrypted virtual machine cannot be powered on.
  • After a host reboot, the virtual machine is reported as locked by the crypto utility because the host no longer holds its encryption key.
  • The encrypted virtual machine shows as Invalid in the inventory.

Environment

VMware vSphere ESXi 7.x
VMware vSphere ESXi 8.x

Cause

After a host reboot, the host must fetch the virtual machine's encryption key from the KMS again before it can unlock the VM. The key cannot be retrieved, and the VM stays locked, when:

  • The KMS server is offline.
  • The KMS server has been reset (the key it served is no longer available).

Resolution

To work around this issue:

  1. Find the host key (the KMS key, shown as the keyID) that was used to encrypt the virtual machine's disk by running this command against the VMDK:

    crypto-util disk describe <path_to_VMDK>

    For example : crypto-util disk describe TestVM.vmdk

    disk: 'TestVM.vmdk' is encrypted.
    disk: Disk encryption keyID is 'vmware:key/fqid/<VMWARE-NULL>/HyTrust%2dCluster/############%2dd8c1%2d11e6%2d8558%2d005#########

    In the above example, the host key is vmware:key/fqid/<VMWARE-NULL>/HyTrust%2dCluster/############%2dd8c1%2d11e6%2d8558%2d005######### (the value printed as the keyID).
     
  2. Log in over SSH (for example with PuTTY) to another ESXi host in the same cluster that is configured against the same KMS server and has not been rebooted since the KMS became unavailable.

  3. Run this command to check whether that host still holds the host key needed to read the affected VMDK:

    crypto-util keys iskeyincache <key_ID>

    Note: The output is either YES or NO. Repeat the check on other hosts in the cluster until one answers YES. If no host answers YES, this workaround does not apply; the key must be obtainable from the KMS again before the virtual machine can be unlocked.

    For example:

    crypto-util keys iskeyincache 'vmware:key/fqid/<VMWARE-NULL>/HyTrust%2dCluster/############%2dd8c1%2d11e6%2d8558%2d005#########

    YES

  4. Log in directly to the ESXi host where the VM is registered (using the Host Client or the ESXi shell, not vCenter Server) and unregister the VM.
  5. Log in directly to the other host, the one that answered YES in step 3, and register the VM there.
  6. Power on the VM on that host.
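    The following script is an added example, not VMware's own tooling, that automates steps 1 to 3 from the ESXi shell: it reads the keyID out of the crypto-util disk describe output and asks the host whether that key is in its cache. The register and power-on helper uses vim-cmd, which is this example's choice of tool; the article itself only says to register the VM directly on the host. The VM and datastore paths are hypothetical, and the sample keyID used in comments is constructed.

```shell
#!/bin/sh
# Added example (not VMware's code). Run in the ESXi shell on each candidate
# host; crypto-util and vim-cmd are the stock ESXi tools. Paths are hypothetical.

# Parse 'crypto-util disk describe' output on stdin and print the key ID found
# between the quotes on the "Disk encryption keyID is" line. Tolerates a missing
# closing quote (the article's sample output is truncated). Returns 1 when the
# disk is not encrypted, i.e. no keyID line is present.
extract_key_id() {
    sed -n "s/^disk: Disk encryption keyID is '\([^']*\)'\{0,1\}$/\1/p" | grep .
}

# Returns 0 when this host answers YES for the given key ID, 1 otherwise.
key_in_cache() {
    [ "$(crypto-util keys iskeyincache "$1" 2>/dev/null)" = "YES" ]
}

# Steps 1-3 for one VMDK: print the key ID and say whether this host can use it.
# Exit status: 0 = key cached here, 1 = not cached, 2 = disk not encrypted.
check_vmdk() {
    vmdk=$1
    key_id=$(crypto-util disk describe "$vmdk" | extract_key_id) || {
        echo "$vmdk: not encrypted (or describe failed)"
        return 2
    }
    echo "$vmdk: keyID $key_id"
    if key_in_cache "$key_id"; then
        echo "$(hostname): key is in cache, the VM can be registered and powered on here"
        return 0
    fi
    echo "$(hostname): key NOT in cache, do not register the VM here"
    return 1
}

# Steps 5-6, run only on the host that answered YES: register the VMX directly
# on the host (not through vCenter Server) and power the VM on. Step 4 on the
# original host is the reverse: 'vim-cmd vmsvc/unregister <vmid>', with the
# vmid taken from 'vim-cmd vmsvc/getallvms'.
register_and_power_on() {
    vmx=$1    # e.g. /vmfs/volumes/datastore1/TestVM/TestVM.vmx (hypothetical path)
    vmid=$(vim-cmd solo/registervm "$vmx") || return 1
    vim-cmd vmsvc/power.on "$vmid"
}

# Usage: sh check_encrypted_vm.sh /vmfs/volumes/datastore1/TestVM/TestVM.vmdk
if [ -n "${1:-}" ]; then
    check_vmdk "$1"
fi
```

    Run the script with the VMDK path on each host in turn; only a host that reports the key as cached is a valid target for steps 4 to 6. The parser deliberately accepts a keyID line without a closing quote so it also works on copied output like the truncated sample above.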

Additional Information

Impact/Risks:
Do not remove the VM from the inventory and re-add it through vCenter Server. Doing so locks the VM permanently. Unregister and register the VM only by logging in directly to the ESXi hosts, as described in steps 4 and 5.