In vCenter 7.0 Update 1 we have added functionality to vSphere HA to update the key reference count when VMs are moved to a new Host by HA.
Locked VMs can be unlocked from vCenter.
https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vsphere.security.doc/GUID-CB459722-C7B6-4EA3-B8D3-EB44BCF23077.html
Or the PowerCLI cmdlet Unlock-VM can be used to unlock the VMs.
https://developer.vmware.com/docs/powercli/latest/vmware.vimautomation.security/commands/unlock-vm/#Default
Workaround:
In vSphere 6.x, to avoid the VMs becoming LOCKED, re-key the VMs that were failed over by HA before removing the failed host from the cluster.
1) Identify the host which has crashed or become unresponsive and needs to be removed from the cluster, e.g. 'examplehost1.example.com'.
2) Open a console or SSH to the vCSA as root and query the database for the associated key_ids which are owned by the host.
/opt/vmware/vpostgres/current/bin/psql -U postgres -d VCDB
VCDB=# select usage_count,dns_name, host_id, vpx_host_crypto_keys.crypto_key_id from vpx_host_crypto_keys inner join vpx_host on ( vpx_host_crypto_keys.host_id = vpx_host.id) where vpx_host.dns_name = 'examplehost1.example.com';
This will output all associated keys and their usage_count.
 usage_count | dns_name                 | host_id | crypto_key_id
-------------+--------------------------+---------+----------------------
           0 | examplehost1.example.com |    6521 | 0F4xxxxxxxxxxxxx952F
           0 | examplehost1.example.com |    6521 | 404CxxxxxxxxxxxxF963
           1 | examplehost1.example.com |    6521 | 6AxxxxxxxxxxxxxxxxD6
3) If all keys have usage_count = 0 then it is safe to skip the rest of the steps and remove the Host from the Cluster.
4) If there are keys with usage_count greater than 0 then you must identify the VMs which are using them.
Using PowerCLI:
PS C:\Users\xzy> connect-viserver <impacted vCenter name>
PS C:\Users\xzy> get-cluster <impacted cluster name> |get-vm |? {$_.ExtensionData.Config.keyID.keyid -eq '6AxxxxxxxxxxxxxxxxD6'}
Name         PowerState Num CPUs MemoryGB
----         ---------- -------- --------
enc_test_vm  PoweredOff 1        2.000
5) Rekey the impacted VMs
PS C:\Users\xzy> $kp = Get-keyProvider kms_cluster_id
PS C:\Users\xzy> get-vm -name enc_test_vm | set-vm -keyprovider $kp
After that, you can check to see the new keyid of the VM to confirm that it is rekeyed.
PS C:\Users\xzy> Get-SecurityInfo -Entity enc_test_vm
You can also query the usage_count again in VCDB to confirm that examplehost1.example.com has 0 usage count.
6) Remove the host from inventory/cluster
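Steps 4 and 5 above as one PowerCLI script, added here as an example and not part of the KB article: it takes the crypto_key_id values with usage_count > 0 from the VCDB query, rekeys the VMs in the cluster that still use them, and only reports the host as removable once every impacted VM carries a new key id. The server, cluster, key provider and key id values are operator-supplied placeholders.

```powershell
# Added example (not from the KB): rekey every VM in a cluster that still
# references one of the crypto key ids owned by the crashed host, then verify.
# All parameter values are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)] [string]   $VIServer,         # vCenter, e.g. vcsa.example.com
    [Parameter(Mandatory)] [string]   $ClusterName,      # cluster the failed host belonged to
    [Parameter(Mandatory)] [string]   $KeyProviderName,  # e.g. kms_cluster_id
    [Parameter(Mandatory)] [string[]] $KeyIds            # crypto_key_id values with usage_count > 0
)

Connect-VIServer -Server $VIServer | Out-Null

$kp = Get-KeyProvider -Name $KeyProviderName
if (-not $kp) { throw "Key provider '$KeyProviderName' not found on $VIServer" }

# Step 4: VMs whose configured key id is one of the crashed host's keys.
$impacted = Get-Cluster -Name $ClusterName | Get-VM |
    Where-Object { $KeyIds -contains $_.ExtensionData.Config.KeyId.KeyId }

if (-not $impacted) {
    Write-Host "No VMs in '$ClusterName' reference the listed key ids; the host can be removed."
    return
}

# Step 5: rekey each VM against the key provider and confirm the key id changed.
$results = foreach ($vm in $impacted) {
    $oldKey = $vm.ExtensionData.Config.KeyId.KeyId
    Set-VM -VM $vm -KeyProvider $kp -Confirm:$false | Out-Null

    # Re-read the VM object; ExtensionData on the old object is stale.
    $newKey = (Get-VM -Id $vm.Id).ExtensionData.Config.KeyId.KeyId
    [pscustomobject]@{
        VM      = $vm.Name
        OldKey  = $oldKey
        NewKey  = $newKey
        Rekeyed = [bool]($newKey -and $newKey -ne $oldKey)
    }
}

$results | Format-Table -AutoSize

# A VM still on an old key would become LOCKED once the host and its key
# reference are removed, so refuse to call the host removable in that case.
$stillOnOldKey = $results | Where-Object { -not $_.Rekeyed }
if ($stillOnOldKey) {
    Write-Warning "Not rekeyed: $($stillOnOldKey.VM -join ', '). Do not remove the host yet."
    exit 1
}
Write-Host "All impacted VMs rekeyed; re-check usage_count in VCDB, then remove the host."
```

After the script exits cleanly, the VCDB query from step 2 should show usage_count 0 for every key owned by the failed host.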