Unable to add vTPM on virtual machine or enable host encryption on standalone host. Error: The host does not support Native Key Provider.
Article ID: 369538

Products

VMware vCenter Server

Issue/Introduction

Adding a vTPM to a virtual machine, or configuring the host key for host encryption, with vSphere Native Key Provider (NKP) on a standalone ESXi host fails with one of the following errors:

Task Name: Reconfigure virtual machine OR Configure the host key
Status: A general runtime error occurred. Key provider <key provider name> is not compatible with host <host-fqdn> Reason: "the host does not support Native Key Provider."

Or

Task Name: Reconfigure virtual machine OR Configure the host key
Status: A general runtime error occurred. Key provider <key provider name> is not compatible with host <host-fqdn> Reason: "The host does not support Native Key Provider because it is not in a cluster."

The corresponding entries in /var/log/vmware/vpxd/vpxd.log on the vCenter Server:

[YYYY-MM-DDTHH:MM] error vpxd[16918] [Originator@6876 sub=CryptoManager opID=lw6e2al5-xxxx-auto-1c8u-h5:xxxxxxxx-84] [vim.HostSystem:<host-moid>,<host-fqdn>] is not compatible with key provider TestKeyProvider: native key providers not supported.
[YYYY-MM-DDTHH:MM] error vpxd[16918] [Originator@6876 sub=CryptoManager opID=lw6e2al5-xxxx-auto-1c8u-h5:xxxxxxxx-84] Trusted Key Provider is not compatible with host: com.vmware.vim.vpxd.encryption.NativeKeyProviderNotSupported
[YYYY-MM-DDTHH:MM] info vpxd[16918] [Originator@6876 sub=Default opID=lw6e2al5-xxxx-auto-1c8u-h5:xxxxxxxx-84] [VpxLRO] -- ERROR task-48721 -- <host-moid> -- vim.HostSystem.configureCryptoKey: vmodl.RuntimeFault:
--> Result:
--> (vmodl.RuntimeFault) {
-->    faultCause = (vmodl.MethodFault) null,
-->    faultMessage = (vmodl.LocalizableMessage) [
-->       (vmodl.LocalizableMessage) {
-->          key = "com.vmware.vim.vpxd.encryption.kmsNotCompatibleWithHost",
-->          arg = (vmodl.KeyAnyValue) [
-->             (vmodl.KeyAnyValue) {
-->                key = "keyProviderId",
-->                value = "TestKeyProvider"
-->             },
-->             (vmodl.KeyAnyValue) {
-->                key = "host",
-->                value = "<host-fqdn>"
-->             },
-->             (vmodl.KeyAnyValue) {
-->                key = "reason",
-->                value = "vim.vpxd.encryption.NativeKeyProviderNotSupported"
-->             }
-->          ],
-->          message = <unset>
-->       }
-->    ]
-->    msg = ""
--> }
--> Args:
-->
--> Arg keyId:
-->

Environment

vCenter Server 8.x
vCenter Server 7.x

Cause

Native Key Provider (NKP) is supported only on ESXi hosts that are members of a cluster. A standalone host (one whose parent in the vCenter inventory is not a cluster) therefore cannot use NKP for vTPM or VM encryption, and vCenter rejects the key provider as incompatible with that host (fault reason NativeKeyProviderNotSupported).

Resolution

To resolve the issue, add the host to a cluster:

  • Create a cluster in vCenter.
  • Ensure EVC mode and HA/DRS settings are configured as needed.
  • Add your ESXi host into that cluster.

Once the host is in a cluster and the Native Key Provider (NKP) is available to it, edit the VM settings and add the vTPM device, or retry the host key configuration for host encryption.

For instructions on adding an ESXi host to a cluster, see Adding Hosts to a Cluster.
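
The following PowerCLI script is an added example and is not part of this article: it checks whether the host is standalone by inspecting its parent object in the vCenter inventory, moves it into a cluster (creating the cluster if needed), and then adds a vTPM to a powered-off VM. It assumes PowerCLI 12.x or later and that a Native Key Provider is already configured on the vCenter; the vCenter, host, cluster and VM names are placeholders.

```powershell
# Added example (not from the KB article). Placeholder names; adjust for your environment.
param(
    [string]$VCenter     = 'vcsa.example.local',    # placeholder
    [string]$HostName    = 'esxi01.example.local',  # placeholder
    [string]$ClusterName = 'NKP-Cluster',           # placeholder
    [string]$VMName      = 'win11-01'               # placeholder
)

Connect-VIServer -Server $VCenter | Out-Null

$vmhost = Get-VMHost -Name $HostName

# A clustered host's parent in the inventory is a ClusterComputeResource; a standalone
# host's parent is a plain ComputeResource. This is the condition vCenter reports as
# "The host does not support Native Key Provider because it is not in a cluster."
if ($vmhost.ExtensionData.Parent.Type -ne 'ClusterComputeResource') {
    Write-Host "$HostName is standalone; moving it into cluster $ClusterName"

    $cluster = Get-Cluster -Name $ClusterName -ErrorAction SilentlyContinue
    if (-not $cluster) {
        $datacenter = Get-Datacenter -VMHost $vmhost
        # HA, DRS and EVC are not prerequisites for NKP; enable them here as your environment needs
        # (for example: -HAEnabled:$true -DrsEnabled:$true).
        $cluster = New-Cluster -Name $ClusterName -Location $datacenter
    }

    # The host keeps its registered VMs; with DRS in fully automated mode they may be rebalanced.
    Move-VMHost -VMHost $vmhost -Destination $cluster -Confirm:$false | Out-Null
    $vmhost = Get-VMHost -Name $HostName
}

if ($vmhost.ExtensionData.Parent.Type -ne 'ClusterComputeResource') {
    throw "$HostName is still not in a cluster; NKP cannot be used on it"
}

# A vTPM can only be added while the VM is powered off, and the VM must use EFI firmware.
$vm = Get-VM -Name $VMName
if ($vm.PowerState -ne 'PoweredOff') {
    throw "$VMName must be powered off before a vTPM can be added"
}
if (-not (Get-VTpm -VM $vm -ErrorAction SilentlyContinue)) {
    New-VTpm -VM $vm | Out-Null
}

# Show the resulting device; the reconfigure task would have failed on a standalone host.
Get-VTpm -VM $vm

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

The parent-type check is the same condition that causes the error in this article, so running it before New-VTpm turns the generic "runtime error" into an explicit precondition failure. The same membership requirement applies before configuring the host key for host encryption.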

Additional Information