Encrypted Core Dump Following ESXi Host PSOD – Explanation and Resolution

Article ID: 374266


Products

VMware vSphere ESXi

Issue/Introduction

Following a Purple Screen of Death (PSOD) event on an ESXi host, the core dump was found to be encrypted. This is expected behavior in environments where vSphere Virtual Machine Encryption is enabled.

Environment

VMware vSphere ESXi 7.x and later versions

Cause

When vSphere Virtual Machine Encryption is enabled, ESXi core dumps are automatically encrypted to protect sensitive customer data. This includes the core dumps bundled within vm-support packages. As a result, any diagnostic information collected from the host may also be encrypted.

Resolution

If a core dump is found to be encrypted, it must be manually decrypted before analysis. Customers or administrators can perform the decryption using the following steps:


1. SSH into the affected ESXi host.

2. Check if the core dump is encrypted:

   crypto-util envelope describe --offset 4096 /var/core/vmkernel-zdump.1

3. If the dump is confirmed to be encrypted, extract (decrypt) the core file:

   crypto-util envelope extract --offset 4096 /var/core/vmkernel-zdump.1 /var/core/unenc-vmkernel-zdump.1

Once decrypted, the file located at /var/core/unenc-vmkernel-zdump.1 can be safely uploaded for support and analysis.
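
The describe and extract steps above, applied to every dump in /var/core, as an added example that is not part of the original article or VMware's own tooling. The function name decrypt_zdumps, the variables CRYPTO_UTIL and CORE_DIR, and the umask 077 setting are choices made for this example, and it assumes crypto-util exits non-zero when describe or extract fails.

```shell
#!/bin/sh
# Added example, not VMware code: runs the describe/extract steps on every dump.
# Assumption: crypto-util exits non-zero when describe or extract fails.
CRYPTO_UTIL="${CRYPTO_UTIL:-crypto-util}"   # overridable so the logic can be tested off-host
CORE_DIR="${CORE_DIR:-/var/core}"

decrypt_zdumps() {
    old_umask=$(umask)
    umask 077   # decrypted dumps hold plaintext kernel memory: owner-only files
    for enc in "$CORE_DIR"/vmkernel-zdump.*; do
        [ -f "$enc" ] || continue              # glob matched nothing
        out="$CORE_DIR/unenc-${enc##*/}"
        if [ -e "$out" ]; then
            echo "skip, already extracted: $out" >&2
            continue
        fi
        # Step 2: is there an encryption envelope at offset 4096?
        if ! "$CRYPTO_UTIL" envelope describe --offset 4096 "$enc" >&2; then
            echo "skip, no envelope reported: $enc" >&2
            continue
        fi
        # Step 3: extract (decrypt); never leave a partial output behind
        if "$CRYPTO_UTIL" envelope extract --offset 4096 "$enc" "$out" >&2; then
            echo "$out"                        # stdout: one decrypted path per line
        else
            rm -f "$out"
            echo "extract failed: $enc" >&2
        fi
    done
    umask "$old_umask"
}

decrypt_zdumps
```

Diagnostics go to stderr, so the paths printed on stdout can be fed straight to whatever collects the files for upload.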

Further Information:

For more details on this behavior and managing encrypted core dumps, please refer to VMware's official documentation:

🔗 vSphere Virtual Machine Encryption and Core Dumps – TechDocs
