Error: "CreateKey failed on key provider" when enabling host encryption

Article ID: 375099

Products

VMware vCenter Server

Issue/Introduction

  • Enabling host encryption after a successful KMS configuration on vCenter fails with the following error message:

    A general runtime error occurred. Cannot generate key. CreateKey failed on key provider error code: QLC_ERR_GENERAL_ERROR. Check log for details

  • The vCenter log /var/log/vmware/vpxd/vpxd.log contains entries similar to the following:

YYYY-MM-DDTHH:MM:SSZ error vpxd[06545] [Originator@6876 sub=CryptoManagerKmipWrapper opID=lv5da6ns-1348088-auto-sw6x-h5:70295756-51] Failed to create key on KMS-Server:5696 - Server Error:Invalid Message, Explanation:Some requested operations (EXPORT) is not allowed by policy
-->
YYYY-MM-DDTHH:MM:SSZ info vpxd[18454] [Originator@6876 sub=vpxLro opID=b1333e3e-dd17-443d-95ec-7cfec90ede4e Authz-33] [VpxLRO] -- BEGIN lro-407527276 -- AuthorizationManager -- vim.AuthorizationManager.hasUserPrivilegeOnEntities -- 52cce906-9d8e-4ec2-484a-e85ac7b9e982(52754c5d-1562-5d98-b381-77d1bbda83a1)
YYYY-MM-DDTHH:MM:SSZ info vpxd[18454] [Originator@6876 sub=UserDirectorySso opID=b1333e3e-dd17-443d-95ec-7cfec90ede4e Authz-33] GetUserInfoInternal(#\#, false) res: NAMXXX\xxxxxxxxxxxxxx
YYYY-MM-DDTHH:MM:SSZ info vpxd[18454] [Originator@6876 sub=vpxLro opID=b1333e3e-dd17-443d-95ec-7cfec90ede4e Authz-33] [VpxLRO] -- FINISH lro-407527276
YYYY-MM-DDTHH:MM:SSZ warning vpxd[06545] [Originator@6876 sub=CryptoManager opID=lv5da6ns-1348088-auto-sw6x-h5:70295756-51] Failed to generate key on key provider KMS-Server, error 7:
--> Reason:
--> Failed to generate key on KMS KMS-Server: QLC_ERR_GENERAL_ERROR
--> Custom attribites: (null)
-->

Environment

vCenter Server 7.0U3O

Cause

'Failed to create key' indicates that vCenter attempted to create a key on the specified KMS server but was unsuccessful.

The KMS server rejected the request as invalid under its own policy: the log entry states that the requested EXPORT operation is not allowed by policy.

Resolution

The error points to an issue between the vCenter and the KMS server.

  • Review the KMS configuration
  • Enable the EXPORT operation on the KMS server
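
To see which KMS endpoints are returning this policy denial and how often, the shell function below summarises the matching CryptoManagerKmipWrapper entries in a vpxd log. It is an added example, not part of the original article; the function names, the kms-a.example and kms-b.example hosts, the timestamps and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count KMIP "not allowed by policy" denials per KMS endpoint.

# kmip_policy_denials FILE
# Prints "count endpoint operation" for every distinct endpoint/operation pair
# found in CryptoManagerKmipWrapper "Failed to create key" entries.
kmip_policy_denials() {
    grep 'sub=CryptoManagerKmipWrapper' "$1" |
    sed -n 's/.*Failed to create key on \([^ ]*\) - Server Error:.*(\([A-Z_]*\)) is not allowed by policy.*/\1 \2/p' |
    LC_ALL=C sort | uniq -c | awk '{print $1, $2, $3}'
}

# write_sample FILE
# Writes constructed log lines modelled on the format shown in this article.
write_sample() {
    cat > "$1" <<'EOF'
2024-01-01T10:00:00.000Z error vpxd[06545] [Originator@6876 sub=CryptoManagerKmipWrapper opID=op-1] Failed to create key on kms-a.example:5696 - Server Error:Invalid Message, Explanation:Some requested operations (EXPORT) is not allowed by policy
2024-01-01T10:00:00.100Z warning vpxd[06545] [Originator@6876 sub=CryptoManager opID=op-1] Failed to generate key on key provider kms-a, error 7:
--> Failed to generate key on KMS kms-a: QLC_ERR_GENERAL_ERROR
2024-01-01T10:05:00.000Z info vpxd[18454] [Originator@6876 sub=vpxLro opID=op-2] [VpxLRO] -- FINISH lro-1
2024-01-01T10:07:00.000Z error vpxd[06545] [Originator@6876 sub=CryptoManagerKmipWrapper opID=op-3] Failed to create key on kms-a.example:5696 - Server Error:Invalid Message, Explanation:Some requested operations (EXPORT) is not allowed by policy
2024-01-01T10:09:00.000Z error vpxd[06545] [Originator@6876 sub=CryptoManagerKmipWrapper opID=op-4] Failed to create key on kms-b.example:5696 - Server Error:Invalid Message, Explanation:Some requested operations (EXPORT) is not allowed by policy
EOF
}

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
kmip_policy_denials "$sample"
rm -f "$sample"
```

On the vCenter appliance, run it against the log path given above: `kmip_policy_denials /var/log/vmware/vpxd/vpxd.log`. An endpoint that still appears after the KMS policy change has not picked up the new setting.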