A runtime error occurred in the vSphere Replication Management Server. Exception details: 'there are VMCrypt keys not accessible at the destination site'.

Article ID: 388826

Products

VMware Site Recovery Manager 8.x

Issue/Introduction

Configuring replication for an encrypted VM fails with an error message saying that the encryption keys do not exist in the destination vCenter.

A runtime error occurred in the vSphere Replication Management Server. Exception details: 'there are VMCrypt keys not accessible at the destination site'.

Environment

VMware Site Recovery Manager 8.x

Cause

Primary and Secondary Site KMS Cluster names are different.

When configuring replication for an encrypted VM, the VM should be able to retrieve the same Key Encryption Key (KEK) from the secondary KMS Cluster. When the KMS Cluster name differs between the two sites, the secondary site cannot access the KEK used at the primary site, which causes the configuration to fail.

Resolution

Configure the same KMS cluster on both the primary and secondary sites.

Steps to encrypt VMs using a Standard Key Provider:

  • Navigate to Primary VC → Configure → Security → Key Providers
  • Select → Add → Add Standard Key Provider
  • Enter the name, ID, IP address and port number (5696) for the key provider, clear "Use key provider only with TPM protected ESXi hosts" and add the key provider.
  • Make sure the created key provider is set as default.
  • On the Secondary VC, enter the same name, ID, IP address and port number (5696) for the key provider.
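
A pre-flight check for the condition described above, as an added example that is not part of the original article or any VMware tooling: it compares key provider definitions from both sites and reports names missing on the secondary or endpoints that differ. The inventory layout (`name`, `servers`), the provider names and the addresses are constructed assumptions; populate the lists from your own export of each vCenter's Key Providers page.

```python
"""Compare Standard Key Provider settings between two sites (added example).

The inventories are constructed sample data, not read from a real vCenter.
The field names 'name' and 'servers' are assumptions made for this sketch.
"""


def compare_key_providers(primary, secondary):
    """Return a list of findings; an empty list means the sites match."""
    findings = []
    sec_by_name = {p["name"]: p for p in secondary}
    # Normalized name -> actual name, to point out near-miss names
    # (differences in case or surrounding whitespace) on the secondary.
    sec_folded = {p["name"].strip().casefold(): p["name"] for p in secondary}

    for prov in primary:
        name = prov["name"]
        peer = sec_by_name.get(name)
        if peer is None:
            near = sec_folded.get(name.strip().casefold())
            hint = f" (secondary has '{near}')" if near else ""
            findings.append(f"MISSING: '{name}' not defined on secondary{hint}")
            continue
        # Same name: the KMS address and port should be identical as well.
        if set(prov["servers"]) != set(peer["servers"]):
            findings.append(
                f"ENDPOINT: '{name}' differs: "
                f"{sorted(prov['servers'])} vs {sorted(peer['servers'])}"
            )
    return findings


# Constructed inventories; 192.0.2.0/24 is a documentation-only range.
PRIMARY = [{"name": "KMS-Prod", "servers": [("192.0.2.10", 5696)]}]
SECONDARY_RENAMED = [{"name": "KMS-DR", "servers": [("192.0.2.10", 5696)]}]
SECONDARY_CASE = [{"name": "kms-prod", "servers": [("192.0.2.10", 5696)]}]
SECONDARY_PORT = [{"name": "KMS-Prod", "servers": [("192.0.2.10", 5697)]}]
SECONDARY_OK = [{"name": "KMS-Prod", "servers": [("192.0.2.10", 5696)]}]

if __name__ == "__main__":
    for label, sec in (("renamed", SECONDARY_RENAMED), ("case", SECONDARY_CASE),
                       ("port", SECONDARY_PORT), ("aligned", SECONDARY_OK)):
        result = compare_key_providers(PRIMARY, sec)
        print(f"{label}: {result or 'OK: key providers match'}")
```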

Additional Information

Pre-requisite:

Configure the KMS cluster on both sites with the same name, port and address.

Site Recovery Manager and Virtual Machine Encryption