Error when listing the encryption recovery key for backup

Article ID: 390959

Products

VMware vSphere ESX 7.x

VMware vSphere ESX 8.x

Issue/Introduction

  • Running the following command returns the error message "Error while communicating with daemon."
# esxcli system settings encryption recovery list
  • Secure boot cannot be enabled on the ESXi host.

Environment

VMware vSphere 7.0.x

VMware vSphere 8.0.x

Cause

  • This occurs when the encryption mode is set to "None."
  • This error can also occur if the TPM is disabled in the BIOS.

Resolution

  • Run the command below to check the current encryption mode (TPM) and secure boot settings:
# esxcli system settings encryption get

Sample output:

Mode: NONE
Require Executables Only From Installed VIBs: false
Require Secure Boot: false
  • Perform the following steps to resolve this issue:
    • Change the mode to TPM by running the following command. This initializes the daemon.
# esxcli system settings encryption set --mode=TPM
  • Command to collect the recovery key:
# esxcli system settings encryption recovery list

NOTE: If you receive the following error while executing the above commands, ensure that the TPM is enabled at the BIOS level. To apply this change, contact the hardware vendor.

# esxcli system settings encryption set --mode=TPM
Unable to change the encryption mode and policy. Verify that the current host configuration can satisfy the new requirement.
  • If the TPM is enabled at the BIOS level, place the host in maintenance mode and reboot it.
  • Once the node is fully up, right-click the node, disconnect it from vCenter Server, and reconnect it.
  • Take the host out of maintenance mode.
  • SSH to the node, change the encryption mode to TPM again, and enable secure boot:
# esxcli system settings encryption set --mode=TPM
# esxcli system settings encryption set --require-secure-boot=T
  • The command below should now run, and you can collect the recovery key:
# esxcli system settings encryption recovery list
  • Confirm the settings by running the command:
# esxcli system settings encryption get
Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: true
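
The following pre-check is an added example, not part of the original article or of any VMware tooling. It classifies the output of "esxcli system settings encryption get" before "recovery list" is attempted; the function name and return codes are this example's own convention, and the sample input is constructed from the output shown above.

```shell
#!/bin/sh
# Added example (hypothetical helper): classify the text printed by
#   esxcli system settings encryption get
# read from stdin. Return codes (this example's convention):
#   0 = Mode TPM and Secure Boot required
#   1 = Mode NONE ("recovery list" fails with the daemon error)
#   2 = Mode TPM but Secure Boot not required
#   3 = output not recognised (for example an error message)
classify_encryption_state() {
    mode="" sb=""
    while IFS= read -r line || [ -n "$line" ]; do
        # Split "Key: value" on the first colon, then trim whitespace
        # (real output may be indented or carry a trailing CR).
        key=${line%%:*}
        key=${key#"${key%%[![:space:]]*}"}
        val=${line#*:}
        val=${val#"${val%%[![:space:]]*}"}
        val=${val%"${val##*[![:space:]]}"}
        case "$key" in
            "Mode") mode=$val ;;
            "Require Secure Boot") sb=$val ;;
        esac
    done
    case "$mode" in
        NONE)
            echo "Mode NONE: set --mode=TPM before listing recovery keys"
            return 1 ;;
        TPM)
            if [ "$sb" = "true" ]; then
                echo "OK: Mode TPM, Secure Boot required"
                return 0
            fi
            echo "Mode TPM, but Secure Boot is not required"
            return 2 ;;
        *)
            echo "Unrecognised output: check TPM state in BIOS"
            return 3 ;;
    esac
}

# Constructed sample: the final state shown in the article.
# On a host: esxcli system settings encryption get | classify_encryption_state
classify_encryption_state <<'EOF'
Mode: TPM
Require Executables Only From Installed VIBs: false
Require Secure Boot: true
EOF
```
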