Error: "A general system error occurred: Unable to decrypt the ciphertext. Failed to decrypt the key" in the vCenter UI
search cancel

Error: "A general system error occurred: Unable to decrypt the ciphertext. Failed to decrypt the key" in the vCenter UI

book

Article ID: 397633

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

In vSphere environments with VM Encryption or vTPM-enabled virtual machines, the following error may appear when attempting to power on a virtual machine after a reboot of ESXi hosts or vCenter.

A general system error occurred: Unable to decrypt the ciphertext. Failed to decrypt the key

This error typically occurs when the ESXi host loses access to the Host Encryption Key after a reboot. Even if the Key Management Server (KMS) connection is healthy, the vCenter Server may retain stale encryption metadata, leading it to believe the ESXi host still has the required key — preventing the host from re-acquiring it via vCenter.

As a result, the ESXi host cannot decrypt encrypted virtual machines, leaving them in a locked or invalid state.

Environment

VMware vSphere 7.x
VMware vSphere 8.x

Cause

vCenter via the VCDB believes the ESXi host still has their Host Encryption Key, but the host loses it post-reboot. This mismatch results in blocking the key re-acquisition from the KMS, causing VM decryption failures.

Resolution

Option 1 - For ESXi hosts that do not partake in vDS, vSAN, or NSX.

  1. Log into the vCenter UI
  2. Disconnect and remove the ESXi host from vCenter
  3. Reconnect the ESXi host

Option 2 - For ESXi hosts that cannot be removed from vCenter

  1. Implement the resolution from KB Host requires encryption mode enabled. Manually recover the missing key
Powered by Wolken Software