Host Requires Encryption Mode Enabled Alarm on a host cluster where encryption key provider is powered off

Article ID: 407223

Products

VMware vSphere ESXi

Issue/Introduction

  • You want to decommission a key provider and disable encryption on a vSphere host cluster because encryption is not currently required.
  • The key provider was set up in the past but was never used to encrypt any data.
  • There is no requirement for VM encryption or vSAN encryption, and the key provider is either outdated (which is itself a security risk) or its software key has expired.
  • Because encryption is not needed, the key provider has been administratively disabled and is no longer reachable on the network. Rebooting a host now triggers the "Host Requires Encryption Mode Enabled" alarm because the host cannot contact the powered-off key provider.
  • Under Configure>System>Security Profile>Host Encryption Mode each host shows "Encryption Mode: Enabled", but the option is greyed out when you click EDIT and try to change it from Enabled to Disabled.

Environment

ESXi 8.x

Cause

This is by design. A host with Host Encryption Mode enabled contacts its configured key provider (for example on boot). If the key provider is unreachable on the network, the host raises the "Host Requires Encryption Mode Enabled" alarm every time that attempt fails.

Resolution

Before making any changes in production, set up a test environment that uses the same key provider and rehearse the procedure there. Keep the key provider available, so it can be re-enabled if necessary, until you have verified it is no longer needed: any data encrypted with keys from that provider becomes permanently inaccessible if the provider is decommissioned first. The checks below cover only the host cluster in vSphere and are not a comprehensive list of every place a key provider can be used. Other applications may be using the same key provider; check their decommissioning requirements separately.

  1. Make sure vSAN encryption is not in use under the Cluster>Configure>vSAN menu. Check both data-at-rest encryption and data-in-transit encryption.
  2. Make sure no VMs in the cluster are currently encrypted by going to the Cluster>VMs tab:
    1. Click Manage Columns.
    2. Check the Encryption and TPM checkboxes to add those columns.
    3. Sort by the Encryption and TPM columns and confirm that no VM is using encryption or has a vTPM device (a vTPM also depends on the key provider).

Once both checks are clean, the key provider can be deleted from the Key Providers list under vCenter>Configure>Security>Key Providers. Read and understand the warning that VMs encrypted with this provider will no longer be able to power on before you confirm the deletion.

Ensure that there are no issues with any of the existing VMs and that all necessary data is accessible before decommissioning the key provider.
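The following PowerCLI script is an added example and is not part of this article; it performs the same pre-decommission audit as the steps above from the command line rather than the vSphere Client, so the result can be saved as evidence before the key provider is removed. It reads the vSAN cluster configuration, inspects each VM's configuration through the vSphere API (VirtualMachineConfigInfo.keyId for the VM home, the disk backing keyId for each virtual disk, and VirtualTPM devices), and reports each host's crypto state. The vCenter name and cluster name are placeholders, and the Get-KmsCluster listing at the end is assumed to cover the key providers registered in vCenter; verify it against the Key Providers page in your environment.

```powershell
# Added example, not from the KB article. Audits one cluster for anything that still depends
# on a key provider before that provider is decommissioned.
# Assumes PowerCLI (VMware.PowerCLI) is installed; server and cluster names are placeholders.
param(
    [string]$VIServer    = 'vcenter.example.com',   # placeholder, assumed
    [string]$ClusterName = 'Prod-Cluster'           # placeholder, assumed
)

Import-Module VMware.VimAutomation.Core -ErrorAction Stop
Connect-VIServer -Server $VIServer -ErrorAction Stop | Out-Null

$cluster = Get-Cluster -Name $ClusterName -ErrorAction Stop
$blocking = New-Object System.Collections.Generic.List[string]

# 1. vSAN encryption: data at rest and data in transit (Cluster>Configure>vSAN in the UI).
try {
    $vsan = Get-VsanClusterConfiguration -Cluster $cluster -ErrorAction Stop
    if ($vsan.EncryptionEnabled)              { $blocking.Add('vSAN data-at-rest encryption is enabled') }
    if ($vsan.DataInTransitEncryptionEnabled) { $blocking.Add('vSAN data-in-transit encryption is enabled') }
} catch {
    Write-Warning "Could not read vSAN configuration for $ClusterName : $_"
}

# 2. VMs: encrypted VM home, encrypted virtual disks, or a vTPM device (the Encryption and TPM
#    columns on the Cluster>VMs tab). All three are read from the VM's API config object.
$vmFindings = foreach ($vm in Get-VM -Location $cluster) {
    $cfg     = $vm.ExtensionData.Config
    $devices = @($cfg.Hardware.Device)

    # VirtualMachineConfigInfo.keyId is set when the VM home (config/swap/nvram) is encrypted.
    $homeEncrypted = $null -ne $cfg.KeyId

    # Each encrypted disk carries a CryptoKeyId on its backing (VirtualDiskFlatVer2BackingInfo.keyId).
    $encryptedDisks = @($devices |
        Where-Object { $_ -is [VMware.Vim.VirtualDisk] -and $null -ne $_.Backing.KeyId } |
        ForEach-Object { $_.DeviceInfo.Label })

    # A vTPM is a VirtualTPM device; its contents are sealed with keys from the key provider.
    $hasVtpm = [bool]($devices | Where-Object { $_ -is [VMware.Vim.VirtualTPM] })

    if ($homeEncrypted -or $encryptedDisks.Count -gt 0 -or $hasVtpm) {
        [pscustomobject]@{
            VM             = $vm.Name
            PowerState     = $vm.PowerState
            HomeEncrypted  = $homeEncrypted
            EncryptedDisks = ($encryptedDisks -join ', ')
            vTPM           = $hasVtpm
            # Provider id recorded in the key id tells you which key provider the VM is bound to.
            KeyProviderId  = if ($cfg.KeyId) { $cfg.KeyId.ProviderId.Id } else { '' }
        }
    }
}
foreach ($f in @($vmFindings)) {
    $blocking.Add("VM '$($f.VM)' still uses encryption or a vTPM (provider '$($f.KeyProviderId)')")
}

# 3. Host crypto state (HostRuntimeInfo.cryptoState: incapable, prepared, safe, pendingIncapable).
#    'safe' or 'prepared' means Host Encryption Mode is enabled, which matches the greyed-out
#    setting described in the article.
$hostStates = Get-VMHost -Location $cluster | Select-Object Name,
    @{ N = 'CryptoState'; E = { $_.ExtensionData.Runtime.CryptoState } }

# 4. Key providers currently registered in vCenter (assumed: Get-KmsCluster lists them).
$providers = try { Get-KmsCluster -ErrorAction Stop | Select-Object Name, UseAsDefaultKeyProvider }
             catch { Write-Warning "Could not list key providers: $_"; @() }

# Report
"=== Cluster: $ClusterName ==="
"--- Hosts ---";          $hostStates | Format-Table -AutoSize | Out-String
"--- Key providers ---";  $providers  | Format-Table -AutoSize | Out-String
"--- VMs depending on a key provider ---"
if (@($vmFindings).Count) { @($vmFindings) | Format-Table -AutoSize | Out-String } else { '(none)' }

if ($blocking.Count -eq 0) {
    'RESULT: no vSAN encryption, encrypted VM, or vTPM found in this cluster.'
    'Other consumers of the key provider (outside this cluster) must still be checked separately.'
} else {
    'RESULT: do NOT decommission the key provider yet:'
    $blocking | ForEach-Object { "  - $_" }
}

Disconnect-VIServer -Server $VIServer -Confirm:$false
```

Run it once against the test environment and once against production, and keep the output with the change record. A VM that reports a KeyProviderId is bound to that provider's keys, so a clean result for this cluster says nothing about other clusters or products that share the same provider.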

Additional Information

Note: keep in mind that this is not official guidance for your environment, and any design decisions should be vetted through internal teams based on administrative and technical requirements; consult professional services if required.

If you are considering switching to another key provider, the cluster's key provider setting can be updated so that future encryption operations obtain their keys from the new provider. Data that is already encrypted remains bound to the keys of the provider it was encrypted with and is not automatically served by the new provider.

Please see https://www.youtube.com/watch?app=desktop&v=AyLTmfwiA8g for a good overview of the Native Key Provider.