Enabling encryption fails in one of the ESXi host in the cluster.

search cancel

Enabling encryption fails in one of the ESXi host in the cluster.

book

Article ID: 417278

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

Issue occurred after rebooting the host due to lock up issue.
Enabling encryption fails with error: Operation failed!
A general runtime error occurred. Key provider is not compatible with the host XXXX. Reason: "TPM2 device is required."

Environment

VMware ESXi 7.x

Cause

This issue occurred because Constraint under the Native Key Provider is configured with "Use key provider only with TPM protected ESXi hosts" parameter.

Resolution

Below steps can be followed to resolve the issue :
- Take the non memory powered off snapshot of all the vCenter Servers if they are in linked mode.
- Put the ESXi Host in Maintenance Mode.
- Power off the VMs using encryption.
- Delete the existing Native Key Provider - Delete a vSphere Native Key Provider
- Add a new key provider, and while doing so, deselect the option “Use key provider only with TPM protected ESXi hosts.”
- Log in to vCenter Server MOB - https://vcenter-fqdn/mob
- Follow the Broadcom KB - ESXi host Encryption Mode - Rekey an ESXi to use new Default Key Provider to update the CryptoKey with the new Key provider.
- Return to the vSphere UI and verify that Encryption is enabled on the ESXi host.

Feedback

thumb_up Yes

thumb_down No