Cannot enable host encryption mode using Native Key Provider "Key provider {keyProviderId} is not compatible with the host {host}. Reason TPM2 device is required."

Article ID: 423191

Products

VMware vSphere ESXi

Issue/Introduction

  • When using Native Key Provider, enabling host encryption mode fails with "Key provider {keyProviderId} is not compatible with the host {host}. Reason TPM2 device is required."
  • The ESXi host does not have a TPM2 device, and the boot log shows messages like these:
    VMB_TPM: 80: No TPM2 table found. No TPM 2 device present.
    VMB_TPM: 236: Unable to determine TPM IO area base address.
    VMB_TPM: 187: Failed to initialize TPM.
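As an added pre-flight check (example code, not part of this article or of VMware's tooling), the script below scans ESXi boot-log text for the VMB_TPM failure lines quoted above and then applies the same rule vCenter enforces: a Native Key Provider created with the TPM-only option rejects any host on which TPM2 initialization failed. The sample log lines, the host names, the key provider id and the `tpm_required` flag are all constructed for the example; only the three VMB_TPM messages come from the article.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed boot-log sample for a host without TPM2. The three VMB_TPM lines
# are the ones quoted in the article; the VMB lines around them are made up.
SAMPLE_BOOT_LOG_NO_TPM = """\
VMB: 100: Loading ESXi boot modules
VMB_TPM: 80: No TPM2 table found. No TPM 2 device present.
VMB_TPM: 236: Unable to determine TPM IO area base address.
VMB_TPM: 187: Failed to initialize TPM.
VMB: 120: Continuing boot without TPM
"""

# Constructed sample for a host whose boot log carries no VMB_TPM failure.
SAMPLE_BOOT_LOG_WITH_TPM = """\
VMB: 100: Loading ESXi boot modules
VMB_TPM: 300: TPM initialized (constructed line, not real ESXi output)
"""

# "VMB_TPM: <line>: <message>" as seen in the article's boot-log excerpt.
VMB_TPM_RE = re.compile(r"^VMB_TPM:\s*(\d+):\s*(.*)$")

# Message fragments (from the article) that show TPM2 is absent or unusable.
NO_TPM_MARKERS = (
    "No TPM2 table found",
    "Unable to determine TPM IO area base address",
    "Failed to initialize TPM",
)


@dataclass
class TpmStatus:
    present: bool
    evidence: List[str] = field(default_factory=list)


def tpm2_status(boot_log: str) -> TpmStatus:
    """Parse VMB_TPM lines; any marker hit means the host has no usable TPM2."""
    evidence = []
    for raw in boot_log.splitlines():
        line = raw.strip()
        match = VMB_TPM_RE.match(line)
        if not match:
            continue
        message = match.group(2)
        if any(marker in message for marker in NO_TPM_MARKERS):
            evidence.append(line)
    return TpmStatus(present=not evidence, evidence=evidence)


def nkp_host_compatibility(key_provider_id: str, host: str,
                           tpm_required: bool, boot_log: str) -> Optional[str]:
    """Return the rejection reason, or None if host encryption mode can be enabled.

    tpm_required mirrors the key provider option
    [Use key provider only with TPM protected ESXi hosts (Recommended)].
    """
    status = tpm2_status(boot_log)
    if tpm_required and not status.present:
        return (f"Key provider {key_provider_id} is not compatible with the host "
                f"{host}. Reason TPM2 device is required.")
    return None


def hosts_blocked(key_provider_id: str, tpm_required: bool,
                  host_logs: Dict[str, str]) -> List[str]:
    """List the hosts a TPM-only key provider would reject, from their boot logs."""
    return [host for host, log in host_logs.items()
            if nkp_host_compatibility(key_provider_id, host, tpm_required, log)]


if __name__ == "__main__":
    fleet = {"esx01": SAMPLE_BOOT_LOG_NO_TPM, "esx02": SAMPLE_BOOT_LOG_WITH_TPM}
    for host, log in fleet.items():
        print(host, tpm2_status(log))
    print("blocked with TPM-only provider:", hosts_blocked("nkp-1", True, fleet))
    print("blocked without TPM-only option:", hosts_blocked("nkp-1", False, fleet))
```

Running the block prints `esx01` as blocked when `tpm_required` is true and nothing blocked when it is false, which is the trade-off the Resolution section describes: clearing the TPM-only option lets the host enable encryption mode, but the host's encryption keys are then no longer sealed by a TPM. Before deciding, confirm the hardware state on the host itself (for example with `esxcli hardware trustedboot get`) rather than relying on log text alone.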

Environment

VMware vSphere ESXi

Cause

This is expected behavior when the Native Key Provider was created with [Use key provider only with TPM protected ESXi hosts (Recommended)] checked.

Resolution

If the ESXi host does not have a TPM2 device but you still need to enable host encryption mode using Native Key Provider, uncheck [Use key provider only with TPM protected ESXi hosts (Recommended)] when creating the Native Key Provider.

Recreating the Native Key Provider with this option disabled resolves the issue.