vm-support command prompts for an incident key, even though Host Encryption Mode is displayed as "Disabled" in the vSphere Client

Article ID: 426986


Products

VMware vSphere ESXi

Issue/Introduction

  • The vm-support command output shows the following warning:
    YYYY-mm-dd HH:MM:SS,xxx WARNING main.py:583 Command cannot succeed because this host is in crypto safe mode and the vm-support incident key is missing.
    To collect useful coredumps, perform these tasks:
    1. Generate a vm-support incident key by running:
    crypto-util keys vm-support --password prolog
    2. Run vm-support:
    vm-support [options]
    3. Perform cleanup:
    crypto-util keys vm-support epilog

  • In the vSphere Client, the Host Encryption Mode is displayed as "Disabled".

  • Running the following command on the ESXi host shows the cryptoState as pendingIncapable:
    vim-cmd hostsvc/runtimeinfo | grep -i cryptostate

    Output:
       cryptoState = "pendingIncapable",

  • Running the following command on the ESXi host shows that the HostKey still exists:
    crypto-util keys getkidbyname HostKey

    Output:
    vmware:key/fqid/<VMWARE-NULL>/a/ASEAAgEAl%2f...

  • Host Encryption Mode was previously enabled on the affected ESXi host and was subsequently disabled via the CryptoManager API.

Cause

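Disabling Host Encryption Mode requires a reboot of the ESXi host. Until the host is rebooted, the cryptoState remains pendingIncapable and the HostKey is still present, so vm-support continues to prompt for an incident key.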

For instructions on how to deactivate Host Encryption Mode, please refer to the following documentation:

Deactivate Host Encryption Mode Using the API

Resolution

Reboot the ESXi host and verify that the cryptoState transitions from pendingIncapable to incapable.
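
One way to script this verification from the ESXi shell (an added example, not part of this article or of VMware tooling): it parses cryptoState from the vim-cmd hostsvc/runtimeinfo output and reports whether the reboot is still pending. The function names and the sample runtimeinfo text are constructed for illustration; the prepared and safe values are taken from the vSphere API's HostCryptoState enumeration, not from this article.

```shell
#!/bin/sh
# Added example: report whether a Host Encryption Mode disable is still
# waiting for a reboot, based on the cryptoState field.

# Constructed sample of `vim-cmd hostsvc/runtimeinfo` output, used only when
# vim-cmd is not available (for example when this is run off-host).
SAMPLE_RUNTIMEINFO='(vim.host.RuntimeInfo) {
   connectionState = "connected",
   cryptoState = "pendingIncapable",
   inMaintenanceMode = false,
}'

# Print the cryptoState value found in runtimeinfo text on stdin (empty if absent).
get_crypto_state() {
    sed -n 's/^[[:space:]]*cryptoState[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Map a cryptoState value to a one-word verdict.
crypto_state_verdict() {
    case "$1" in
        incapable)        echo "disabled" ;;          # disable has completed
        pendingIncapable) echo "reboot-required" ;;   # disabled via API, host not yet rebooted
        prepared|safe)    echo "encryption-active" ;; # Host Encryption Mode has not been disabled
        "")               echo "no-cryptostate" ;;    # field missing from the input
        *)                echo "unknown" ;;           # value this script does not know
    esac
}

# Read the live state on an ESXi host, or fall back to the constructed sample.
check_host() {
    if command -v vim-cmd >/dev/null 2>&1; then
        info=$(vim-cmd hostsvc/runtimeinfo)
    else
        info=$SAMPLE_RUNTIMEINFO
    fi
    state=$(printf '%s\n' "$info" | get_crypto_state)
    echo "cryptoState=${state:-<none>} verdict=$(crypto_state_verdict "$state")"
}

check_host
```

Run it before and after the reboot: the verdict should change from reboot-required to disabled.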

 

Workaround:

Even in this state, a vm-support bundle can still be collected through the vSphere Client or ESXi Host Client.

Alternatively, you can follow the on-screen instructions to generate an incident key and collect the logs via CLI:

1. Generate a vm-support incident key by running:
    crypto-util keys vm-support --password prolog
2. Run vm-support:
    vm-support [options]
3. Perform cleanup:
    crypto-util keys vm-support epilog