Moving an ESXi host from a source vCenter that uses a Native Key Provider to a destination vCenter fails at the point where the host is added to the destination inventory.
After the host is added to the cluster, the following error appears: "Host requires encryption mode enabled. Manually recover the missing key."
This error indicates that the destination vCenter does not hold the cryptographic keys needed to manage the encrypted host, so the host cannot be added to the inventory.
The destination vCenter does not recognize or possess the Key Provider identity that originally encrypted the host.
Encryption keys are managed at the vCenter level. Moving a host without also moving its associated Key Provider leaves the host in a "missing key" state, because the destination vCenter has no provider matching the provider ID recorded on the host. For a successful transfer, the Key Provider's identity must be migrated so that the destination vCenter can manage the host's existing encryption.
To resolve this issue, please follow the steps outlined below. This ensures the destination vCenter shares the same cryptographic identity as the source, allowing it to manage encrypted objects without requiring decryption.
Back up the Key Provider on the source vCenter:
1. Log in to the source vCenter Client.
2. Navigate to Configure > Security > Key Providers.
3. Select the active Key Provider (e.g., Native Key Provider).
4. Click Back Up.
5. Create a password for the backup file. Save this password, as it is required for the restore process.
6. Download the .p12 file to the local machine.
Restore the Key Provider on the destination vCenter:
7. Log in to the destination vCenter Client.
8. Navigate to Configure > Security > Key Providers.
9. Click Add and select Restore Key Provider.
10. Upload the .p12 file downloaded from the source vCenter.
11. Enter the password created during the backup step.
12. Verify that the Key Provider appears in the list and that its status is "Active" or "Exists."
Move the host:
13. In the source vCenter, right-click the ESXi host and select Connection > Disconnect.
14. Right-click the disconnected host and select Remove from Inventory.
15. In the destination vCenter, right-click the Cluster or Datacenter and select Add Host.
16. Enter the Fully Qualified Domain Name (FQDN) and credentials to complete the wizard.
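The following PowerCLI pre-flight check is an added example, not part of this article: before disconnecting the host from the source vCenter, it reads the key provider ID recorded on the host (HostRuntimeInfo.cryptoKeyId) and confirms that a Key Provider with that name is present on the destination vCenter. The vCenter and host names are placeholders, and the script assumes the Get-KeyProvider cmdlet from the VMware.VimAutomation.Storage module is available and that the restored provider's Name equals the provider ID stored on the host.

```powershell
# Placeholder names; replace with the real source/destination vCenters and host.
$sourceVC      = 'source-vcenter.example.com'
$destinationVC = 'destination-vcenter.example.com'
$hostName      = 'esxi01.example.com'

# Connect to both vCenters (credentials are prompted for interactively).
$src = Connect-VIServer -Server $sourceVC
$dst = Connect-VIServer -Server $destinationVC

# Read the host's crypto state and the provider ID of the key that encrypts it.
$vmhost   = Get-VMHost -Name $hostName -Server $src
$runtime  = $vmhost.ExtensionData.Runtime
$state    = $runtime.CryptoState
$provider = $runtime.CryptoKeyId.ProviderId.Id

Write-Host "Host $hostName crypto state: $state"
if (-not $provider) {
    Write-Host 'Host has no key provider ID recorded; no Key Provider restore is needed.'
    return
}
Write-Host "Host key provider ID: $provider"

# Assumption: Get-KeyProvider lists providers on the destination and the restored
# Native Key Provider carries the same name as the ID recorded on the host.
$match = Get-KeyProvider -Server $dst | Where-Object { $_.Name -eq $provider }

if ($match) {
    Write-Host "OK: Key Provider '$provider' exists on $destinationVC; safe to move the host."
} else {
    Write-Warning ("Key Provider '$provider' is missing on $destinationVC. " +
                   'Restore the .p12 backup there first, or the host add will fail ' +
                   'with "Host requires encryption mode enabled. Manually recover the missing key."')
}

Disconnect-VIServer -Server $src, $dst -Confirm:$false
```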