vCenter triggers "requires encryption mode enabled" events in non-homogenous clusters

Article ID: 438405

Products

VMware vSphere ESXi, VMware vCenter Server

Issue/Introduction

vCenter Server generates persistent vCenter events for ESXi hosts regarding encryption mode requirements. This occurs despite the Native Key Provider (NKP) being active and healthy.

  • Cluster Configuration: The cluster contains a mix of host hardware where some hosts are equipped with TPM 2.0 chips while others are not.
  • Event Message: Host <HOSTNAME> requires encryption mode enabled. Check the status of the key provider <NKP_NAME> and manually recover the missing key /<NKP_NAME> to the key provider <NKP_NAME>. Go to docs.vmware.com for detailed remediation steps.
  • vpxd.log Error: Failed to enable encryption on host [vim.HostSystem:host-xxx,<HOSTNAME>]: key provider <NKP_NAME> is not compatible with host due to com.vmware.vim.vpxd.encryption.TpmRequired
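To tell the TpmRequired incompatibility apart from other encryption failures before changing the key provider, it helps to scan vpxd.log for the "Failed to enable encryption on host" message quoted above and group the hits by host. The following Python is an added example, not part of this article or of any VMware tooling; the log lines are constructed to mirror the message shape shown above, the timestamp and "sub=HostCrypto" prefix, host names, provider name "NKP-Prod" and the "PLACEHOLDER.OtherFault" identifier are assumptions used only to exercise the parser.

```python
import re

# Constructed sample vpxd.log excerpt (not from the article). The line prefix
# format, host names, provider name and PLACEHOLDER.OtherFault are assumptions;
# only the "Failed to enable encryption on host ..." message shape follows the KB.
SAMPLE_VPXD_LOG = """\
2024-01-01T10:00:01.001Z info vpxd[12345] [Originator@6876 sub=HostCrypto] Failed to enable encryption on host [vim.HostSystem:host-101,esx-notpm-01.example.local]: key provider NKP-Prod is not compatible with host due to com.vmware.vim.vpxd.encryption.TpmRequired
2024-01-01T10:00:01.002Z info vpxd[12345] [Originator@6876 sub=HostCrypto] Enabled encryption on host [vim.HostSystem:host-102,esx-tpm-01.example.local]
2024-01-01T10:05:01.003Z info vpxd[12345] [Originator@6876 sub=HostCrypto] Failed to enable encryption on host [vim.HostSystem:host-101,esx-notpm-01.example.local]: key provider NKP-Prod is not compatible with host due to com.vmware.vim.vpxd.encryption.TpmRequired
2024-01-01T10:05:01.004Z info vpxd[12345] [Originator@6876 sub=HostCrypto] Failed to enable encryption on host [vim.HostSystem:host-103,esx-notpm-02.example.local]: key provider NKP-Prod is not compatible with host due to com.vmware.vim.vpxd.encryption.TpmRequired
2024-01-01T10:05:01.005Z info vpxd[12345] [Originator@6876 sub=HostCrypto] Failed to enable encryption on host [vim.HostSystem:host-104,esx-other-01.example.local]: key provider NKP-Prod is not compatible with host due to PLACEHOLDER.OtherFault
"""

# Fault identifier quoted in the article's vpxd.log error.
TPM_REQUIRED_FAULT = "com.vmware.vim.vpxd.encryption.TpmRequired"

# Matches the message shape from the KB: managed object reference, host name,
# key provider name and the fault class that caused the incompatibility.
FAILURE_RE = re.compile(
    r"Failed to enable encryption on host "
    r"\[vim\.HostSystem:(?P<moref>host-[^,\]]+),(?P<host>[^\]]+)\]: "
    r"key provider (?P<provider>.+?) is not compatible with host due to (?P<fault>\S+)"
)


def parse_encryption_failures(log_text):
    """Return one dict (moref, host, provider, fault) per matching log line."""
    records = []
    for line in log_text.splitlines():
        match = FAILURE_RE.search(line)
        if match:
            records.append(match.groupdict())
    return records


def summarize_by_host(records):
    """Group failures by host: how many times, for which provider(s), with which fault(s)."""
    summary = {}
    for rec in records:
        entry = summary.setdefault(
            rec["host"], {"count": 0, "providers": set(), "faults": set()}
        )
        entry["count"] += 1
        entry["providers"].add(rec["provider"])
        entry["faults"].add(rec["fault"])
    return summary


def hosts_blocked_by_tpm_policy(records):
    """Split hosts into those whose only failure reason is TpmRequired (the
    non-TPM hosts rejected by the "TPM protected ESXi hosts only" setting)
    and those reporting any other fault, which need separate investigation."""
    summary = summarize_by_host(records)
    tpm_only = sorted(h for h, e in summary.items() if e["faults"] == {TPM_REQUIRED_FAULT})
    other = sorted(h for h, e in summary.items() if e["faults"] != {TPM_REQUIRED_FAULT})
    return tpm_only, other


if __name__ == "__main__":
    failures = parse_encryption_failures(SAMPLE_VPXD_LOG)
    for host, entry in sorted(summarize_by_host(failures).items()):
        print(f"{host}: {entry['count']} failure(s), providers={sorted(entry['providers'])}, "
              f"faults={sorted(entry['faults'])}")
    tpm_hosts, other_hosts = hosts_blocked_by_tpm_policy(failures)
    print("Hosts blocked only by the TPM-required policy:", tpm_hosts)
    print("Hosts with other encryption faults:", other_hosts)
```

Run it against an exported vpxd.log instead of the constructed sample to get the list of hosts whose only problem is the TPM policy; if a host shows up with a different fault, relaxing the "TPM protected hosts only" setting as described in the Resolution will not clear that host's events.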

Environment

VMware vSphere ESXi

VMware vCenter Server

Cause

vCenter triggers these events because it attempts to enforce a "TPM Required" security policy on hosts that lack the necessary hardware. When the Native Key Provider is configured with the "Use key provider only with TPM protected ESXi hosts" option, vCenter periodically validates that every host in the cluster meets this encryption standard. For hosts without a physical TPM 2.0 chip, this validation fails and raises the TpmRequired incompatibility fault, resulting in persistent recovery events.

Resolution

  • Backup NKP: Navigate to vCenter > Configure > Key Providers. Select the provider and click Backup. Save the P12 file and record the password safely.

  • Remove Provider: Delete the current Native Key Provider from the vCenter configuration.

  • Restore & Relax Constraints:

    • Click Restore Native Key Provider.

    • Upload the P12 backup file and enter the password.

    • Uncheck the box: "Use key provider only with TPM protected ESXi hosts (Recommended)". This allows the provider to function on the hosts within the cluster that lack TPM chips.

  • Set Default: Set the newly restored provider as the Default key provider.

  • Validation:

    • Reset Events: Manually reset/clear the triggered events and ensure any associated host alarms are set to Green.

    • Monitor: Observe the Tasks and Events console to confirm that the "requires encryption mode enabled" events do not recur.

    • VM Verification: Perform a Power Off and Power On cycle of affected Virtual Machines during a maintenance window to validate they can power on successfully and that the host encryption state is correctly refreshed.

Additional Information

https://knowledge.broadcom.com/external/article/406157/option-use-key-provider-only-with-tpm-pr.html

https://knowledge.broadcom.com/external/article/423191