Enabling ESXi host encryption fails with the error "CreateKey failed on key provider"
Article ID: 430116

Products

VMware vCenter Server

Issue/Introduction

  • Enabling host encryption on an ESXi host, after the key provider (KMS) has been configured successfully on vCenter Server, fails with the following error:

    A general runtime error occurred. Cannot generate key. CreateKey failed on key provider error code: QLC_ERR_GENERAL_ERROR. Check log for detail



  • On the vCenter Server Appliance, /var/log/vmware/vpxd/vpxd.log shows the KMS rejecting the key-creation request with "Permission Denied":
    YYYY-MM-DDTHH:MM:SSZ error vpxd[449299] [Originator@6876 sub=CryptoManagerKmipWrapper opID=SWI-#####] Failed to create key on KMS <KMS-SERVER:5696> - Server Error:Permission Denied, Explanation:DENIED
    -->
    YYYY-MM-DDTHH:MM:SSZ error vpxd[449299] [Originator@6876 sub=CryptoManagerKmipWrapper opID=SWI-#####] Failed to create key on KMS  <KMS-SERVER:5696> - Server Error:Permission Denied, Explanation:DENIED
    -->
    YYYY-MM-DDTHH:MM:SSZ warning vpxd[449299] [Originator@6876 sub=Default opID=SWI-#####] Failed to generate key on key provider KMS- Server Key, error 7:
    --> Reason:
    --> Failed to generate key on KMS KMS-SERVER: QLC_ERR_GENERAL_ERROR;
    --> Failed to generate key on KMS KMS-SERVER: QLC_ERR_GENERAL_ERROR
    --> Custom attribites: (null)

Environment

vCenter Server 8.0

Cause

This issue occurs when the key provider entry in vCenter Server was added with a username and password (the optional password protection field) instead of relying on the standard certificate-based authentication. The KMS communication flow is a TCP connection to the KMIP port (5696 in the log above) followed by a TLS handshake, and by default the KMS identifies and authorizes the vCenter Server client by the certificate it presents in that handshake. With the username/password configuration in place, the KMS does not authorize the KMIP Create request, so key generation fails with "Permission Denied" on the KMS side, which vCenter Server surfaces as QLC_ERR_GENERAL_ERROR.

Resolution

To authenticate with certificates and enable encryption, create a new Key Management Server (KMS) entry that leaves the optional password protection field (username and password) empty.

Follow the steps below to resolve the issue:

  1. Add a new KMS entry: Add a KMS server entry pointing to a new KMS server, or to the same KMS server that is already configured, without entering a username or password. This makes vCenter Server open a fresh connection that authenticates with its client certificate.

  2. Verify connectivity: Confirm that the new entry shows a "Connected" or "Healthy" status in the vSphere Client before going further.

  3. Remove the old KMS entries: Delete only the KMS entries that were added with a username and password. This clears the stale configuration state and the associated error messages.
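The following script is an added example and is not VMware code. It automates the two checks a practitioner makes while working through the steps above: it parses vpxd.log for the "Failed to create key on KMS" lines shown in this article to confirm which KMS returned "Permission Denied", and it audits the configured key provider entries to find the ones that were added with a username (the entries step 3 says to remove). The attribute names used on the configuration objects (ListKmipServers, clusterId.id, servers, name, address, port, userName) are the public vSphere API names exposed by pyvmomi; the sample log lines, hostnames, provider IDs and the live_audit helper are constructed for illustration and are assumptions, not values from this article.

```python
"""Audit vCenter standard key provider entries and vpxd.log lines for the
password-protected KMS configuration described in this article.

Added example, not VMware code. The pyvmomi names used here
(ServiceContent.cryptoManager, CryptoManagerKmip.ListKmipServers,
KmipClusterInfo.clusterId/servers, KmipServerInfo.name/address/port/userName)
are the public vSphere API names; the sample data is constructed.
"""
import re
from types import SimpleNamespace

# Matches the CryptoManagerKmipWrapper failure line quoted in this article:
#   ... Failed to create key on KMS <host:port> - Server Error:X, Explanation:Y
_KMS_ERR = re.compile(
    r"sub=CryptoManagerKmipWrapper.*?Failed to create key on KMS\s+"
    r"<(?P<host>[^:>]+):(?P<port>\d+)>\s+-\s+"
    r"Server Error:(?P<error>[^,]+),\s*Explanation:(?P<explanation>\S+)"
)


def parse_kms_failures(lines):
    """Return one dict (host, port, error, explanation) per matching vpxd.log line."""
    failures = []
    for line in lines:
        m = _KMS_ERR.search(line)
        if m:
            failures.append({k: v.strip() for k, v in m.groupdict().items()})
    return failures


def servers_using_password(kmip_clusters):
    """Return (provider_id, server_name, address, port) for every KMS entry
    that was added with a username, i.e. the entries this article says to replace.

    kmip_clusters is the result of CryptoManagerKmip.ListKmipServers() or any
    objects exposing the same attribute names.
    """
    flagged = []
    for cluster in kmip_clusters:
        for srv in cluster.servers:
            if getattr(srv, "userName", None):
                flagged.append((cluster.clusterId.id, srv.name, srv.address, srv.port))
    return flagged


# Constructed sample configuration: one provider with two entries for the same
# KMS, one added with a username (to be removed) and one certificate-only.
SAMPLE_CLUSTERS = [
    SimpleNamespace(
        clusterId=SimpleNamespace(id="kms-provider-1"),
        useAsDefault=True,
        servers=[
            SimpleNamespace(name="kms-old", address="kms.example.internal",
                            port=5696, userName="vcadmin"),
            SimpleNamespace(name="kms-new", address="kms.example.internal",
                            port=5696, userName=None),
        ],
    )
]

# Constructed vpxd.log excerpt in the shape quoted in this article.
SAMPLE_VPXD_LOG = [
    "2024-05-01T10:00:00Z error vpxd[449299] [Originator@6876 sub=CryptoManagerKmipWrapper "
    "opID=SWI-1a2b3c] Failed to create key on KMS <kms.example.internal:5696> - "
    "Server Error:Permission Denied, Explanation:DENIED",
    "2024-05-01T10:00:00Z error vpxd[449299] [Originator@6876 sub=CryptoManagerKmipWrapper "
    "opID=SWI-1a2b3c] Failed to create key on KMS  <kms.example.internal:5696> - "
    "Server Error:Permission Denied, Explanation:DENIED",
    "2024-05-01T10:00:00Z warning vpxd[449299] [Originator@6876 sub=Default opID=SWI-1a2b3c] "
    "Failed to generate key on key provider kms-provider-1, error 7:",
]


def live_audit(host, user, password):
    """Run servers_using_password() against a real vCenter Server.

    Requires pyvmomi and network access; not exercised offline. SmartConnect
    verifies the vCenter certificate by default, which is what you want.
    """
    from pyVim.connect import SmartConnect, Disconnect  # imported lazily on purpose
    si = SmartConnect(host=host, user=user, pwd=password)
    try:
        return servers_using_password(si.content.cryptoManager.ListKmipServers())
    finally:
        Disconnect(si)


if __name__ == "__main__":
    for f in parse_kms_failures(SAMPLE_VPXD_LOG):
        print(f"KMS {f['host']}:{f['port']} rejected CreateKey: {f['error']} ({f['explanation']})")
    for provider, name, address, port in servers_using_password(SAMPLE_CLUSTERS):
        print(f"provider {provider}: entry {name} ({address}:{port}) uses a username; replace it")
```

Run the module directly to see both checks against the constructed data; for a real environment call live_audit() and feed the actual vpxd.log into parse_kms_failures(). Any entry the audit flags is a candidate for step 3, but only after a certificate-only replacement entry for the same provider reports "Connected".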

Additional Information

ESXi host encryption fails with the error "CreateKey failed on key provider" (Japanese-language version of this article)