This document describes how to back up the TPM recovery key from a newly installed VMware ESXi server, and how to use that key to restore the secure ESXi configuration.
The secure ESXi configuration is encrypted with a key sealed in the host's TPM. If the TPM fails, or if you clear it, you must recover the secure ESXi configuration; until you do, the ESXi host cannot boot.
Recovery is required in the following situations:
- You cleared the TPM (that is, the seeds in the TPM were reset).
- The TPM failed.
- You replaced the motherboard or the TPM device, or both.
Process – Backup
Enable SSH access to the server from vCenter: in the Hosts and Clusters view, select the server, open “Services” (in the middle menu), select “SSH”, then select “START”.
Connect to the ESXi server over SSH and run the following command:
esxcli system settings encryption recovery list
Store the recovery key in an appropriate password management tool (for example Azure Key Vault or PasswordState).
Disable SSH access to the server from vCenter: in the Hosts and Clusters view, select the server, open “Services” (in the middle menu), select “SSH”, then select “STOP”.
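A scripted version of the backup steps above, as an added example that is not part of this procedure or of VMware's tooling. It assumes key-based SSH as root, an example host name, that `esxcli system settings encryption recovery list` prints a two-column Recovery ID / Key table, and a store hook that you replace with your own vault CLI.

```shell
#!/bin/sh
# Added example (not part of the original procedure): automate the backup step by pulling
# the recovery key over SSH and handing it to a secret store. Assumed, not from the text:
# the host name, key-based SSH as root, the two-column table layout parsed below, and the
# storage command you plug into store_key.

# Parse the table printed by `esxcli system settings encryption recovery list`: a
# "Recovery ID" / "Key" header, a dashed separator, then one row per key. Rows are
# recognised by a brace-enclosed Recovery ID in the first column (assumed layout).
# Output: one "<recovery-id> <key>" line per row; header and separator are dropped.
parse_recovery_list() {
    awk '$1 ~ /^\{.*\}$/ && NF >= 2 { print $1, $2 }'
}

# Fetch the raw list from one host (SSH must be started on the host first, as above).
fetch_recovery_list() {
    ssh -o BatchMode=yes "root@$1" esxcli system settings encryption recovery list
}

# Store hook. Default: an owner-only file under $KEY_BACKUP_DIR; replace the body with
# your vault CLI (Azure Key Vault, PasswordState, ...). Arguments: host, recovery id, key.
store_key() {
    dir="${KEY_BACKUP_DIR:-$HOME/esxi-recovery-keys}"
    mkdir -p "$dir" && chmod 700 "$dir"
    ( umask 077; printf 'host=%s\nrecovery_id=%s\nkey=%s\n' "$1" "$2" "$3" > "$dir/$1-$2.txt" )
}

# Back up every key reported by one host. Fails loudly when the host returns no key,
# so an empty or mis-parsed listing is never mistaken for a successful backup.
backup_host() {
    host="$1"
    count=0
    for pair in $(fetch_recovery_list "$host" | parse_recovery_list | tr ' ' ','); do
        store_key "$host" "${pair%%,*}" "${pair#*,}"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "no recovery key returned by $host" >&2; return 1; }
    echo "backed up $count key(s) from $host"
}

# Constructed sample of the esxcli table (not real output), for exercising the parser offline.
SAMPLE_LIST='Recovery ID                             Key
--------------------------------------  ---
{11111111-2222-3333-4444-555555555555}  constructed-recovery-key-value'

# Usage against a real host (assumed example host name):
#   backup_host esxi01.example.internal
```

Run the backup while SSH is enabled on the host, then stop the SSH service again as described above.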
Process – Restore
Start the ESXi host.
When the ESXi installer window appears, press Shift+O to edit boot options.
To recover the configuration, append the following boot option to any existing boot options at the command prompt, replacing recovery_key with the key you backed up:
encryptionRecoveryKey=recovery_key
The secure ESXi configuration is recovered and the ESXi host boots.
Once the host has booted, persist the recovered configuration by running the following command from the ESXi shell:
/sbin/auto-backup.sh
