WilliamLam.com


Quick Tip - How to actually disable host encryption mode on ESXi?

07.25.2022 by William Lam // 2 Comments

This recent quote from my buddy Timo Sugliani (definitely worth a follow on Twitter) perfectly captures the essence of an issue that I had run into and I am sure many of you can also relate! 😀

Trying to do ONE thing and deviating to X, Y and Z. The common IT Journey

I was trying to generate an ESXi support bundle to share with Engineering and when I ran the "vm-support" command, I was surprised that it failed with the following message:

Command cannot succeed because this host is in crypto safe mode and the vm-support incident key is missing.


I had never seen this message before and I had assumed it was probably due to my recent use of adding a vTPM to a VM, which caused the host encryption mode to get enabled on this particular ESXi host. Although there were commands that I could follow, I actually just wanted to disable it and get the support bundle over to Engineering. I figured I should be able to easily disable it, right?

Looking at the vSphere UI under ESXi Security Profile, I saw the option to disable was grayed out. I did what most people should do in cases like this: open a tab and Google my question. A few of the results simply pointed users to follow the commands from vm-support, and then I came across the official vSphere documentation titled Disable Host Encryption Mode. Long story short, the documentation did not actually provide instructions on disabling host encryption mode; it mentions the use of an API but does not provide any useful details. The documentation then links to the vSphere SDK Programming Guide with a section called API Methods to Prepare an ESXi Host, which I found to be even more confusing. I attempted to cross-reference the mentioned vSphere APIs and even called the APIs, but it did not work. I suspect things may have changed since it was published and I started to go down a 🐇🕳️

Since the documentation mentioned the use of a vSphere API, I figured I could probably figure it out, and I turned to the vSphere MOB, which is an extremely useful tool for navigating and visualizing the vSphere SOAP APIs. While I was not able to find the specific mentioned APIs, I did find a method called CryptoManagerHostDisable() under the Crypto Manager for an ESXi host, which sounds like it could be useful?


What was even stranger was that when I tried to look up this vSphere API method in the latest vSphere API Reference documentation, nothing came up. In fact, there were three other APIs under the Crypto Manager that were also not listed in the documentation:

  • CryptoManagerHostEnable
  • CryptoManagerHostPrepare
  • ChangeKey_Task

The fact that these APIs are listed in the vSphere MOB also means that these are public vSphere APIs and can be consumed by customers, but it seems the vSphere API Reference may not be updated.

OK, if you made it this far or you just want to know how to disable host encryption mode, here are the two steps:

Step 1 - Leave the ESXi host connected to vCenter and run the following PowerCLI snippet (make sure to replace the name of your ESXi host):

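# Requires an existing Connect-VIServer session to the vCenter Server managing the host
$vmhost = Get-VMHost esxi.primp-industries.local
# Get the host's CryptoManager managed object and call the disable method on it
$vmhostCryptoManager = Get-View $vmhost.ExtensionData.ConfigManager.CryptoManager
$vmhostCryptoManager.CryptoManagerHostDisable()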

Step 2 - Reboot the ESXi host and once it is connected again, you should now see the host encryption mode set to disabled.

Note: I did end up deleting all the VMs on this ESXi host since I did not need them, so the steps may vary if you plan to keep your VMs. You most likely need to disable encryption on the VMs before following these steps. My environment consisted of vCenter Server 7.0 Update 3g and the ESXi host in question was running ESXi 7.0 Update 3f.
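
The two steps above with a pre-check for the caveat in the note, as an added PowerCLI example that is not code from the original post: it reports the host's cryptoState from the vSphere API and stops before the disable call if any VM on the host still has an encryption key or a vTPM. It assumes an existing Connect-VIServer session to vCenter; the Get-HostCryptoState helper and the decision to stop on encrypted VMs are this example's own.

```powershell
# Added example, not from the original post.
$hostName = 'esxi.primp-industries.local'   # host name used in the post; replace with yours

function Get-HostCryptoState([string]$Name) {
    # vSphere API HostSystem.runtime.cryptoState:
    # incapable | prepared | safe | pendingIncapable
    # Get-VMHost is called again each time so the value is not a cached one.
    (Get-VMHost -Name $Name).ExtensionData.Runtime.CryptoState
}

$vmhost = Get-VMHost -Name $hostName
Write-Host "Crypto state before: $(Get-HostCryptoState $hostName)"

# A VM counts as encrypted here if its config carries a key id or a vTPM device.
$hasVtpm = { param($vm) [bool]($vm.ExtensionData.Config.Hardware.Device |
        Where-Object { $_ -is [VMware.Vim.VirtualTPM] }) }

$encrypted = $vmhost | Get-VM |
    Where-Object { $_.ExtensionData.Config.KeyId -or (& $hasVtpm $_) } |
    Select-Object Name, PowerState,
        @{ N = 'KeyId';   E = { $_.ExtensionData.Config.KeyId.KeyId } },
        @{ N = 'HasVTPM'; E = { & $hasVtpm $_ } }

if ($encrypted) {
    # Assumption of this example: do not proceed while encrypted VMs remain.
    $encrypted | Format-Table -AutoSize | Out-String | Write-Host
    throw "Encrypted VMs remain on $hostName; decrypt, migrate or remove them first."
}

# Step 1 from the post: call CryptoManagerHostDisable() on the host's CryptoManager
$cryptoManager = Get-View $vmhost.ExtensionData.ConfigManager.CryptoManager
$cryptoManager.CryptoManagerHostDisable()
Write-Host "Crypto state after disable call: $(Get-HostCryptoState $hostName)"

# Step 2 from the post: reboot the host. Once it has reconnected to vCenter,
# confirm the result with:
#   Get-HostCryptoState $hostName
```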

I will also share this feedback with our vSphere Documentation team and hopefully it will be updated with actual steps for disabling host encryption mode.


Comments

  1. André Pett says

    07/25/2022 at 10:16 am

    Cormac posted about this a while back, and also explains the reason for the vm-support encryption. https://cormachogan.com/2017/01/09/gathering-core-dump-files-encryption-enabled/

    • William Lam says

      07/25/2022 at 10:30 am

      Thanks for sharing Andre. Although I'm aware of the "why", it doesn't help me disable it and everyone has been pointing to follow instructions whereas I wanted to completely disable it 🙂


Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Infrastructure Business Group (CIBG) at VMware. He focuses on Cloud Native technologies, Automation, Integration and Operation for the VMware Cloud based Software Defined Datacenters (SDDC)