This recent quote from my buddy Timo Sugliani (definitely worth a follow on Twitter) perfectly captures the essence of an issue I had run into, and I am sure many of you can also relate! 😀
Trying to do ONE thing and deviating to X, Y and Z. The common IT Journey
I was trying to generate an ESXi support bundle to share with Engineering, and when I ran the "vm-support" command, I was surprised that it failed with the following message:
Command cannot succeed because this host is in crypto safe mode and the vm-support incident key is missing.
I had never seen this message before and assumed it was probably due to my recently adding a vTPM to a VM, which caused host encryption mode to get enabled on this particular ESXi host. Although there were commands that I could have followed, I actually just wanted to disable it and get the support bundle over to Engineering. I figured I should be able to easily disable it, right?
Looking at the vSphere UI under the ESXi Security Profile, I saw the option to disable was grayed out. I did what most people should do in cases like this: open a tab and Google my question. A few of the results simply pointed users to follow the commands from vm-support, and then I came across the official vSphere documentation titled Disable Host Encryption Mode. Long story short, the documentation did not actually provide instructions on disabling host encryption mode; it mentions the use of an API but does not provide any useful details. The documentation then links to the vSphere SDK Programming Guide, to a section called API Methods to Prepare an ESXi Host, which I found even more confusing. Attempting to cross-reference the mentioned vSphere APIs, and even calling them, did not work. I suspect things may have changed since it was published, and I started to go down a 🐇🕳️
Since the documentation mentioned the use of a vSphere API, I figured I could probably work it out myself, so I turned to the vSphere MOB, which is an extremely useful tool for navigating and visualizing the vSphere SOAP APIs. While I was not able to find the specific APIs mentioned in the documentation, I did find a method called CryptoManagerHostDisable() under the Crypto Manager for an ESXi host, which sounded like it could be useful.
What was even stranger was that when I tried to look up this vSphere API method in the latest vSphere API Reference documentation, nothing came up. In fact, there were three other APIs under the Crypto Manager that were also not listed in the documentation:
The fact that these APIs are listed in the vSphere MOB also means that they are public vSphere APIs and can be consumed by customers, but it seems the vSphere API Reference may not have been updated.
OK, if you made it this far or you just want to know how to disable host encryption mode, here are the two steps:
Step 1 - Leave the ESXi host connected to vCenter and run the following PowerCLI snippet (make sure to replace the name of your ESXi host):
```powershell
# Retrieve the ESXi host object (replace the name with your own host)
$vmhost = Get-VMhost esxi.primp-industries.local
# Get a view of the host's Crypto Manager managed object
$vmhostCryptoManager = Get-View $vmhost.ExtensionData.ConfigManager.CryptoManager
# Call the (undocumented, but public) method that disables host encryption mode
$vmhostCryptoManager.CryptoManagerHostDisable()
```
Step 2 - Reboot the ESXi host and once it is connected again, you should now see the host encryption mode set to disabled.
Note: I did end up deleting all the VMs on this ESXi host since I did not need them, so the steps may vary if you plan to keep your VMs. You will most likely need to disable encryption on the VMs before following these steps. My environment consisted of vCenter Server 7.0 Update 3g, and the ESXi host in question was running ESXi 7.0 Update 3f.
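For readers who want to keep their VMs, here is an added PowerCLI example (not code from the original post) that wraps the two steps above with the checks a practitioner would want before calling the method: it verifies that the host lookup actually returned an object, reads the host's current crypto state from HostRuntimeInfo.cryptoState, and refuses to proceed while any VM on the host still carries an encryption key (Config.KeyId is set for encrypted VMs, including those with a vTPM). It assumes you have already run Connect-VIServer against vCenter; the host name is passed in as a parameter rather than hard-coded.

```powershell
# Added example, not part of the original post. Assumes PowerCLI is installed and
# Connect-VIServer to the vCenter managing the host has already been run.
param(
    [Parameter(Mandatory = $true)]
    [string]$HostName   # placeholder: name of the ESXi host as known to vCenter
)

# Make sure the host object actually resolved. An empty $vmhost is exactly what makes
# Get-View prompt for 'VIObject[0]:' on the next line.
$vmhost = Get-VMHost -Name $HostName -ErrorAction Stop
if (-not $vmhost) {
    throw "No ESXi host named '$HostName' was found in the connected vCenter."
}

# Report the current state. HostRuntimeInfo.cryptoState is one of:
# incapable (host encryption mode disabled), prepared, safe, pendingIncapable.
$state = $vmhost.ExtensionData.Runtime.CryptoState
Write-Host "Host $($vmhost.Name) crypto state before: $state"
if ($state -eq 'incapable') {
    Write-Host "Host encryption mode is already disabled; nothing to do."
    return
}

# Refuse to proceed while encrypted VMs (VM encryption or vTPM) still live on the host:
# once the host is 'incapable' it can no longer hold the keys those VMs need.
$encryptedVMs = Get-VM -Location $vmhost |
    Where-Object { $null -ne $_.ExtensionData.Config.KeyId }
if ($encryptedVMs) {
    $names = ($encryptedVMs | Select-Object -ExpandProperty Name) -join ', '
    throw "Encrypted VMs still on host: $names. Decrypt or migrate them before disabling host encryption mode."
}

# Step 1: call CryptoManagerHostDisable() on the host's Crypto Manager, as found in the vSphere MOB.
$cryptoMgr = Get-View -Id $vmhost.ExtensionData.ConfigManager.CryptoManager -ErrorAction Stop
try {
    $cryptoMgr.CryptoManagerHostDisable()
}
catch {
    # An authorization fault here usually means the account lacks the
    # Cryptographic operations privileges (see Nate's comment in the thread).
    throw "CryptoManagerHostDisable() failed: $($_.Exception.Message)"
}

# Step 2 is the reboot; the new state only shows up after the host reconnects.
Write-Host "CryptoManagerHostDisable() succeeded. Reboot $($vmhost.Name); after it reconnects, Runtime.CryptoState should read 'incapable'."
```

Run it as `.\Disable-HostEncryption.ps1 -HostName esxi01.example.local` (a constructed name) after connecting to vCenter. The reboot is deliberately left to you, since Restart-VMHost expects the host to be in maintenance mode and that decision belongs to the operator.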
I will also share this feedback with our vSphere Documentation team and hopefully it will be updated with actual steps for disabling host encryption mode.
André Pett says
Cormac posted about this a while back, and also explains the reason for the vm-support encryption. https://cormachogan.com/2017/01/09/gathering-core-dump-files-encryption-enabled/
William Lam says
Thanks for sharing, Andre. Although I'm aware of the "why", it doesn't help me disable it, and everyone has been pointing to follow instructions whereas I wanted to completely disable it 🙂
Nate says
vSphere 8.0 doesn't seem to be cooperating with this method unfortunately.
Nate says
Scratch that. Account didn't have necessary Crypto permissions!
Jon Harris says
Hi William, thanks for the article.
I am trying to run this but unsuccessfully.
We keep getting the following issue at the '$vmhostCryptoManager = Get-View' line, whereby it is asking for a 'VIObject[0]:'
e.g.:
PS C:\> C:\esxi_disable_encryption.ps1
cmdlet Get-View at command pipeline position 1
Supply values for the following parameters:
VIObject[0]:
Any advice would be amazing.
Thanks
Jon
William Lam says
Did you check that `$vmhost = Get-VMhost esxi.primp-industries.local` is providing you with actual output? The first line retrieves the host, so make sure that variable is populated. If not, then of course the use of that variable in the next line will fail.
Markus says
Jon, maybe you entered four rows. The 2nd and 3rd rows belong together.
crypto wallet says
Thank you for this informative post! Disabling host encryption mode on ESXi is a crucial step for many users, especially in specific configurations or troubleshooting scenarios. Your step-by-step guide is clear and easy to follow, making the process much more manageable. It's great to have resources like this available for the ESXi community, ensuring a smooth experience for all users. Looking forward to more insightful posts like this!