This recent quote from my buddy Timo Sugliani (definitely worth a follow on Twitter) perfectly captures the essence of an issue that I had run into, and I am sure many of you can also relate! 😀
Trying to do ONE thing and deviating to X, Y and Z. The common IT Journey
I was trying to generate an ESXi support bundle to share with Engineering, and when I ran the "vm-support" command, I was surprised that it failed with the following message:
Command cannot succeed because this host is in crypto safe mode and the vm-support incident key is missing.
I had never seen this message before, and I assumed it was probably due to my recent experiment of adding a vTPM to a VM, which caused host encryption mode to get enabled on this particular ESXi host. Although there were commands I could have followed, I actually just wanted to disable it and get the support bundle over to Engineering. I figured I should be able to easily disable it, right?
Looking at the vSphere UI under the ESXi host's Security Profile, I saw that the option to disable it was grayed out. I did what most people should do in cases like this: open a tab and Google the question. A few of the results simply pointed users to follow the commands suggested by vm-support, and then I came across the official vSphere documentation titled Disable Host Encryption Mode. Long story short, the documentation does not actually provide instructions for disabling host encryption mode; it mentions the use of an API but gives no useful details. The documentation then links to the vSphere SDK Programming Guide, to a section called API Methods to Prepare an ESXi Host, which I found even more confusing; when I tried to cross-reference the vSphere APIs it mentions and even called them, it did not work. I suspect things may have changed since it was published, and I started to go down a 🐇🕳️
Since the documentation mentioned the use of a vSphere API, I figured I could probably work it out myself, so I turned to the vSphere MOB, which is an extremely useful tool for navigating and visualizing the vSphere SOAP APIs. While I was not able to find the specific APIs the documentation mentioned, I did find a method called CryptoManagerHostDisable() under the Crypto Manager for an ESXi host, which sounded like it could be useful.
What was even stranger was that when I tried looking up this vSphere API method in the latest vSphere API Reference documentation, nothing came up. In fact, there were three other APIs under the Crypto Manager that were also not listed in the documentation:
The fact that these APIs are listed in the vSphere MOB also means that they are public vSphere APIs and can be consumed by customers, but it seems the vSphere API Reference has not been updated to include them.
OK, if you made it this far, or you just want to know how to disable host encryption mode, here are the two steps:
Step 1 – Leave the ESXi host connected to vCenter and run the following PowerCLI snippet (make sure to replace the name of your ESXi host):
$vmhost = Get-VMHost esxi.primp-industries.local
$vmhostCryptoManager = Get-View $vmhost.ExtensionData.ConfigManager.CryptoManager
# Invoke the CryptoManagerHostDisable() method found in the vSphere MOB
$vmhostCryptoManager.CryptoManagerHostDisable()
Step 2 – Reboot the ESXi host and once it is connected again, you should now see the host encryption mode set to disabled.
Note: I ended up deleting all the VMs on this ESXi host, since I did not need them, so the steps may vary if you plan to keep your VMs. You will most likely need to disable encryption on the VMs before following these steps. My environment consisted of vCenter Server 7.0 Update 3g, and the ESXi host in question was running ESXi 7.0 Update 3f.
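Because the steps above assume no encrypted or vTPM-backed VMs remain on the host, here is an added PowerCLI example (not part of the original post) that reports the host's crypto state, lists any VMs on that host that are still encrypted or carry a vTPM, and only invokes CryptoManagerHostDisable() when none are found. The host name esxi.example.local is a placeholder, and the example assumes CryptoManagerHostDisable() takes no arguments, since the post does not document its parameters.

```powershell
# Added example, not from the original post.
# Assumptions: esxi.example.local is a placeholder host name, and
# CryptoManagerHostDisable() (the MOB method named in the post) takes no arguments.

$hostName = "esxi.example.local"   # placeholder; replace with your ESXi host
$vmhost = Get-VMHost -Name $hostName

# HostRuntimeInfo.cryptoState reports incapable / prepared / safe / pendingIncapable
"Crypto state before: {0}" -f $vmhost.ExtensionData.Runtime.CryptoState

# VMs that would be affected by disabling host encryption:
# an encrypted VM carries a KeyId, and a vTPM appears as a VirtualTPM device.
$blockers = foreach ($vm in Get-VM -Location $vmhost) {
    $cfg = $vm.ExtensionData.Config
    $encrypted = $null -ne $cfg.KeyId
    $hasTpm = @($cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualTPM] }).Count -gt 0
    if ($encrypted -or $hasTpm) {
        [pscustomobject]@{ VM = $vm.Name; Encrypted = $encrypted; vTPM = $hasTpm }
    }
}

if ($blockers) {
    "Encrypted or vTPM-backed VMs still on $hostName; remove their encryption (or the VMs) first:"
    $blockers | Format-Table -AutoSize
    return
}

# Same call as Step 1 of the post, reached only once the host carries no encrypted VMs
$cryptoMgr = Get-View $vmhost.ExtensionData.ConfigManager.CryptoManager
$cryptoMgr.CryptoManagerHostDisable()   # assumption: no parameters

"CryptoManagerHostDisable() invoked; reboot $hostName (Step 2) and then re-check with:"
"  (Get-VMHost -Name $hostName).ExtensionData.Runtime.CryptoState"
```

Run it from a PowerCLI session already connected to vCenter with Connect-VIServer. Checking Runtime.CryptoState before and after the reboot gives you an API-level confirmation of what the Security Profile page in the vSphere UI shows.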
I will also share this feedback with our vSphere Documentation team and hopefully it will be updated with actual steps for disabling host encryption mode.