If you have a supported Trusted Platform Module (TPM) device that was installed in your ESXi host after the initial installation, and you either replace the TPM chip or reset the TPM keys within the system BIOS, you may find several TPM alarms raised within your vCenter Server, including:
- Host TPM attestation alarm
- TPM Encryption Recovery Key Backup Alarm
- The new host TPM endorsement key doesn't match the one stored in the DB
I recently had to resolve this in my lab after clearing the TPM keys within the system BIOS for some testing I was doing, but I could not figure out how to get vCenter Server to clear the previous endorsement keys associated with the ESXi host.
After a bit of searching, I came across VMware KB 81446, which outlines a solution to one of the scenarios I mentioned above where you would see these TPM alarms, namely replacing the TPM chip. I came to find out that the workflow is also applicable if you had cleared the TPM keys and new ones were generated prior to re-installing ESXi. The KB was missing some details, which I have already shared in the feedback, and I think there is a more streamlined method, which I have shared below.
Step 1 - You will need to remove the existing ESXi host from the vCenter Server inventory
Step 2 - SSH to the ESXi host and retrieve the encryption recovery key (96-character) using the following ESXCLI command:
esxcli system settings encryption recovery list
Step 3 - Unlike the VMware KB, which instructs the user to manually type out the 96-character key during the ESXi boot by pressing SHIFT+O, a simpler method is to edit the ESXi boot.cfg, append the encryptionRecoveryKey option, and then remove it after the next boot. Typing a 96-character key by hand carries a high probability of a typo.
Edit /bootbank/boot.cfg and append encryptionRecoveryKey=[RECOVERY_KEY], using the key from the previous step, to the kernelopt line, then save your changes.
Step 4 - Finally, reboot the ESXi host, remove the entry you made from /bootbank/boot.cfg, and then re-add the ESXi host to the vCenter Server inventory. You may still see the TPM alarm one more time, but go ahead and clear it; on subsequent reboots, the alarm will no longer show up.
You can also confirm everything is working as expected by navigating to the vSphere Cluster and, under Monitor->Security, you should now see that your ESXi host has been successfully attested by vCenter Server and the previous endorsement key has been updated.