rbaevergreen
Contributor

Broken encryption

I added the HyTrust encryption to my vSphere lab. I later broke the VM and lost the keys. I reinstalled HyTrust, but ESXi won't re-enable encryption because it's looking for the old keyserver name despite this not being listed in the vCenter KMS list anymore. How do I remove the reference?

4 Replies
ashwin_prakash
VMware Employee

You should be able to unlock and re-enable encryption using the steps mentioned in the KB below.

Resolve Missing Key Issues

Sincerely,
Ashwin Prakash
Skyline Support Moderator
rbaevergreen
Contributor

I don't think I explained this well as I didn't have my exact error messages at the time. I don't have any encrypted VMs and the original KMS server is gone, but it was once registered. I installed a new KMS server with different keys.

When I attempt to use Security Profile --> Host Encryption Mode and set it to Enabled, I get:

RuntimeFault.summary

"Key d<redacted>491c/HyTrust-LAB-01 not found";

I was trying to do this as I received a different error trying to encrypt a VM:

The operation is not supported on the object.

Cannot enable host encryption for host [vim.HostSystem:host-10,<hostname>]

ashwin_prakash
VMware Employee

You would have to remove the host from the existing vCenter and unregister the VMs from the host which were previously encrypted.

Add only the host to the vCenter server.

Enable Host Encryption mode.

Register the VM back to the host.

Sincerely,
Ashwin Prakash
Skyline Support Moderator
Phil_K
Enthusiast

Did you ever find a resolution to your problem? I have the exact same issue and the previous KB linked isn't relevant.

We don't have any VMs out there that are still encrypted and we have deleted the old KMS connection to the HyTrust server. We disabled encryption on the hosts and powered down the HyTrust appliance.

Now we're trying to use another product and we cannot enable encryption with the same error:

The last operation failed for the entity with the following error message.

RuntimeFault.summary
"Key XXXXXXXXXXXX/HyTrust_DataControl not found";

I would like to think there is a way to dump the keys so vCenter no longer looks for the KMS server? Maybe I'm not understanding this correctly though. Any help is appreciated.

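A check for the situation described in this thread, added here and not taken from the thread or from VMware: it lists ESXi hosts whose runtime crypto key (HostRuntimeInfo.cryptoKeyId) names a key provider that is no longer among the KMIP clusters vCenter lists. The live collector assumes pyVmomi and an already connected ServiceInstance; the host and provider sample data is constructed.

```python
"""Find hosts whose host key still references a key provider vCenter no longer
lists. Added example, not VMware code; pyVmomi is needed only for the live collector."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class HostKeyRef:
    name: str
    crypto_state: Optional[str]   # HostRuntimeInfo.cryptoState, e.g. "safe" / "incapable"
    key_id: Optional[str]         # CryptoKeyId.keyId
    provider_id: Optional[str]    # CryptoKeyId.providerId.id


def find_stale_host_keys(hosts: Sequence[HostKeyRef],
                         registered_providers: Sequence[str]) -> List[Tuple[str, str]]:
    """Return (host, provider) pairs where the host still carries a host key whose
    provider id is not among the key providers currently registered in vCenter."""
    known = set(registered_providers)
    return [(h.name, h.provider_id) for h in hosts
            if h.provider_id is not None and h.provider_id not in known]


def collect_host_keys(si) -> Tuple[List[HostKeyRef], List[str]]:
    """Live collector: read each host's runtime crypto key and the KMIP clusters
    registered with vCenter. `si` is a connected pyVmomi ServiceInstance."""
    from pyVmomi import vim  # imported here so the pure check runs without pyVmomi
    content = si.RetrieveContent()
    view = content.viewManager.CreateContainerView(content.rootFolder, [vim.HostSystem], True)
    hosts = []
    for host in view.view:
        key = host.runtime.cryptoKeyId
        hosts.append(HostKeyRef(host.name, host.runtime.cryptoState,
                                key.keyId if key else None,
                                key.providerId.id if key and key.providerId else None))
    view.Destroy()
    providers = [c.clusterId.id for c in content.cryptoManager.ListKmipServers()]
    return hosts, providers


# Constructed sample mirroring the thread: one host still bound to a provider that was
# removed from the KMS list, one never enabled, one already on the new provider.
SAMPLE_HOSTS = [
    HostKeyRef("esx-lab-01", "safe", "constructed-key-id-1", "HyTrust-LAB-01"),
    HostKeyRef("esx-lab-02", "incapable", None, None),
    HostKeyRef("esx-lab-03", "safe", "constructed-key-id-2", "NewKMS"),
]
SAMPLE_PROVIDERS = ["NewKMS"]

if __name__ == "__main__":
    for host, provider in find_stale_host_keys(SAMPLE_HOSTS, SAMPLE_PROVIDERS):
        print(f"{host}: host key from unregistered key provider {provider}")
```

Against a live vCenter, pass the two lists returned by `collect_host_keys(si)` to `find_stale_host_keys`; a host that shows up is the one the "Key .../<provider> not found" fault is about.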