david_sjostrand
Enthusiast

Disable Host Encryption mode in a cluster

I made the mistake of enabling host encryption mode on a host in a cluster to try out Windows 11. This triggered an alarm on every other host in the cluster. For some reason host encryption mode was also enabled automatically on one additional host in the cluster.

When I upgraded a third host in the cluster, this resulted in host encryption mode being automatically enabled on this host as well. As I don't really need host encryption mode (I have removed the Windows 11 VM), I thought I'd disable it. This proved to be quite tricky, as it requires the host to be removed from the vCenter Server, restarted and added back. As I am using a distributed virtual switch, I first had to move an uplink to a standard switch, migrate all vmkernel interfaces to it and remove the host from the distributed switch.

I did all this on one of the three hosts with host encryption mode enabled. It worked. I added it back to the cluster, and host encryption mode was promptly enabled automatically again. As it happens, this has to be done on all hosts with host encryption mode enabled at once. So I did. Luckily, it was only enabled on three of the 16 hosts in the cluster. After I was done, host encryption mode was disabled on all of the hosts in the cluster.

Then I upgraded the rest of the hosts, resulting in host encryption mode being enabled on every single one of them.

There should be a warning about this when enabling host encryption mode. This seems to be a one-way street with no documented way of getting out.

/David Sjöstrand
0 Kudos
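Before attempting the unregister, reboot and re-add procedure described in the post above, it helps to know exactly which hosts in the cluster are in encryption mode and what still ties each of them to the distributed switch. The following PowerCLI script is an added example, not code from the original thread or from VMware's documentation. It assumes PowerCLI is installed and a Connect-VIServer session already exists; the cluster name 'Prod-Cluster' is a placeholder. For every host it reads the runtime cryptoState, lists vmkernel adapters still bound to a distributed switch port, lists encrypted VMs registered on the host, and finally names the hosts that would have to be unregistered together.

```powershell
# Added example (not from the original thread): audit host encryption state
# in a cluster before trying to clear host encryption mode.
# Assumes an existing Connect-VIServer session. Cluster name is a placeholder.

$clusterName = 'Prod-Cluster'   # placeholder, replace with your cluster

$hosts = Get-Cluster -Name $clusterName | Get-VMHost | Sort-Object Name

$report = foreach ($h in $hosts) {
    # HostRuntimeInfo.cryptoState values:
    #   incapable        - host encryption mode is off
    #   prepared / safe  - host holds a host key, i.e. encryption mode is on
    #   pendingIncapable - enabled now, becomes incapable after the next reboot
    $state = $h.ExtensionData.Runtime.CryptoState

    # vmkernel adapters attached to a distributed switch port. These must be
    # migrated to a standard switch before the host can leave the vDS.
    $vmkOnVds = Get-VMHostNetworkAdapter -VMHost $h -VMKernel |
        Where-Object { $_.ExtensionData.Spec.DistributedVirtualPort } |
        Select-Object -ExpandProperty Name

    # VMs on this host that carry an encryption key (config.keyId is set).
    # A host with encrypted VMs registered on it cannot drop its host key.
    $encryptedVMs = Get-VM -Location $h |
        Where-Object { $_.ExtensionData.Config.KeyId } |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Host         = $h.Name
        CryptoState  = $state
        EncryptionOn = ($state -in @('prepared', 'safe', 'pendingIncapable'))
        VmkOnVDS     = ($vmkOnVds -join ',')
        EncryptedVMs = ($encryptedVMs -join ',')
    }
}

$report | Format-Table -AutoSize

# Per the behaviour described in the thread, hosts in encryption mode have to
# be removed from vCenter at the same time, otherwise the mode comes back.
$needsUnregister = $report | Where-Object { $_.EncryptionOn }
if ($needsUnregister) {
    "Hosts that must be unregistered together to clear host encryption mode:"
    $needsUnregister | Select-Object -ExpandProperty Host
} else {
    "No host in $clusterName is currently in host encryption mode."
}
```

Run the script read-only first; it changes nothing. A non-empty VmkOnVDS column is the list of adapters you have to migrate to a standard switch before removing that host from the distributed switch, and a non-empty EncryptedVMs column means the host cannot leave encryption mode until those VMs are decrypted or moved.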
2 Replies
ksujay
VMware Employee

Refer to the steps below to disable host encryption.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-C3000B91-2594-4CC...

Step 3 states: If the host is in a cluster, unregister the other encryption-enabled hosts in that cluster.

---------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMTN voluntarily (i.e., not in any official capacity)

0 Kudos
david_sjostrand
Enthusiast

This is what I did. After I removed all (3) hosts with host encryption mode enabled from the cluster and the vCenter Server, rebooted them and added them back, all the hosts in the cluster had host encryption mode disabled. Then I upgraded the hosts (from 7 U2 to 7 U3), and they all came back up with host encryption mode enabled. Now I can't disable it again, as I can't remove all hosts from the cluster at once.

I don't have a specific reason to have host encryption mode on, but I also don't have a specific reason not to, so I won't bother trying to disable it now. All I am saying is that I would have liked to know beforehand that it's a one-way street, and not, as the very article cited implies, that it is reversible. With that information I would never have enabled it to begin with.

/David Sjöstrand
0 Kudos