Hello,
We've been testing KMS servers in our lab. The last solution that was tested before I came on board was HyTrust. We have since moved to another product. The problem I'm having is that I cannot enable encryption to utilize the new KMS server, because there is some sort of relic encryption key that is persisting on the ESXi host.
Here is my error:
The last operation failed for the entity with the following error message.
RuntimeFault.summary
"Key XXXXXXXXXXXX/HyTrust_DataControl not found";
So far I've performed the following:
Put the ESXi host in maintenance mode
Removed it from inventory
Rebooted
Added it back to inventory
Exited maintenance mode
Still cannot enable encryption. For some reason the KEKs (?) are persisting on the host. Not sure why, but so far I have been unable to re-enable encryption after deleting the old HyTrust KMS and configuring a new solution.
So, the only thing I can assume is that there still might be an encrypted VM out there? If so, is there a programmatic or GUI method for determining that?
Below is the only community post I could find related to this issue:
Broken encryption
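As an added example (not part of the original post or any vendor documentation), the PowerCLI script below is one programmatic way to answer the question above: it lists, per ESXi host, the crypto state and the KMS key/provider the host kernel is currently holding, then lists every registered VM or template that still references an encryption key in its config or on any disk, and finally shows which KMS clusters vCenter currently knows about. It assumes VMware PowerCLI is installed and that the vCenter name and credentials are replaced with real ones; the property names used (HostRuntimeInfo.cryptoState/cryptoKeyId, VirtualMachineConfigInfo.keyId, the disk backing keyId, CryptoManagerKmip.kmipServers) are from the vSphere API.

```powershell
# Added example, not the original poster's code. Assumes PowerCLI is installed
# and that the vCenter name/credentials below are replaced with real values.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'vcenter.example.local' -Credential (Get-Credential) | Out-Null

# 1. Hosts: cryptoState is 'incapable', 'prepared' or 'safe'. Once a host is
#    'safe' it holds a host key; cryptoKeyId.providerId.id names the KMS
#    cluster that key came from, which is what an error like
#    "Key <id>/<cluster> not found" is referring to.
$hostReport = Get-VMHost | ForEach-Object {
    $rt = $_.ExtensionData.Runtime
    [pscustomobject]@{
        Host        = $_.Name
        CryptoState = $rt.CryptoState
        HostKeyId   = $rt.CryptoKeyId.KeyId
        Provider    = $rt.CryptoKeyId.ProviderId.Id
    }
}
"== Host crypto state =="
$hostReport | Format-Table -AutoSize

# 2. VMs and templates: anything whose VM config or any virtual disk backing
#    still carries a key id is still encrypted (or was encrypted and never
#    cleanly decrypted). Unregistered VMs on a datastore will not show here.
$vmReport = @(Get-VM) + @(Get-Template) | ForEach-Object {
    $cfg      = $_.ExtensionData.Config
    $disks    = $cfg.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualDisk] }
    $encDisks = $disks | Where-Object { $_.Backing.KeyId -ne $null }
    if ($cfg.KeyId -or $encDisks) {
        [pscustomobject]@{
            Name           = $_.Name
            VMKeyId        = $cfg.KeyId.KeyId
            Provider       = $cfg.KeyId.ProviderId.Id
            EncryptedDisks = ($encDisks | ForEach-Object { $_.DeviceInfo.Label }) -join ', '
        }
    }
}
"== Objects still referencing an encryption key =="
if ($vmReport) { $vmReport | Format-Table -AutoSize } else { "none found" }

# 3. KMS clusters vCenter currently has configured. A provider id that appears
#    in the reports above but not in this list is the stale reference.
$si = Get-View ServiceInstance
$cm = Get-View -Id $si.Content.CryptoManager
"== Configured KMS clusters =="
$cm.KmipServers | ForEach-Object {
    [pscustomobject]@{
        ClusterId    = $_.ClusterId.Id
        UseAsDefault = $_.UseAsDefault
        Servers      = ($_.Servers | ForEach-Object { $_.Address }) -join ', '
    }
} | Format-Table -AutoSize

Disconnect-VIServer -Confirm:$false
```

Run it with an account that can read host and VM configuration. Compare the Provider column in the first two tables against the ClusterId column in the last one: a VM, template or host key that still names a cluster which is no longer configured is the object holding the old reference. Note that Get-VM and Get-Template only return registered objects, so a VM folder that was unregistered from inventory but left on a datastore will not appear and would need to be found by browsing the datastore.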