Host is looking for Wrong Key Encryption Keys when trying to Enable Encryption on the host


We've been testing KMS servers in our lab. The last solution that was tested before I came on board was HyTrust. We have since moved to another product. The problem I'm having is that I cannot enable encryption to utilize the new KMS server because there is some sort of relic encryption key that is persisting on the ESXi host.

Here is my error:

The last operation failed for the entity with the following error message.

"Key XXXXXXXXXXXX/HyTrust_DataControl not found";

So far I've performed the following:

Put ESXi host in maintenance mode

Remove from inventory

Add back to inventory

Exit maintenance mode

Still cannot enable encryption. For some reason the KEKs? are persisting on the host. Not sure why, but so far I have been unable to re-enable encryption after deleting the old HyTrust KMS and configuring a new solution.

So, the only thing I can assume is that there still might be an encrypted VM out there? If so, is there a programmatic or gui method for determining that?

Below is the only community post I could find related to this issue:

Broken encryption

1 Reply

So you can view which VMs are encrypted by adding the field in the VM tab in vCenter. That part was easy.

I'm still waiting for a reply on how to perform an operation to dump the keys. Is there a gui button to do this? Referring to the API SDK guide does nothing for me. There doesn't seem to be anything on rekeying or dumping encryption keys.

If it's that easy to generate an error by simply deleting your old KMIP connection and adding a new verified one, I don't see how this would be a workable security function.

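The thread asks for a programmatic way to find leftover encrypted VMs and to dump the keys a host still references. The following PowerCLI script is an added example, not code from the original post or from VMware; it uses only the public vSphere API objects (VirtualMachineConfigInfo.keyId, HostRuntimeInfo.cryptoState/cryptoKeyId, CryptoManager.listKeys, CryptoManagerKmip.kmipServers) and assumes you have PowerCLI installed and rights to read the crypto configuration. The vCenter name vcenter.lab.example is a placeholder. The check it performs is the one that matters for the error quoted above: every key provider ID still referenced by a VM or by a host's own host key is compared against the KMS cluster IDs currently registered in vCenter, and anything pointing at a provider that no longer exists (for example HyTrust_DataControl after that KMS was removed) is reported.

```powershell
# Added example (not from the original post). Requires VMware.PowerCLI.
# Assumption: vcenter.lab.example is a placeholder; replace with your vCenter.
Import-Module VMware.PowerCLI -ErrorAction Stop
$vc = Connect-VIServer -Server 'vcenter.lab.example' -ErrorAction Stop

# 1. KMS clusters (key providers) that vCenter currently knows about.
$si = Get-View ServiceInstance -Server $vc
$cryptoMgr = Get-View -Id $si.Content.CryptoManager -Server $vc
$knownProviders = @($cryptoMgr.KmipServers | ForEach-Object { $_.ClusterId.Id })
Write-Host "Registered KMS cluster IDs: $($knownProviders -join ', ')"

# 2. Encrypted VMs: any VM whose config carries a keyId is encrypted.
#    Retrieve only the properties we need instead of full VM objects.
$vmViews = Get-View -ViewType VirtualMachine -Property Name, 'Config.KeyId' -Server $vc
$encryptedVMs = foreach ($v in $vmViews) {
    if ($null -ne $v.Config -and $null -ne $v.Config.KeyId) {
        [pscustomobject]@{
            VM       = $v.Name
            KeyId    = $v.Config.KeyId.KeyId
            Provider = $v.Config.KeyId.ProviderId.Id
            Orphaned = ($knownProviders -notcontains $v.Config.KeyId.ProviderId.Id)
        }
    }
}
Write-Host "`nEncrypted VMs:"
$encryptedVMs | Format-Table -AutoSize

# 3. Per-host crypto state, the host key (used for core dumps), and
#    every key the host's CryptoManager still holds.
$hostReport = foreach ($h in Get-VMHost -Server $vc) {
    $rt = $h.ExtensionData.Runtime
    $hostCryptoMgr = Get-View -Id $h.ExtensionData.ConfigManager.CryptoManager -Server $vc
    # listKeys(limit): $null means no limit.
    $keys = @($hostCryptoMgr.ListKeys($null))
    foreach ($k in $keys) {
        [pscustomobject]@{
            Host        = $h.Name
            CryptoState = $rt.CryptoState          # incapable | prepared | safe | pendingIncapable
            IsHostKey   = ($null -ne $rt.CryptoKeyId -and $rt.CryptoKeyId.KeyId -eq $k.KeyId)
            KeyId       = $k.KeyId
            Provider    = $k.ProviderId.Id
            Orphaned    = ($knownProviders -notcontains $k.ProviderId.Id)
        }
    }
    if ($keys.Count -eq 0) {
        [pscustomobject]@{ Host = $h.Name; CryptoState = $rt.CryptoState; IsHostKey = $false
                           KeyId = '<none>'; Provider = '<none>'; Orphaned = $false }
    }
}
Write-Host "`nKeys held by each host:"
$hostReport | Format-Table -AutoSize

# 4. Summary: anything that references a provider vCenter no longer has is
#    what produces "Key <id>/<provider> not found" when encryption is enabled.
$orphans = @($encryptedVMs | Where-Object Orphaned) + @($hostReport | Where-Object Orphaned)
if ($orphans.Count -gt 0) {
    Write-Warning "$($orphans.Count) key reference(s) point at a provider that is no longer registered:"
    $orphans | Format-Table -AutoSize
} else {
    Write-Host "`nNo orphaned key references found."
}

Disconnect-VIServer -Server $vc -Confirm:$false
```

Run it from a PowerCLI session as an account with Cryptographic operations privileges; it is read-only (it lists, it does not add, remove or rotate keys). A host whose own host key shows Orphaned = True is in exactly the situation the first post describes: removing the host from inventory does not clear that key, so re-registering the host against vCenter alone will not make the error go away, and the host key has to be re-established against a provider that actually exists before the host can enter the safe crypto state again.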