VMware GPU Homelab: Part 7 – Step-by-Step Guide…

VMware GPU Homelab: Part 7 – Step-by-Step Guide…

In this post, we’ll walk through the step-by-step process of deploying of the vSAN Witness Appliance for my Homelab’s 2-node vSAN cluster. Before we dive into the deployment, let’s quickly recap how a 2-node vSAN cluster works. Unlike larger vSAN clusters that require a minimum of three vSAN […]


Broadcom Social Media Advocacy

128GB memory mini PCs is now a reality with…

128GB memory mini PCs is now a reality with…

The long awaited 64GB DDR5 SODIMM memory modules from Crucial was just released this week! 😁 I was so excited about the news, I quickly splurged on a pair of these brand new modules, which are currently priced at $364 USD on Amazon! πŸ˜…πŸ’° As of publishing this blog post, there is currently no […]


Broadcom Social Media Advocacy

How to Quickly Check/Backup ESXi Host TPM Encryption Recovery Key Using PowerCLI

Managing encryption across multiple ESXi hosts can be a bit of a hassle. But don’t worry. I’ve got a simple PowerCLI script that’ll save you time and headaches by quickly retrieving encryption status and recovery keys from your VMware environment.

Why Do You Need This?

Ensuring your ESXi hosts are correctly encrypted is essential for security. Regular checks help prevent surprises later, especially during troubleshooting or audits.

Getting Started

First, make sure you’re connected to your vCenter:

Connect-VIServer -Server

Replace with your vCenter IP or FQDN.

The Script Breakdown

Here’s a quick rundown of the PowerCLI script to verify encryption settings across all ESXi hosts and who Recovery key for each ESXi host. (link to GitHub repository and file tpm_recovery_key_backup.ps1):

# Connect to your vCenter server (if not already connected)
# Connect-VIServer -Server <VCENTER_IP_OR_FQDN>

$esxis  = get-vmhost | Sort-Object

foreach ($esx in $esxis) {
    $key= @()
    $enc = @()
    if ($esx.ConnectionState -ne "Connected" -and $esx.ConnectionState -ne "Maintenance") {
        Write-Host ""
        Write-Host "================================================================================" -ForegroundColor Yellow
        Write-Host "🚫 SKIPPED HOST" -ForegroundColor Yellow
        Write-Host "Host                : $($esx.Name)" -ForegroundColor DarkYellow
        Write-Host "Reason              : Not powered on or disconnected." -ForegroundColor DarkYellow
        Write-Host "================================================================================" -ForegroundColor Yellow
        Write-Host ""
        continue
    }
    $esxcli = Get-EsxCli -VMHost $esx -V2
    try {
        $key = $esxcli.system.settings.encryption.recovery.list.Invoke()
        $enc =  $esxcli.system.settings.encryption.get.Invoke()

        Write-Host "================================================================================" -ForegroundColor DarkCyan
        Write-Host "πŸ”Ή ESXi Host        : $($esx.Name)" -ForegroundColor Cyan
        Write-Host "πŸ” Recovery ID      : $($key.RecoveryID)" -ForegroundColor Green
        Write-Host "πŸ—οΈ  Recovery Key     : $($key.Key)" -ForegroundColor Yellow
        Write-Host "πŸ”’ Encryption Mode  : $($enc.Mode)" -ForegroundColor Magenta
        Write-Host "================================================================================" -ForegroundColor DarkCyan
        Write-Host ""
    }
    catch {
        Write-Host ""
        Write-Host "================================================================================" -ForegroundColor DarkGray
        Write-Host "❌ ERROR for host    : $($esx.Name)" -ForegroundColor Red
        Write-Host "⚠️  Failed to get encryption key for $($esx.Name) ."
        Write-Host "🧨 Error details     : $_"
        Write-Host "================================================================================" -ForegroundColor DarkGray
        Write-Host ""
    }
}

What the Script Does

  • Connects to each ESXi host.
  • Checks if the host is Connected or in Maintenance mode.
  • Retrieves the Encryption Recovery ID and Key.
  • Shows the current encryption mode.
  • Gracefully handles hosts that are offline or disconnected, clearly indicating skipped or problematic hosts.

Output

Connected hosts or in Maintenance with Encryption keys

Powered off or disconnected hosts – Skipped hosts

Hosts without encryption keys or with errors

Wrapping It Up

This quick script helps you stay on top of ESXi encryption keys effortlessly. Just copy, adjust if needed, and run. Happy scripting!

Version 1.0 AVS Sizer! – DinoCloud

Version 1.0 AVS Sizer! – DinoCloud

I started thinking about how I could use this blog to make a sizer based on my previous AVS storage sizing post. Of course, as a reminder this is not an official sizer, but I understand that many in the partner and customer community don’t have any access to this basic need. So here we are! […]


Broadcom Social Media Advocacy

Changing DNS server in NSX _ brisk-it.net

Changing DNS server in NSX _ brisk-it.net

We recently spun up a new datacenter and used another site to bootstrap our DNS configuration. Now that we’ve got local DNS services, it’s time to change all our configuration! In this article I’ll show you how you can change the DNS configuration in your NSX environment. The process is the […]


Broadcom Social Media Advocacy