Category: VMware

Managing encryption across multiple ESXi hosts can be a bit of a hassle. But don’t worry. I’ve got a simple PowerCLI script that’ll save you time and headaches by quickly retrieving encryption status and recovery keys from your VMware environment.

Why Do You Need This?

Ensuring your ESXi hosts are correctly encrypted is essential for security. Regular checks help prevent surprises later, especially during troubleshooting or audits.

Getting Started

First, make sure you’re connected to your vCenter:

Connect-VIServer -Server

Replace with your vCenter IP or FQDN.

The Script Breakdown

Here’s a quick rundown of the PowerCLI script to verify encryption settings across all ESXi hosts and who Recovery key for each ESXi host. (link to GitHub repository and file tpm_recovery_key_backup.ps1):

# Connect to your vCenter server (if not already connected)
# Connect-VIServer -Server <VCENTER_IP_OR_FQDN>

$esxis  = get-vmhost | Sort-Object

foreach ($esx in $esxis) {
    $key= @()
    $enc = @()
    if ($esx.ConnectionState -ne "Connected" -and $esx.ConnectionState -ne "Maintenance") {
        Write-Host ""
        Write-Host "================================================================================" -ForegroundColor Yellow
        Write-Host "🚫 SKIPPED HOST" -ForegroundColor Yellow
        Write-Host "Host                : $($esx.Name)" -ForegroundColor DarkYellow
        Write-Host "Reason              : Not powered on or disconnected." -ForegroundColor DarkYellow
        Write-Host "================================================================================" -ForegroundColor Yellow
        Write-Host ""
        continue
    }
    $esxcli = Get-EsxCli -VMHost $esx -V2
    try {
        $key = $esxcli.system.settings.encryption.recovery.list.Invoke()
        $enc =  $esxcli.system.settings.encryption.get.Invoke()

        Write-Host "================================================================================" -ForegroundColor DarkCyan
        Write-Host "🔹 ESXi Host        : $($esx.Name)" -ForegroundColor Cyan
        Write-Host "🔐 Recovery ID      : $($key.RecoveryID)" -ForegroundColor Green
        Write-Host "🗝️  Recovery Key     : $($key.Key)" -ForegroundColor Yellow
        Write-Host "🔒 Encryption Mode  : $($enc.Mode)" -ForegroundColor Magenta
        Write-Host "================================================================================" -ForegroundColor DarkCyan
        Write-Host ""
    }
    catch {
        Write-Host ""
        Write-Host "================================================================================" -ForegroundColor DarkGray
        Write-Host "❌ ERROR for host    : $($esx.Name)" -ForegroundColor Red
        Write-Host "⚠️  Failed to get encryption key for $($esx.Name) ."
        Write-Host "🧨 Error details     : $_"
        Write-Host "================================================================================" -ForegroundColor DarkGray
        Write-Host ""
    }
}

What the Script Does

• Connects to each ESXi host.
• Checks if the host is Connected or in Maintenance mode.
• Retrieves the Encryption Recovery ID and Key.
• Shows the current encryption mode.
• Gracefully handles hosts that are offline or disconnected, clearly indicating skipped or problematic hosts.

Output

Connected hosts or in Maintenance with Encryption keys

Powered off or disconnected hosts – Skipped hosts

Hosts without encryption keys or with errors

Wrapping It Up

This quick script helps you stay on top of ESXi encryption keys effortlessly. Just copy, adjust if needed, and run. Happy scripting!