Category: VMware

VMware technologies

How to Quickly Check/Backup ESXi Host TPM Encryption Recovery Key Using PowerCLI

Managing encryption across multiple ESXi hosts can be a bit of a hassle. But don’t worry. I’ve got a simple PowerCLI script that’ll save you time and headaches by quickly retrieving encryption status and recovery keys from your VMware environment.

Why Do You Need This?

Ensuring your ESXi hosts are correctly encrypted is essential for security. Regular checks help prevent surprises later, especially during troubleshooting or audits.

Getting Started

First, make sure you’re connected to your vCenter:

Connect-VIServer -Server

Replace with your vCenter IP or FQDN.

The Script Breakdown

Here’s a quick rundown of the PowerCLI script to verify encryption settings across all ESXi hosts and who Recovery key for each ESXi host. (link to GitHub repository and file tpm_recovery_key_backup.ps1):

# Connect to your vCenter server (if not already connected)
# Connect-VIServer -Server <VCENTER_IP_OR_FQDN>

$esxis  = get-vmhost | Sort-Object

foreach ($esx in $esxis) {
    $key= @()
    $enc = @()
    if ($esx.ConnectionState -ne "Connected" -and $esx.ConnectionState -ne "Maintenance") {
        Write-Host ""
        Write-Host "================================================================================" -ForegroundColor Yellow
        Write-Host "๐Ÿšซ SKIPPED HOST" -ForegroundColor Yellow
        Write-Host "Host                : $($esx.Name)" -ForegroundColor DarkYellow
        Write-Host "Reason              : Not powered on or disconnected." -ForegroundColor DarkYellow
        Write-Host "================================================================================" -ForegroundColor Yellow
        Write-Host ""
        continue
    }
    $esxcli = Get-EsxCli -VMHost $esx -V2
    try {
        $key = $esxcli.system.settings.encryption.recovery.list.Invoke()
        $enc =  $esxcli.system.settings.encryption.get.Invoke()

        Write-Host "================================================================================" -ForegroundColor DarkCyan
        Write-Host "๐Ÿ”น ESXi Host        : $($esx.Name)" -ForegroundColor Cyan
        Write-Host "๐Ÿ” Recovery ID      : $($key.RecoveryID)" -ForegroundColor Green
        Write-Host "๐Ÿ—๏ธ  Recovery Key     : $($key.Key)" -ForegroundColor Yellow
        Write-Host "๐Ÿ”’ Encryption Mode  : $($enc.Mode)" -ForegroundColor Magenta
        Write-Host "================================================================================" -ForegroundColor DarkCyan
        Write-Host ""
    }
    catch {
        Write-Host ""
        Write-Host "================================================================================" -ForegroundColor DarkGray
        Write-Host "โŒ ERROR for host    : $($esx.Name)" -ForegroundColor Red
        Write-Host "โš ๏ธ  Failed to get encryption key for $($esx.Name) ."
        Write-Host "๐Ÿงจ Error details     : $_"
        Write-Host "================================================================================" -ForegroundColor DarkGray
        Write-Host ""
    }
}

What the Script Does

  • Connects to each ESXi host.
  • Checks if the host is Connected or in Maintenance mode.
  • Retrieves the Encryption Recovery ID and Key.
  • Shows the current encryption mode.
  • Gracefully handles hosts that are offline or disconnected, clearly indicating skipped or problematic hosts.

Output

Connected hosts or in Maintenance with Encryption keys

Powered off or disconnected hosts – Skipped hosts

Hosts without encryption keys or with errors

Wrapping It Up

This quick script helps you stay on top of ESXi encryption keys effortlessly. Just copy, adjust if needed, and run. Happy scripting!

Version 1.0 AVS Sizer! โ€“ DinoCloud

Version 1.0 AVS Sizer! โ€“ DinoCloud

I started thinking about how I could use this blog to make a sizer based on my previous AVS storage sizing post. Of course, as a reminder this is not an official sizer, but I understand that many in the partner and customer community donโ€™t have any access to this basic need. So here we are! […]

Broadcom Social Media Advocacy

Changing DNS server in NSX _ brisk-it.net

Changing DNS server in NSX _ brisk-it.net

We recently spun up a new datacenter and used another site to bootstrap our DNS configuration. Now that weโ€™ve got local DNS services, itโ€™s time to change all our configuration! In this article Iโ€™ll show you how you can change the DNS configuration in your NSX environment. The process is the […]

Broadcom Social Media Advocacy

Comprehensive Guide to the deploy.sh Script in…

Comprehensive Guide to the deploy.sh Script in…

Introduction to the deploy.sh Script | The deploy.sh script is a fundamental tool in the VMware Aria Automation ecosystem (formerly vRealize Automation), responsible for deploying, configuring, and managing all components of this advanced environment. Located in the /opt/scripts/ […]

Broadcom Social Media Advocacy

PowerCLI on Mac, Linux, and Windows _ vcrocs.info

PowerCLI on Mac, Linux, and Windows _ vcrocs.info

Ready to dive into automation? Excellent choice! Planning to automate on a Mac, Linux, or Windows? Fantastic! I love that VMware PowerCLI is built as a PowerShell module, making automation seamless across Mac, Linux, and Windows. Since VMware is my primary focus for automation, PowerShell […]

Broadcom Social Media Advocacy