How to Quickly Check/Backup ESXi Host TPM Encryption Recovery Key Using PowerCLI

Managing encryption across multiple ESXi hosts can be a bit of a hassle. But don’t worry. I’ve got a simple PowerCLI script that’ll save you time and headaches by quickly retrieving encryption status and recovery keys from your VMware environment.

Why Do You Need This?

Ensuring your ESXi hosts are correctly encrypted is essential for security. Regular checks help prevent surprises later, especially during troubleshooting or audits.

Getting Started

First, make sure you’re connected to your vCenter:

Connect-VIServer -Server <VCENTER_IP_OR_FQDN>

Replace <VCENTER_IP_OR_FQDN> with your vCenter IP or FQDN.

The Script Breakdown

Here’s a quick rundown of the PowerCLI script that verifies the encryption settings across all ESXi hosts and shows the recovery key for each ESXi host (link to GitHub repository and file tpm_recovery_key_backup.ps1):

# Connect to your vCenter server (if not already connected)
# Connect-VIServer -Server <VCENTER_IP_OR_FQDN>

# All hosts known to the connected vCenter, sorted by name
$esxis = Get-VMHost | Sort-Object Name

foreach ($esx in $esxis) {
    $key = @()
    $enc = @()
    # esxcli only answers on hosts that are Connected or in Maintenance mode
    if ($esx.ConnectionState -ne "Connected" -and $esx.ConnectionState -ne "Maintenance") {
        Write-Host ""
        Write-Host "================================================================================" -ForegroundColor Yellow
        Write-Host "🚫 SKIPPED HOST" -ForegroundColor Yellow
        Write-Host "Host                : $($esx.Name)" -ForegroundColor DarkYellow
        Write-Host "Reason              : Not powered on or disconnected." -ForegroundColor DarkYellow
        Write-Host "================================================================================" -ForegroundColor Yellow
        Write-Host ""
        continue
    }
    # Version 2 of the PowerCLI esxcli wrapper (methods are called with .Invoke())
    $esxcli = Get-EsxCli -VMHost $esx -V2
    try {
        # Equivalent of "esxcli system settings encryption recovery list" and
        # "esxcli system settings encryption get" on the host
        $key = $esxcli.system.settings.encryption.recovery.list.Invoke()
        $enc = $esxcli.system.settings.encryption.get.Invoke()

        Write-Host "================================================================================" -ForegroundColor DarkCyan
        Write-Host "🔹 ESXi Host        : $($esx.Name)" -ForegroundColor Cyan
        Write-Host "🔐 Recovery ID      : $($key.RecoveryID)" -ForegroundColor Green
        Write-Host "🗝️  Recovery Key     : $($key.Key)" -ForegroundColor Yellow
        Write-Host "🔒 Encryption Mode  : $($enc.Mode)" -ForegroundColor Magenta
        Write-Host "================================================================================" -ForegroundColor DarkCyan
        Write-Host ""
    }
    catch {
        # esxcli call failed (e.g. host without TPM encryption, or an API error)
        Write-Host ""
        Write-Host "================================================================================" -ForegroundColor DarkGray
        Write-Host "❌ ERROR for host    : $($esx.Name)" -ForegroundColor Red
        Write-Host "⚠️  Failed to get encryption key for $($esx.Name)."
        Write-Host "🧨 Error details     : $_"
        Write-Host "================================================================================" -ForegroundColor DarkGray
        Write-Host ""
    }
}

What the Script Does

  • Connects to each ESXi host.
  • Checks if the host is Connected or in Maintenance mode.
  • Retrieves the Encryption Recovery ID and Key.
  • Shows the current encryption mode.
  • Gracefully handles hosts that are offline or disconnected, clearly indicating skipped or problematic hosts.
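The script above prints each recovery key to the console, which is fine for a quick check but awkward for a backup: the keys end up only in terminal scrollback (or in a transcript log), and the output cannot be filtered or piped. The following added example, which is not the original script from the post or the GitHub repository, wraps the same esxcli calls in a function that emits objects, so the result can be written to a file and summarised on screen without the keys. It assumes an existing Connect-VIServer session and the PowerCLI Get-EsxCli -V2 wrapper; the backup directory under $HOME is an assumption you should change, and the mode values "TPM"/"NONE" are those reported by esxcli. The resulting file contains the cleartext recovery keys, so protect it like any other break-glass secret (restrict its ACL and store it with your other recovery material).

```powershell
# Added example (not the post's tpm_recovery_key_backup.ps1): collect ESXi TPM
# encryption recovery keys as objects and back them up to a CSV file.
# Assumes an active Connect-VIServer session and PowerCLI's Get-EsxCli -V2.

function Get-EsxiTpmRecoveryKey {
    [CmdletBinding()]
    param (
        # Hosts to query; defaults to every host in the connected vCenter.
        [Parameter(ValueFromPipeline = $true)]
        [VMware.VimAutomation.ViCore.Types.V1.Inventory.VMHost[]]$VMHost = (Get-VMHost | Sort-Object Name)
    )
    process {
        foreach ($esx in $VMHost) {
            # esxcli only answers on hosts that are Connected or in Maintenance mode.
            if ($esx.ConnectionState -notin @('Connected', 'Maintenance')) {
                [pscustomobject]@{
                    Host            = $esx.Name
                    ConnectionState = [string]$esx.ConnectionState
                    EncryptionMode  = $null
                    RecoveryID      = $null
                    RecoveryKey     = $null
                    Status          = 'Skipped'
                }
                continue
            }
            try {
                $esxcli = Get-EsxCli -VMHost $esx -V2
                # Same calls as the post's script: "encryption get" and "encryption recovery list".
                $enc = $esxcli.system.settings.encryption.get.Invoke()
                $key = $esxcli.system.settings.encryption.recovery.list.Invoke()
                [pscustomobject]@{
                    Host            = $esx.Name
                    ConnectionState = [string]$esx.ConnectionState
                    EncryptionMode  = $enc.Mode          # "TPM" or "NONE" as reported by esxcli
                    RecoveryID      = if ($key) { $key.RecoveryID } else { $null }
                    RecoveryKey     = if ($key) { $key.Key } else { $null }
                    Status          = 'OK'
                }
            }
            catch {
                [pscustomobject]@{
                    Host            = $esx.Name
                    ConnectionState = [string]$esx.ConnectionState
                    EncryptionMode  = $null
                    RecoveryID      = $null
                    RecoveryKey     = $null
                    Status          = "Error: $($_.Exception.Message)"
                }
            }
        }
    }
}

# Backup location: an assumption for this example, change it to your secured key store.
$backupDir = Join-Path $HOME 'esxi-recovery-keys'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backupFile = Join-Path $backupDir ('esxi-tpm-recovery-keys-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))

$results = Get-EsxiTpmRecoveryKey

# The CSV holds the cleartext keys; the console shows only a key-free summary.
$results | Export-Csv -Path $backupFile -NoTypeInformation
$results | Select-Object Host, ConnectionState, EncryptionMode, Status | Format-Table -AutoSize

# Hosts that report TPM mode but returned no recovery key deserve a closer look.
$results | Where-Object { $_.Status -eq 'OK' -and $_.EncryptionMode -eq 'TPM' -and -not $_.RecoveryKey } |
    ForEach-Object { Write-Warning "No recovery key returned for $($_.Host)" }

Write-Host "Recovery keys written to $backupFile"
```

Because the function returns objects, you can also pipe a subset of hosts into it (Get-VMHost -Location "Cluster01" | Get-EsxiTpmRecoveryKey) or compare two backup files with Compare-Object to spot a host whose recovery ID changed since the last run.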

Output

Connected hosts or in Maintenance with Encryption keys

Powered off or disconnected hosts – Skipped hosts

Hosts without encryption keys or with errors

Wrapping It Up

This quick script helps you stay on top of ESXi encryption keys effortlessly. Just copy, adjust if needed, and run. Happy scripting!

Easily Identify Your vCenter Version and Update Needs with PowerShell (Get-vCenterVersion)

If you are working with VMware environments, particularly with vCenter Server, it’s important to keep track of the version and build number of your vCenter instances. This script/function, Get-vCenterVersion, is designed to help you retrieve these details effortlessly. Here, we’ll break down my script, explaining each section, and provide examples of how to use it.

Overview of the Script

The Get-vCenterVersion function is a PowerShell script that retrieves the version and build number of a specified vCenter Server. It compares the build number against a predefined mapping to provide detailed information about the vCenter version, release date, and other associated details. This can be extremely useful for maintaining and upgrading your VMware infrastructure.

You can find the full script linked at the end of this article. 🙂

Sections of the Script

  1. Script Header and Metadata
<#
    .SYNOPSIS
    This function retrieves the vCenter version and build number. 
    Based on https://knowledge.broadcom.com/external/article?legacyId=2143838

    .NOTES
    File Name      : get-vcenter-version.ps1
    Author         : Stanislav Musil
    Prerequisite   : PowerShell
    Website        : https://vpxd.dc5.cz/index.php/category/blog/
    X (Twitter)    : https://www.x.com/stmusil

    .DESCRIPTION
    The script is a function that takes a single parameter, the vCenter server name. Retrieves the version and build number. 
    To use the function, you can dot-source the script and then call the function. 
    Windows:   . .\get-vcenter-version.ps1
    Mac/Linux: . ./get-vcenter-version.ps1

    .EXAMPLE
    Get-vCenterVersion -vCenterServer "vCenter.DC5.cz"
    or
    Get-vCenterVersion
#>

This section provides a summary of what the script does, including the author’s information, and usage instructions. It also includes an example of how to invoke the function. This is a standard way to document PowerShell scripts and makes it easier for others to understand and use your script.

  2. Parameter Declaration
Param (
    [Parameter(Mandatory=$false)]
    [VMware.VimAutomation.ViCore.Util10.VersionedObjectImpl]$vCenterServer
)

Here, the script defines a parameter $vCenterServer, which is not mandatory. If the user does not provide a value, the script uses the default vCenter Server from the PowerCLI global variable $global:DefaultVIServer.

  3. vCenter Version Mappings
$vCenterVersionMappings = @{
    "24026615"="vCenter Server 7.0 Update 3r","17.06.2024","7.0.3.02000","24026615","24026615"
    "23788036"="vCenter Server 7.0 Update 3q","21.05.2024","7.0.3.01900","23788036","23788036"
    ...
}

This dictionary (hashtable) contains a mapping of vCenter Server build numbers to their corresponding versions, release dates, and other details. This is the core of the script, enabling it to look up detailed information based on the build number.

  4. Retrieving and Matching vCenter Build and Version
$vCenterServerVersion = $vCenterServer.Version
$vCenterServerBuild = $vCenterServer.Build
# Defaults for builds missing from the mapping; the fourth value is the VAMI build ($VAMI), used in the output object
$vCenterVersion,$vCenterReleaseDate,$vCenterVersionFull,$VAMI,$vCenterMobVersion = "Unknown","Unknown","Unknown","Unknown","Unknown"
$vCenterName = $vCenterServer.Name

The script retrieves the version and build number from the provided or default vCenter Server. If the build number exists in the predefined mappings, the script retrieves the corresponding details.

  5. Outputting the Information
$out = [pscustomobject] @{
    vCenter_Name = $vCenterName;
    vCenter_Build = $vCenterServerBuild;
    vCenter_ReleaseName = $vCenterServerVersion;
    vCenter_MOB = $vCenterMobVersion;
    vCenter_VAMI = $VAMI;
    vCenter_Version_Full = $vCenterVersionFull;
    Release_Date = $vCenterReleaseDate;
}
$out

The script constructs a custom PowerShell object to output the details in a structured format. This makes it easy to further process or display the information.

  6. Upgrade Check
if ($vCenterServerBuild -lt $greatestKey) {
    Write-Host "vCenter upgrade possible. `n" -ForegroundColor Red
} elseif ($vCenterServerBuild -eq $greatestKey) {
    Write-Host "Latest version/ up to date. `n" -ForegroundColor Green
} else {
    Write-Host "Update this script, looks like it's outdated. `n"  -ForegroundColor Magenta
}

Finally, the script compares the retrieved build number with the highest build number in the mapping to determine if an upgrade is available, if the system is up to date, or if the script itself needs updating.
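The excerpts above leave out the lookup itself and the computation of $greatestKey. The following added example, which is not the get-vcenter-version.ps1 from the repository, puts the whole procedure together (mapping, lookup, highest known build, upgrade verdict) as a function that takes the name, version and build as plain input, so the logic can be exercised without a vCenter session; a small wrapper then feeds it $global:DefaultVIServer the way the article's function does. The mapping contains only the two builds shown in the article and must be extended from the Broadcom KB the script references; the function names and the Upgrade_Status field are assumptions of this example. One deliberate difference: $vCenterServer.Build and the hashtable keys are strings, and PowerShell compares strings lexicographically when the left operand is a string, so the example casts builds to [int64] before comparing them.

```powershell
# Added example (not the project's get-vcenter-version.ps1): build lookup and
# upgrade check as pure functions, testable without a vCenter connection.

$vCenterVersionMappings = @{
    # build = release name, release date, full version, VAMI build, MOB build
    # Only the two rows shown in the article; extend from the Broadcom KB.
    '24026615' = 'vCenter Server 7.0 Update 3r', '17.06.2024', '7.0.3.02000', '24026615', '24026615'
    '23788036' = 'vCenter Server 7.0 Update 3q', '21.05.2024', '7.0.3.01900', '23788036', '23788036'
}

function Resolve-vCenterBuild {
    param (
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Version,
        [Parameter(Mandatory)][string]$Build,
        [hashtable]$Mappings = $vCenterVersionMappings
    )
    # Defaults for a build that is not in the mapping.
    $releaseName, $releaseDate, $versionFull, $vami, $mob = 'Unknown', 'Unknown', 'Unknown', 'Unknown', 'Unknown'
    if ($Mappings.ContainsKey($Build)) {
        $releaseName, $releaseDate, $versionFull, $vami, $mob = $Mappings[$Build]
    }

    # Highest build the mapping knows about, compared numerically (not as strings).
    $greatestKey = ($Mappings.Keys | ForEach-Object { [int64]$_ } | Measure-Object -Maximum).Maximum
    $status = switch ([int64]$Build) {
        { $_ -lt $greatestKey } { 'UpgradeAvailable'; break }
        { $_ -eq $greatestKey } { 'UpToDate'; break }
        default                 { 'MappingOutdated' }   # newer than anything we know: update the mapping
    }

    [pscustomobject]@{
        vCenter_Name         = $Name
        vCenter_Build        = $Build
        vCenter_ReleaseName  = $Version
        vCenter_MOB          = $mob
        vCenter_VAMI         = $vami
        vCenter_Version_Full = $versionFull
        Release_Date         = $releaseDate
        Release_Name         = $releaseName
        Upgrade_Status       = $status
    }
}

function Get-vCenterVersionInfo {
    # Mirrors the article's function: falls back to the current PowerCLI session.
    param ([Parameter(Mandatory = $false)]$vCenterServer = $global:DefaultVIServer)
    if (-not $vCenterServer) { throw 'Not connected to a vCenter Server; run Connect-VIServer first.' }
    Resolve-vCenterBuild -Name $vCenterServer.Name -Version $vCenterServer.Version -Build $vCenterServer.Build
}

# Offline check with constructed input: the older of the two known builds
# should come back as UpgradeAvailable, the newer one as UpToDate.
Resolve-vCenterBuild -Name 'vcsa.lab.example' -Version '7.0.3' -Build '23788036'
Resolve-vCenterBuild -Name 'vcsa.lab.example' -Version '7.0.3' -Build '24026615'
```

Keeping the mapping as data and the verdict as a returned field (rather than a coloured Write-Host) lets the check run unattended, for example on a schedule that exports the objects and alerts when any vCenter reports UpgradeAvailable or MappingOutdated.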

Example Usage

Example 1: Retrieve vCenter Version with Default Server

If you are already connected to a vCenter Server and set it as the default ($global:DefaultVIServer), you can simply run:

Get-vCenterVersion

Example 2: Specify a vCenter Server

To retrieve the version for a specific vCenter Server, provide the server’s name:

Get-vCenterVersion -vCenterServer "vCenter.DC5.cz"

This will output detailed information about the vCenter Server, including its version, build number, and release date. If the vCenter Server is not on the latest version, the script will suggest that an upgrade is possible.

My homelab:

Conclusion

The Get-vCenterVersion script is a PowerCLI function for anyone managing VMware vCenter Servers. By automating the retrieval and checking of vCenter versions, it helps ensure that your infrastructure is always up to date and secure. Whether you’re managing a single vCenter Server or multiple instances, this script can save you time and reduce the risk of version mismatches.

Feel free to customize the script to fit your environment, and remember to keep the version mapping updated as new vCenter Server versions are released!

Source code is on GitHub:

https://github.com/musil/vSphere_scripts/blob/main/vCenter/get-vcenter-version.ps1

VMUGCZ Event in Prague – 2024-05-23

A Day of Innovation and Networking

VMware User Group Czech Republic (VMUGCZ)

Yesterday’s VMUGCZ event in Prague was a fantastic success, bringing together professionals and enthusiasts for a day filled with insightful sessions, engaging discussions, and valuable networking opportunities.

Agenda:

Welcome by VMUGCZ Leaders
The event began with a warm welcome from the VMUGCZ leaders, setting the stage for an exciting day ahead. They provided an overview of the agenda, highlighting the key topics and sessions that attendees could look forward to.

Keynote: VCF, AI, and Other Things
Joe Baguley from Broadcom kicked off the keynote with a deep dive into VMware Cloud Foundation (VCF), the evolving role of AI, and other emerging technologies. His presentation was followed by a lively Q&A session led by Vlastimil Horák from VMware by Broadcom, allowing attendees to ask questions and engage directly with the experts.

Understanding NSX in VCF: Best Practices for VCF Networking
Karel Novak from VMware by Broadcom delivered a detailed session on understanding NSX within VCF. He shared best practices for optimizing VCF networking, providing practical insights and solutions for common challenges.

Coffee Break and Social Networking
The first coffee break offered a chance for attendees to mingle, discuss the morning sessions, and network with peers and industry experts. It was a great opportunity to build connections and share ideas.

The Future is Here: ExaGrid Tiered Backup Storage
Piotr Łukasiewicz from ExaGrid Systems introduced the latest innovations in tiered backup storage. His presentation highlighted the benefits of ExaGrid’s solutions, emphasizing how they can enhance data protection and recovery strategies.

Ootbi by Object First – Best Storage for Veeam
Walter Berends from ObjectFirst discussed the optimal storage solutions for Veeam, focusing on the features and advantages of Ootbi by Object First. His insights were particularly valuable for those looking to improve their data storage and management practices.

Lunch Break
A delicious lunch provided a welcome break and another opportunity for attendees to network and discuss the day’s topics in a more informal setting.

Google Cloud VMware Engine: AI-Assisted Automation for Your Workloads
Agnieszka Koziorowska from Google presented on the integration of AI-assisted automation with VMware workloads on Google Cloud. Her session showcased practical applications and the significant benefits of this advanced technology.

AI for Accident Analysis and 3D Reconstruction
Enrico Pittini and Pavel Kučera from DataVision demonstrated the use of AI for accident analysis and 3D reconstruction. Their presentation highlighted real-world use cases and the technological advancements driving these innovations.

Coffee Break and Social Networking
Another coffee break allowed attendees to relax and continue their networking conversations, exchanging thoughts on the afternoon sessions.

Before Calling in the Backups
Boris Mittelmann from Veeam discussed the importance of preparedness in backup management. He shared strategies and best practices to ensure effective and efficient backup processes.

VCF aka Virtuální Cloudová Fantazie
A community session led by Martin Dimitrov, Libor Junek, and Josef Zach explored the capabilities of VMware Cloud Foundation. Titled “Virtuální Cloudová Fantazie”, this session provided information from a real-life VCF deployment.

Roundtable with VMUG Leaders and Speakers
The roundtable discussion offered an interactive platform for VMUG leaders and speakers to engage with the audience. Attendees had the chance to ask questions, share insights, and discuss various topics in an open forum.

Social Networking: Grill, Beer, and Hockey
The event concluded with a relaxed social networking session featuring a grill, beer, and watching the Hockey World Championship on a big screen (Czech Republic vs. USA, 1:0). It was a fun and enjoyable end to a day packed with learning and networking.

Overall, the VMUGCZ event in Prague was a resounding success, offering valuable insights, practical knowledge, and plenty of opportunities for professional growth and connection. Check out some photos from the event below!

Joe Baguley (VMware by Broadcom) Keynote

Karel Novak (VMware by Broadcom)

Piotr Lukasiewicz (ExaGrid Systems)

Martin Stetka (Object First)

Walter Berends (Object First)

Google Cloud

Pavel Kučera (DataVision)

Boris Mittelman (Veeam)

Libor Junek, Josef Zach, Martin Dimitrov (community session)

Social links:

https://www.linkedin.com/feed/update/urn:li:activity:7199790189827739648

VCSA – vCenter Server Appliance 6.5 – backup


  • Log in to the admin interface of the vCenter appliance:
http://VCENTER-DNS-NAME:5480/


  • Choose Backup


In the wizard, fill in all the information:

  • Protocol [HTTPS, HTTP, SCP, FTPS or FTP]
  • Location [server_IP_or_DNS/EmptyDirectory]
  • Port [can be skipped if you use the standard port for the chosen protocol]
  • UserName
  • Password

Continue reading “VCSA – vCenter Server Appliance 6.5 – backup”