Back up the TPM recovery key from an ESXi host

It’s important to have a backup of the TPM recovery key for every ESXi host whose configuration is encrypted and sealed to its TPM: if the TPM can no longer unseal the configuration (after a firmware update, a TPM clear or a board replacement, for instance), that key is what lets the host boot into its saved configuration again. This guide shows how to collect it.

Introduction

Validated on

This how-to has been tested and is known to work on the following versions, but is not limited to them:

  • ESXi 8

Prerequisite

  • Root access to ESXi
  • SSH software
    • macOS, you can use Terminal
    • Linux, you can use Terminal
    • Windows, I recommend PuTTY

Start

If vSphere shows a banner on the host warning that the TPM encryption recovery key has not been backed up, it’s time to take a backup. You should have a backup even when no such banner is showing.

Enable and connect through SSH

First we need to connect to the ESXi host over SSH. SSH is disabled by default, so enable it first.

  • Log in to your ESXi host through the WebGUI

  • Click Actions, then in the dropdown menu click Services -> Enable Secure Shell (SSH)

  • Now open an SSH session, either through the console in the ESXi WebGUI or with any SSH client.

Collect Recovery ID and key

It’s time to collect the recovery ID and key. Remember to save them in a safe place.

  • Run the following in the SSH prompt to verify that the host’s configuration encryption mode is TPM (the output also shows whether the host requires secure boot and executables only from installed VIBs)

    esxcli system settings encryption get

  • Now list the recovery ID and key by running the following and pressing enter

    esxcli system settings encryption recovery list

    Save both the Recovery ID and the Key somewhere safe and separate from the host, such as a password manager or vault. Treat the key as a secret: it decrypts the host’s configuration, and the host cannot show it to you once it no longer boots.

Disable SSH

  • Now that you have saved the recovery ID and key, remember to disable SSH again: click Actions, then in the dropdown menu click Services -> Disable Secure Shell (SSH)
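The same collection, as an added example that is not part of the original post: a small POSIX shell script run from the admin workstation that performs the two esxcli steps over SSH, refuses to proceed unless the mode is TPM, parses the Recovery ID and Key out of the table, and writes them to a file readable only by the current user. It assumes key-based SSH login as root, that SSH has already been enabled on the host as described above, and the default human-readable esxcli output layout; the host name, file names and the sample outputs are constructed for the example.

```shell
#!/bin/sh
# backup_esxi_recovery_key.sh (added example, not from the original post).
# Usage: ./backup_esxi_recovery_key.sh esxi01.example.com   (hypothetical host)
# Assumes: key-based SSH login as root and the default esxcli output format.

# Run one esxcli command on the host named in $HOST over SSH.
run_esxcli() {
    ssh "root@${HOST}" esxcli "$@"
}

# check_tpm_mode OUTPUT: succeed only if the output of
# 'esxcli system settings encryption get' reports "Mode: TPM".
check_tpm_mode() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*Mode:[[:space:]]*TPM[[:space:]]*$'
}

# parse_recovery_list OUTPUT: print "recovery_id key" pairs from the table
# printed by 'esxcli system settings encryption recovery list', skipping the
# "Recovery ID  Key" header and the dashed separator line.
parse_recovery_list() {
    printf '%s\n' "$1" | awk '
        /^Recovery ID/ { next }
        /^-+/          { next }
        NF >= 2        { print $1, $2 }'
}

# backup HOST: verify TPM mode, fetch the key and store it in a 0600 file.
backup() {
    HOST="$1"
    get_out=$(run_esxcli system settings encryption get) || return 1
    if ! check_tpm_mode "$get_out"; then
        echo "${HOST}: configuration encryption mode is not TPM; nothing to back up" >&2
        return 1
    fi
    list_out=$(run_esxcli system settings encryption recovery list) || return 1
    pairs=$(parse_recovery_list "$list_out")
    if [ -z "$pairs" ]; then
        echo "${HOST}: no recovery key found in esxcli output" >&2
        return 1
    fi
    umask 077                                   # new file readable by us only
    out="esxi-recovery-key-${HOST}-$(date +%Y%m%d).txt"
    {
        echo "host: ${HOST}"
        printf '%s\n' "$pairs" | while read -r id key; do
            echo "recovery_id: ${id}"
            echo "key: ${key}"
        done
    } > "$out"
    echo "saved ${out}; move it into your vault and delete the local copy"
}

# Constructed sample output in the shape esxcli prints (values are made up),
# used only to check the two parsers offline.
SAMPLE_GET='   Mode: TPM
   Require Executables Only From Installed VIBs: false
   Require Secure Boot: true'

SAMPLE_LIST='Recovery ID                             Key
--------------------------------------  ---
{6a1b2c3d-0000-4000-8000-000000000001}  00000-11111-22222-33333'

# Only talk to a real host when one is given on the command line.
if [ "$#" -gt 0 ]; then
    backup "$1"
fi
```

The script writes the key to a local file only as a hand-off: the file is created with mode 0600, but it should go straight into a password manager or vault and the local copy should be deleted, since anyone who reads it can decrypt the host’s configuration. The SSH service is still disabled afterwards through the WebGUI as described above.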

Conclusion

That’s it. With the TPM recovery ID and key saved somewhere safe, we can sleep at night: the host can be recovered even if its TPM can no longer unseal the configuration.
