You must enable key persistence on an ESXi host. It is not enabled by default.

For conceptual information about key persistence, see Key Persistence Overview.
Requirements to enable key persistence:

  • ESXi 7.0 Update 2 or later
  • ESXi host installed with TPM 2.0
  • Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
Note: vSphere Native Key Provider does not require a TPM to enable key persistence. However, without a TPM the keys are not persisted securely and could be compromised.

For additional security, the TPM can also use a sealing policy to prevent tampering during ESXi host boot. See TPM Sealing Policies Overview.
  1. Use SSH or another remote console connection to start a session on the ESXi host.
  2. Log in as root.
  3. Enable or disable key persistence.
    1. To enable key persistence:
      esxcli system security keypersistence enable
    2. To disable key persistence:
      esxcli system security keypersistence disable --remove-all-stored-keys
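The following preflight script is an added example, not part of the VMware documentation: it checks the two requirements above (ESXi 7.0 Update 2 or later, TPM present) from the output of `esxcli system version get` and `esxcli hardware trustedboot get` before running the enable command. The sample outputs embedded in it are constructed here, and the field layout they assume should be confirmed against a real host.

```shell
#!/bin/sh
# Preflight for enabling ESXi key persistence (added example, not VMware's own code).
# Runs in the ESXi Shell (busybox ash) or over SSH; uses only POSIX sh features.

# Constructed sample output in the layout `esxcli system version get` prints.
SAMPLE_VERSION='   Product: VMware ESXi
   Version: 7.0.3
   Build: Releasebuild-00000000
   Update: 3
   Patch: 45'

# Constructed sample output in the layout `esxcli hardware trustedboot get` prints.
SAMPLE_TPM='   Drtm Enabled: false
   Tpm Present: true'

# Print the value after "<Field>:" from esxcli key/value output ($1 = field, $2 = output).
field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p"
}

# Return 0 when the version output describes ESXi 7.0 Update 2 or later.
version_ok() {
    ver=$(field Version "$1"); upd=$(field Update "$1")
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}
    [ "$major" -gt 7 ] && return 0          # 8.x and later always qualify
    [ "$major" -eq 7 ] || return 1          # 6.x and earlier never do
    [ "$minor" -gt 0 ] && return 0
    [ "$minor" -eq 0 ] && [ "${upd:-0}" -ge 2 ]   # 7.0 needs Update 2 or later
}

# Return 0 when the trusted-boot output reports a TPM present.
tpm_ok() {
    [ "$(field 'Tpm Present' "$1")" = "true" ]
}

# Gate the enable command on the checks; a missing TPM is a warning, not a stop,
# because vSphere Native Key Provider can persist keys without one (insecurely).
main() {
    v=$(esxcli system version get); t=$(esxcli hardware trustedboot get)
    version_ok "$v" || { echo "ESXi 7.0 Update 2 or later is required"; return 1; }
    tpm_ok "$t" || echo "WARNING: no TPM present; keys will not be persisted securely"
    esxcli system security keypersistence enable
}

if command -v esxcli >/dev/null 2>&1; then
    main
else
    echo "esxcli not found: run this script in the ESXi Shell or over SSH to the host"
fi
```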