You must enable key persistence on an ESXi host. It is not enabled by default.

For conceptual information about key persistence, see Key Persistence Overview.


Requirements to enable key persistence:

  • ESXi 7.0 Update 2 or later
  • ESXi host installed with TPM 2.0
  • Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
Note: Key persistence is not necessary when using vSphere Native Key Provider. vSphere Native Key Provider is designed out-of-the-box to run without requiring access to a key server.

For additional security, the TPM can also use a sealing policy to prevent tampering during ESXi host boot. See TPM Sealing Policies Overview.


  1. Start a session on the ESXi host by using SSH or another remote console connection.
  2. Log in as root.
  3. Verify that the ESXi host is in TPM mode.
    esxcli system settings encryption get
    If the Mode appears as NONE, you must enable the TPM in the firmware of the host, and set the mode by running the following command.
    esxcli system settings encryption set --mode=TPM
  4. Enable or disable key persistence.
    1. To enable key persistence:
      esxcli system security keypersistence enable
    2. To disable persistence:
      esxcli system security keypersistence disable --remove-all-stored-keys