You must enable key persistence on an ESXi host. It is not enabled by default.
For conceptual information about key persistence, see Key Persistence Overview.
Prerequisites
Requirements to enable key persistence:
- ESXi 7.0 Update 2 or later
- ESXi host with a TPM 2.0 installed
- Access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
Note: Key persistence is not necessary when using vSphere Native Key Provider. vSphere Native Key Provider is designed to run out of the box without requiring access to a key server.
For additional security, the TPM can also use a sealing policy to prevent tampering during ESXi host boot. See TPM Sealing Policies Overview.
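The prerequisites above can be checked from the ESXi Shell before you enable key persistence. The script below is an added example, not VMware's own code. Its function names are hypothetical, the sample text is constructed, and it assumes the "Name: value" layout printed by esxcli system version get and esxcli hardware trustedboot get.

```shell
#!/bin/sh
# Added example: prerequisite check for key persistence (ESXi 7.0 U2+, TPM present).

# Constructed sample outputs, not captured from a real host.
SAMPLE_VERSION_OK='   Product: VMware ESXi
   Version: 7.0.2
   Update: 2'
SAMPLE_VERSION_OLD='   Product: VMware ESXi
   Version: 7.0.1
   Update: 1'
SAMPLE_TPM='   Drtm Enabled: false
   Tpm Present: true'

# field NAME TEXT: print the value of the first "NAME: value" line in TEXT.
field() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# is_num VALUE: succeed only for a non-empty string of digits.
is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# meets_version_prereq TEXT: 0 if ESXi 7.0 Update 2 or later,
# 1 if older, 2 if the version fields cannot be parsed.
meets_version_prereq() {
    version=$(field Version "$1")
    update=$(field Update "$1")
    major=${version%%.*}
    rest=${version#*.}
    minor=${rest%%.*}
    is_num "$major" && is_num "$minor" && is_num "$update" || return 2
    [ "$major" -gt 7 ] && return 0
    [ "$major" -lt 7 ] && return 1
    [ "$minor" -gt 0 ] && return 0
    [ "$update" -ge 2 ]
}

# tpm_present TEXT: 0 if the host reports a TPM.
# This shows presence only; confirm separately that the device is TPM 2.0.
tpm_present() {
    [ "$(field 'Tpm Present' "$1")" = "true" ]
}

# On a real host, feed live command output to the same checks.
if command -v esxcli >/dev/null 2>&1; then
    meets_version_prereq "$(esxcli system version get)" || echo "ESXi version below 7.0 Update 2"
    tpm_present "$(esxcli hardware trustedboot get)" || echo "No TPM reported"
fi
```

A return code of 2 from meets_version_prereq means the output could not be parsed, so treat it as "unknown" rather than as a failed prerequisite.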