Key persistence is not enabled by default on an ESXi host; you must enable it explicitly with the procedure below.

For conceptual information about key persistence, see Key Persistence Overview.

Prerequisites

Requirements to enable key persistence:

  • ESXi 7.0 Update 2 or later
  • ESXi host installed with TPM 2.0
  • Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.

For additional security, the TPM can also apply a sealing policy, which ties the release of persisted keys to the measured boot state so that a host whose boot chain has been altered cannot unseal them. See TPM Sealing Policies Overview.

Procedure

  1. Use SSH or another remote console connection to start a session on the ESXi host.
  2. Log in as root.
  3. Enable or disable key persistence.
    1. To enable key persistence:
      esxcli system security keypersistence enable
    2. To disable key persistence and remove all keys currently stored in the TPM:
      esxcli system security keypersistence disable --remove-all-stored-keys
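The two commands above are exactly what you type in the ESXi Shell. The script below is an added example, not VMware's code and not part of this procedure: it wraps those same commands in a small POSIX sh function that validates the requested action, refuses to run as a non-root user, and reports the ESXCLI exit status, so that a failed enable is not mistaken for success when the step is automated. It assumes the ESXCLI binary is on the path as `esxcli` (overridable through the `ESXCLI` environment variable) and is run on an ESXi 7.0 Update 2 or later host with TPM 2.0; the function name `keypersistence_set` and the variable `ESXCLI` are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example (not VMware's code). Wraps the esxcli key persistence
# commands from the procedure with argument validation and exit-status
# reporting. ESXCLI names the esxcli binary; defaults to "esxcli" on the
# host's PATH and can be overridden, e.g. for a dry run. Hypothetical names.
ESXCLI="${ESXCLI:-esxcli}"

# keypersistence_set enable|disable
# Returns the esxcli exit status, 2 on a bad argument, 3 when not root.
keypersistence_set() {
    action="$1"

    # Both esxcli invocations in the procedure require root on the host.
    # Skip the check only when a non-default ESXCLI is supplied (dry run).
    if [ "$ESXCLI" = "esxcli" ] && [ "$(id -u)" -ne 0 ]; then
        echo "keypersistence_set: must be run as root" >&2
        return 3
    fi

    case "$action" in
        enable)
            "$ESXCLI" system security keypersistence enable
            ;;
        disable)
            # Disabling without --remove-all-stored-keys would leave the
            # previously persisted keys in the TPM; the procedure removes them.
            "$ESXCLI" system security keypersistence disable --remove-all-stored-keys
            ;;
        *)
            echo "usage: keypersistence_set enable|disable" >&2
            return 2
            ;;
    esac
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "keypersistence_set: esxcli $action failed with status $rc" >&2
    fi
    return "$rc"
}
```

Run it on the host as `keypersistence_set enable` after logging in as root; a non-zero return means ESXCLI rejected the change (for example on a host without a TPM 2.0) and the host is still in its previous state.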