If a TPM fails, or if you clear a TPM, you must recover the secure ESXi configuration. Until you recover the configuration, the ESXi host cannot boot.

You must recover the secure ESXi configuration in the following situations:
  • You cleared the TPM (that is, the seeds in the TPM were reset).
  • The TPM failed.

To troubleshoot other secure ESXi configuration problems, see the VMware knowledge base article at https://kb.vmware.com/kb/81446.

Perform the recovery manually. Do not perform the recovery as part of an installation or upgrade script.

Prerequisites

Get your recovery key. You should have previously listed and stored the recovery key. See List the Contents of the Secure ESXi Configuration Recovery Key.

Procedure

  1. (Optional) If the TPM failed, move the disk that contains the boot bank to another host with a TPM.
  2. Start the ESXi host.
  3. When the ESXi installer window appears, press Shift+O to edit boot options.
  4. At the command prompt, enter the boot option to recover the configuration.
    encryptionRecoveryKey=recovery_key

Results

The secure ESXi configuration is recovered and the ESXi host boots.

What to do next

When you enter the recovery key, it is temporarily displayed in an untrusted environment and resides in memory. You can remove residual traces of the key in memory by rebooting the host. Alternatively, you can rotate the key. See Rotate the Secure ESXi Configuration Recovery Key.