If a TPM fails, or if you clear a TPM, you must recover the secure ESXi Configuration. Until you recover the configuration, the ESXi host cannot boot.

Recovering the secure ESXi configuration is required in the following situations:
  • You cleared the TPM (that is, the seeds in the TPM were reset).
  • The TPM failed.
  • You replaced the motherboard or the TPM device, or both.

To troubleshoot other secure ESXi configuration problems, see the VMware knowledge base article at https://kb.vmware.com/kb/81446.

Perform the recovery manually. Do not perform the recovery as part of an installation or upgrade script.

Prerequisites

Get your recovery key. You should have previously listed and stored the recovery key. See List the Contents of the Secure ESXi Configuration Recovery Key.

Procedure

  1. (Optional) If the TPM failed, move the disk that contains the boot bank to another host with a TPM.
  2. Start the ESXi host.
  3. When the ESXi installer window appears, press Shift+O to edit boot options.
  4. To recover the configuration, at the command prompt, append the following boot option to any existing boot options.
    encryptionRecoveryKey=recovery_key
    The secure ESXi configuration is recovered and the ESXi host boots.
  5. To persist the change, enter the following command:
    /sbin/auto-backup.sh
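
Because step 4 is typed by hand at the boot prompt, a stored key with a stray line break or pasted whitespace is the usual reason the host still fails to boot. The following POSIX sh script is an added example, not part of this page or of VMware's tooling: it checks a stored recovery key file (one line, no whitespace, assumed format) and prints the exact boot option line to append. The file path and the sample key value are constructed for the example.

```shell
#!/bin/sh
# Added example (not VMware code): pre-flight check for a stored secure ESXi
# configuration recovery key. The key is assumed to be a single line with no
# whitespace; compare against what you stored when you listed the key.

# save_key_file PATH KEY
# Write the key with owner-only permissions (umask applied in a subshell so
# the caller's umask is untouched).
save_key_file() {
    ( umask 077; printf '%s\n' "$2" > "$1" )
}

# build_recovery_boot_option PATH
# Validate the key file and print the boot option to append at the Shift+O
# prompt. Returns non-zero if the file is missing, empty, holds more than one
# line, or contains whitespace (a typical copy/paste artifact).
build_recovery_boot_option() {
    keyfile="$1"
    [ -f "$keyfile" ] || { echo "key file not found: $keyfile" >&2; return 1; }

    # Count records rather than newlines so a file without a trailing
    # newline is still counted as one line.
    lines=$(awk 'END { print NR }' "$keyfile")
    if [ "$lines" -ne 1 ]; then
        echo "key file must hold exactly one line (found $lines)" >&2
        return 1
    fi

    # Strip a Windows line ending in case the key was saved from a PC.
    key=$(head -n 1 "$keyfile" | tr -d '\r')
    [ -n "$key" ] || { echo "key file is empty" >&2; return 1; }
    case "$key" in
        *[[:space:]]*)
            echo "key contains whitespace; re-copy it from the stored listing" >&2
            return 1 ;;
    esac

    printf 'encryptionRecoveryKey=%s\n' "$key"
}

# Stand-alone usage with a constructed sample key (not a real key).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    save_key_file "$demo" "SAMPLE-RECOVERY-KEY-0000-1111"
    build_recovery_boot_option "$demo"
    rm -f "$demo"
fi
```

Run it as `sh check-recovery-key.sh --demo` to see the output line, or call `build_recovery_boot_option /path/to/stored-key` against the file you saved earlier; the printed line is what you append at the boot prompt in step 4, with no further editing.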

What to do next

When you enter the recovery key, it is briefly displayed in an untrusted environment and remains in memory. Though not necessary, as a best practice, you can remove residual traces of the key from memory by rebooting the host. Or, you can rotate the key. See Rotate the Secure ESXi Configuration Recovery Key.