You can use ESXCLI to rotate the secure ESXi configuration recovery key.

This task applies only to an ESXi host that has a TPM. You can rotate the ESXi secure configuration recovery key as part of your security best practices.


  • Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
  • Required privilege for using ESXCLI standalone version or through PowerCLI: Host.Config.Settings


  1. List the recovery key.
  2. Run the following command.
    esxcli system settings encryption recovery rotate [-k keyID] -u uuid

    In this command, the optional keyID is the key ID in the VMkernel key cache and uuid is the Recovery ID (obtained from the esxcli system settings encryption recovery list command). If you do not supply the optional key ID, ESXi replaces the old recovery key with a new recovery key that is randomly generated.


The recovery key is now set to the contents of the key referenced by key ID, if provided. Otherwise, ESXi provides a new key ID.