Rotate the Secure ESXi Configuration Recovery Key

You can use ESXCLI to rotate the secure ESXi configuration recovery key.

This task applies only to an ESXi host that has a TPM. You can rotate the ESXi secure configuration recovery key as part of your security best practices.

Prerequisites

Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
Required privilege for using ESXCLI standalone version or through PowerCLI: Host.Config.Settings

Procedure

List the recovery key.
See List the Contents of the Secure ESXi Configuration Recovery Key.
Run the following command.
```
esxcli system settings encryption recovery rotate [-k keyID] -u uuid
```
In this command, the optional keyID is the key ID in the VMkernel key cache and uuid is the Recovery ID (obtained from the esxcli system settings encryption recovery list command). If you do not supply the optional key ID, ESXi replaces the old recovery key with a new recovery key that is randomly generated.

Results

The recovery key is now set to the contents of the key referenced by key ID, if provided. Otherwise, ESXi provides a new key ID.