You can use ESXCLI to rotate the secure ESXi configuration recovery key using the CLI.

This task applies only to an ESXi host that has a TPM. You might want to rotate the ESXi secure configuration recovery key as part of your security best practices.


  • Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
  • Required privilege for using ESXCLI standalone version or through PowerCLI: Host.Config.Settings


  1. List the recovery key.
  2. Run the following command.
    esxcli system settings encryption recovery rotate -k keyID -u uuid

    In this command, keyID is the key ID in the VMkernel key cache and uuid is the Recovery ID (obtained from the esxcli system settings encyption recovery list command).


The recovery key is now set to the contents of the key referenced by key ID.