You can use ESXCLI to rotate the secure ESXi configuration recovery key.
- Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
- Required privilege for using ESXCLI standalone version or through PowerCLI:
- List the recovery key.
- Run the following command.
esxcli system settings encryption recovery rotate -k keyID -u uuid
In this command, keyID is the key ID in the VMkernel key cache and uuid is the Recovery ID (obtained from the esxcli system settings encryption recovery list command).
The recovery key is now set to the contents of the key referenced by key ID.