You can use ESXCLI to rotate the secure ESXi configuration recovery key.
- Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
- Required privilege for using the ESXCLI standalone version or through PowerCLI:
- List the recovery key.
- Run the following command.
esxcli system settings encryption recovery rotate [-k keyID] -u uuid
In this command, the optional keyID is the key ID in the VMkernel key cache and uuid is the Recovery ID (obtained from the esxcli system settings encryption recovery list command). If you do not supply the optional key ID, ESXi replaces the old recovery key with a new, randomly generated recovery key.
The recovery key is now set to the contents of the key referenced by the key ID, if you provided one. Otherwise, ESXi provides a new key ID.
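The procedure above as an added shell wrapper (example code, not from the VMware documentation): it takes the Recovery ID from the list output, runs the rotate command with or without a key ID, and fails if the listing did not change afterward. It assumes the list output shows the Recovery ID as a {UUID} token (the sample output below is constructed) and that ESXCLI points at an esxcli binary or wrapper.

```shell
#!/bin/sh
# Added example, not part of the VMware page. ESXCLI can be "esxcli" in the
# ESXi Shell or a wrapper that runs the command remotely.
ESXCLI="${ESXCLI:-esxcli}"

# Constructed sample of "recovery list" output, used only for offline testing.
# ASSUMPTION: the real output carries the Recovery ID as a {UUID} token.
SAMPLE_LIST='Recovery ID                             Key
--------------------------------------  ---
{11111111-2222-3333-4444-555555555555}  EXAMPLEKEY'

# Pull the first {UUID} token out of a "recovery list" listing.
extract_recovery_id() {
    printf '%s\n' "$1" |
        sed -n 's/.*\({[0-9A-Fa-f-]\{36\}}\).*/\1/p' | head -n 1
}

# Assemble the rotate command. $1 = Recovery ID (required), $2 = optional key ID
# from the VMkernel key cache; without $2 ESXi generates a random new key.
build_rotate_cmd() {
    if [ -z "$1" ]; then
        echo "build_rotate_cmd: Recovery ID is required" >&2
        return 1
    fi
    if [ -n "$2" ]; then
        printf '%s system settings encryption recovery rotate -k %s -u %s\n' \
            "$ESXCLI" "$2" "$1"
    else
        printf '%s system settings encryption recovery rotate -u %s\n' \
            "$ESXCLI" "$1"
    fi
}

# Full procedure: list, rotate, list again, and fail if nothing changed.
# $1 = optional key ID. Prints the new listing so the new key can be stored.
rotate_recovery_key() {
    before=$($ESXCLI system settings encryption recovery list) || return 1
    old_id=$(extract_recovery_id "$before")
    [ -n "$old_id" ] || { echo "no Recovery ID found in listing" >&2; return 1; }
    cmd=$(build_rotate_cmd "$old_id" "$1") || return 1
    $cmd || return 1
    after=$($ESXCLI system settings encryption recovery list) || return 1
    if [ "$after" = "$before" ]; then
        echo "rotation did not change the recovery listing" >&2
        return 1
    fi
    printf '%s\n' "$after"
}
```

Run rotate_recovery_key with no argument for a random new key, or pass a key ID as its only argument.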