You can use ESXCLI to show the contents of the secure ESXi configuration recovery key.

This task applies only to an ESXi host that has a TPM. In general, you list the contents of the secure ESXi configuration recovery key to create a backup, or as part of rotating recovery keys.


  • Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
  • Required privilege for using ESXCLI standalone version or through PowerCLI: Host.Config.Settings


  1. Run the following command on the ESXi host.
    esxcli system settings encryption recovery list
  2. Save the output in a secure, remote location as a backup, in case you must recover the secure configuration.


The recovery key ID and key are displayed.

Example: List the Secure ESXi Configuration Recovery Key

[root@host1] esxcli system settings encyption recovery list

Recovery ID                             Key
--------------------------------------  ---
{2DDD5424-7F3F-406A-8DA8-D62630F6C8BC}  478269-039194-473926-430939-686855-231401-642208-184477-602511