List the Contents of the Secure ESXi Configuration Recovery Key

You can use ESXCLI to show the contents of the secure ESXi configuration recovery key.

This task applies only to an ESXi host that has a TPM. In general, you list the contents of the secure ESXi configuration recovery key to create a backup, or as part of rotating recovery keys.

Prerequisites

Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
Required privilege for using ESXCLI standalone version or through PowerCLI: Host.Config.Settings

Procedure

Run the following command on the ESXi host.

esxcli system settings encryption recovery list

Save the output in a secure, remote location as a backup, in case you must recover the secure configuration.

Results

The recovery key ID and key are displayed.

Example: List the Secure ESXi Configuration Recovery Key

[root@host1] esxcli system settings encryption recovery list

Recovery ID                             Key
--------------------------------------  ---
{2DDD5424-7F3F-406A-8DA8-D62630F6C8BC}  478269-039194-473926-430939-686855-231401-642208-184477-602511
-225586-551660-586542-338394-092578-687140-267425