Under certain circumstances, the ESXi host cannot get the key (KEK) for an encrypted virtual machine or an encrypted virtual disk from vCenter Server. In that case, you can still unregister or reload the virtual machine. However, you cannot perform other virtual machine operations such as powering on the virtual machine or deleting the virtual machine. A vCenter Server alarm notifies you when an encrypted virtual machine is in a locked state. You can unlock a locked encrypted virtual machine by using the vSphere Client after taking the necessary steps to make the required keys available on the KMS.

If the virtual machine key is not available, the state of the virtual machine displays as invalid. The virtual machine cannot power on. If the virtual machine key is available, but a key for an encrypted disk is not available, the virtual machine state does not display as invalid. However, the virtual machine cannot power on and the following error results:
The disk [/path/to/the/disk.vmdk] is encrypted and a required key was not found.
Note: The following procedure illustrates the situations that can cause a virtual machine to become locked, the corresponding alarms and event logs that appear, and what to do in each case.

Procedure

  1. If the problem is the connection between the vCenter Server system and the KMS, a virtual machine alarm is generated and an error message appears in the event log.
    You must manually check the keys in the key provider, and restore the connection to the KMS. When the KMS and keys become available, unlock the locked virtual machines. See Unlock Locked Virtual Machines. You can also reboot the host and re-register the virtual machine to unlock it after restoring the connection.

    Losing the connection to the KMS does not automatically lock the virtual machine. The virtual machine only enters a locked state if the following conditions are met:

    • The key is not available on the ESXi host.
    • vCenter Server cannot retrieve keys from the KMS.

    After each reboot, an ESXi host must be able to reach vCenter Server. vCenter Server requests the key with the corresponding ID from the KMS and makes it available to ESXi.

    If, after restoring connection to the key provider, the virtual machine remains locked, see Unlock Locked Virtual Machines.

  2. If the connection is restored, register the virtual machine. If an error results when you attempt to register the virtual machine, verify that you have the Cryptographic operations.RegisterVM privilege for the vCenter Server system.
    This privilege is not required for powering on an encrypted virtual machine if the key is available. This privilege is required for registering the virtual machine if the key has to be retrieved.
  3. If the key is no longer available on the KMS, a virtual machine alarm is generated and an error message appears in the event log.
    Ask the KMS administrator to restore the key. You might encounter an inactive key if you are powering on a virtual machine that had been removed from the inventory and that had not been registered for a long time. It also happens if you reboot the ESXi host, and the KMS is not available.
    1. Retrieve the key ID by using the Managed Object Browser (MOB) or the vSphere API.
      Retrieve the keyId from VirtualMachine.config.keyId.keyId.
    2. Ask the KMS administrator to reactivate the key that is associated with that key ID.
    3. After restoring the key, see Unlock Locked Virtual Machines.
    If the key can be restored on the KMS, vCenter Server retrieves it and pushes it to the ESXi host the next time it is needed.
  4. If the KMS is accessible and the ESXi host is powered on, but the vCenter Server system is unavailable, follow these steps to unlock virtual machines.
    1. Restore the vCenter Server system, or set up a different vCenter Server system, then establish trust with the KMS.
      You must use the same key provider name, but the KMS IP address can be different.
    2. Reregister all virtual machines that are locked.
      The new vCenter Server instance retrieves the keys from the KMS and the virtual machines are unlocked.
  5. If the keys are missing only on the ESXi host, a virtual machine alarm is generated and the following message appears in the event log:
    Virtual machine is locked because keys are missing on host.
    The vCenter Server system can retrieve the missing keys from the key provider. No manual recovery of keys is required. See Unlock Locked Virtual Machines.