If the ESXi host cannot get the key (KEK) from vCenter Server for an encrypted virtual machine or an encrypted virtual disk, the encrypted VM becomes locked. After you make the keys available on the KMS, you can unlock a locked encrypted virtual machine.

Under certain circumstances when using a standard key provider, the ESXi host cannot get the key encryption key (KEK) for an encrypted virtual machine or an encrypted virtual disk from vCenter Server. In that case, you can still unregister or reload the virtual machine. However, you cannot perform other virtual machine operations such as powering on the virtual machine. After taking the necessary steps to make the required keys available on the KMS, you can unlock a locked encrypted virtual machine by using the vSphere Client.

If the virtual machine key is not available, a vCenter Server alarm notifies you and the state of the virtual machine displays as invalid. The virtual machine cannot power on. If the virtual machine key is available, but a key for an encrypted disk is not available, the virtual machine state does not display as invalid. However, the virtual machine cannot power on and the following error results:
The disk [/path/to/the/disk.vmdk] is encrypted and a required key was not found.
Note: The following procedure illustrates the situations that can cause a virtual machine to become locked, the corresponding alarms and event logs that appear, and what to do in each case.

Procedure

  1. If the problem is the connection between the vCenter Server system and the KMS, vCenter Server generates a virtual machine alarm. Also, an error message appears in the event log.
    Restore the connection to the KMS. When the KMS and keys become available, unlock the locked virtual machines. See Unlock Locked Virtual Machines. You can also reboot the host and re-register the virtual machine to unlock it after restoring the connection.

    Losing the connection to the KMS does not automatically lock the virtual machine. The virtual machine only enters a locked state if the following conditions are met:

    • The key is not available on the ESXi host.
    • vCenter Server cannot retrieve keys from the KMS.
    After each reboot, the ESXi host must be able to reach vCenter Server. vCenter Server requests the key with the corresponding ID from the KMS and makes it available to ESXi.
    Note: In vSphere 7.0 Update 2 and later, you can persist encryption keys across ESXi reboots. See Key Persistence Overview.

    If, after restoring connection to the key provider, the virtual machine remains locked, see Unlock Locked Virtual Machines.

  2. If the connection is restored, register the virtual machine. If an error results, or if the operation succeeds but the virtual machine is in a locked state, verify that you have the Cryptographic operations.RegisterVM privilege for the vCenter Server system.
    This privilege is not required for powering on an encrypted virtual machine if the key is available. This privilege is required for registering the virtual machine if the key has to be retrieved.
  3. If the key is no longer available on the KMS, vCenter Server generates a virtual machine alarm. Also, an error message appears in the event log.
    Ask the KMS administrator to restore the key. You might encounter an inactive key if you are powering on a virtual machine that had been removed from the inventory and that had not been registered for a long time. It also happens if you reboot the ESXi host, and the KMS is not available.
    1. Retrieve the key ID by using the Managed Object Browser (MOB) or the vSphere API.
      Retrieve the keyId from VirtualMachine.config.keyId.keyId.
    2. Ask the KMS administrator to reactivate the key that is associated with that key ID.
    3. After restoring the key, see Unlock Locked Virtual Machines.
    If the key can be restored on the KMS, vCenter Server retrieves it and pushes it to the ESXi host the next time it is needed.
  4. If the KMS is accessible and the ESXi host is powered on, but the vCenter Server system is unavailable, follow these steps to unlock virtual machines.
    1. Restore the vCenter Server system, or set up a different vCenter Server system, then establish trust with the KMS.
      You must use the same key provider name, but the KMS IP address can be different.
    2. Reregister all virtual machines that are locked.
      The new vCenter Server instance retrieves the keys from the KMS and the virtual machines are unlocked.
  5. If the keys are missing only on the ESXi host, vCenter Server generates a virtual machine alarm and the following message appears in the event log:
    Virtual machine is locked because keys are missing on host.
    The vCenter Server system can retrieve the missing keys from the key provider. No manual recovery of keys is required. See Unlock Locked Virtual Machines.