Starting in vSphere 7.0 Update 2, the ESXi configuration is protected by encryption. When an ESXi host is optionally protected by a TPM, the ESXi configuration encryption key is sealed by the TPM.
Many ESXi services store secrets in their configuration files. These configurations persist in an ESXi host's boot bank as an archived file. Beginning in vSphere 7.0 Update 2, this archived file is encrypted. As a result, attackers cannot read or alter this file directly, even if they have physical access to the ESXi host's storage.
In addition to preventing an attacker from accessing secrets, a secure ESXi configuration when used with a TPM can save virtual machine encryption keys across reboots. As a result, encrypted workloads can continue to function when a key server is unavailable or unreachable. See Key Persistence Overview.