ESXi Configuration Files Overview before vSphere 7.0 Update 2

The configuration of an ESXi host consists of configuration files for each service that runs on the host. The configuration files typically reside in the /etc/ directory, but they can also reside in other namespaces. The configuration files contain run-time information about the state of the services. Over time, the default values in the configuration files can change, for example, when you change settings on the ESXi host. A cron job backs up the ESXi configuration files periodically, or when ESXi shuts down gracefully, or on demand, and creates an archived configuration file in the boot bank. When ESXi reboots, it reads the archived configuration file and recreates the state that ESXi was in when the backup was taken. Before vSphere 7.0 Update 2, the archived configuration file is unencrypted. As a result, it is possible for an attacker who has access to the physical ESXi storage to read and alter this file while the system is offline.

Secure ESXi Configuration Overview

During the first boot after installing or upgrading the ESXi host to vSphere 7.0 Update 2 or later, the following occurs:

• If the ESXi host has a TPM, and it is enabled in the firmware, the archived configuration file is encrypted by an encryption key stored in the TPM. From this point on, the configuration of the host is sealed by the TPM.
• If the ESXi host does not have a TPM, ESXi uses a Key Derivation Function (KDF) to generate a secure configuration encryption key for the archived configuration file. The inputs to the KDF are stored on disk in the encryption.info file.

When the ESXi host reboots after the first boot, the following occurs:

• If the ESXi host has a TPM, the host must obtain the encryption key from the TPM for that specific host. If the TPM measurements satisfy the sealing policy that was used when creating the encryption key, then the host obtains the encryption key from the TPM.
• If the ESXi host does not have a TPM, ESXi reads information from the encryption.info file to unlock the secure configuration.

Secure ESXi Configuration Requirements

• ESXi 7.0 Update 2 or later
• TPM 2.0 for configuration encryption and ability to use a sealing policy

Secure ESXi Configuration Recovery Key

A secure ESXi configuration includes a recovery key. If you must recover the ESXi secure configuration, you use a recovery key whose contents you enter as a command-line boot option. You can list the recovery key to create a recovery key backup. You can also rotate the recovery key as part of your security requirements.

Taking a backup of the recovery key is an important part of managing your secure ESXi configuration. vCenter Server generates an alarm to remind you to back up the recovery key.

Recovery Key Alarm

Taking a backup of the recovery key is an important part of managing your secure ESXi configuration. Whenever an ESXi host in TPM mode is connected or reconnected to vCenter Server, vCenter Server generates an alarm to remind you to back up the recovery key. When you reset the alarm, it is not triggered again unless conditions change.

Best Practices for Secure ESXi Configuration

Follow these best practices for the recovery key:

• When you list a recovery key, it is temporarily displayed in an untrusted environment and is in memory. Remove traces of the key.
  • Rebooting the host removes the residual key in memory.
  • For enhanced protection, you can enable encryption mode on the host. See Enable Host Encryption Mode Explicitly.
• When you perform a recovery:
  • To eliminate any traces of the recovery key in an untrusted environment, reboot the host.
  • For enhanced security, rotate the recovery key to use a new key after having recovered the key one time.