The vSphere Trust Authority services are packaged and installed as part of the base ESXi image.

Starting and Stopping Services

In the vSphere Client, you can start, stop, and restart vSphere Trust Authority services that are running on an ESXi host. You can restart services after a configuration change or if you suspect functional or performance problems. To restart a service on an ESXi Trusted Host, you must log in to the host itself. See Start, Stop, and Restart vSphere Trust Authority Services.

Upgrading and Patching

Each time you upgrade or patch an ESXi Trusted Host, you must update the vSphere Trust Authority Cluster with the new ESXi version information. One way to do so is to upgrade or patch a test ESXi host, export the ESXi base image information, import the image file to the Trust Authority Cluster, then upgrade or patch the ESXi Trusted Hosts.

Upgrading Best Practices

Best practice for upgrading a vSphere Trust Authority infrastructure is to upgrade the Trust Authority vCenter Server and Trust Authority Hosts first. In this way, you get the most benefit from the latest vSphere Trust Authority features. However, you can perform separate, standalone upgrades of vCenter Server and ESXi hosts to meet specific business needs.

In general, follow this order for upgrading your vSphere Trust Authority infrastructure:

  1. Upgrade the Trust Authority Cluster vCenter Server.
  2. Upgrade the Trust Authority Hosts.
  3. Upgrade the Trusted Cluster vCenter Server.
  4. Upgrade the Trusted Hosts.

To ensure a smooth process, upgrade your Trust Authority Hosts and Trusted Hosts gradually, one host at a time.

Troubleshooting Upgrade Problems

If you encounter an unsuccessful upgrade of a Trust Authority Host, follow these steps.

  1. Remove the Trust Authority Host from the Trusted Cluster.
  2. Revert to the previous version of ESXi.
  3. Re-add the Trust Authority Host to the cluster as described in the VMware knowledge base article at https://kb.vmware.com/s/article/77234.
  4. Verify that the Trust Authority Host's configuration is consistent with the other Trust Authority Hosts in the Trust Authority Cluster. See Check Trusted Cluster Health.

When you upgrade a Trusted Host to a new version of ESXi, attestation fails until you update the Trust Authority Cluster with the new ESXi base image information. This behavior is expected. Until you fix the problem, you cannot encrypt new virtual machines or use existing virtual machines that were encrypted before the upgrade. Attestation error messages appear in the vSphere Client Recent Tasks pane and in the attestd.log, kmxa.log, and vpxd.log files.

To correct the problem, follow these steps.

  1. Run the Export-VMHostImageDb cmdlet to re-export the ESXi base images. See Step 5 in Collect Information About ESXi Hosts and vCenter Server to Be Trusted.
  2. Run the New-TrustAuthorityVMHostBaseImage cmdlet to reimport the new base image to the vCenter Server of the Trust Authority Cluster. See Step 8 in Import the Trusted Host Information to the Trust Authority Cluster.
  3. If you no longer need to attest the older versions of ESXi (that is, all the Trusted Hosts have been upgraded), run the Remove-TrustAuthorityVMHostBaseImage cmdlet to remove those versions. For example:
    # Get the Trust Authority Cluster object by name
    $vTA = Get-TrustAuthorityCluster 'vTA Cluster'
    # Collect the base images currently registered with the cluster
    $baseImages = Get-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $vTA
    # Remove every base image in the collection; filter $baseImages first if any version must remain
    Remove-TrustAuthorityVMHostBaseImage -VMHostBaseImage $baseImages
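The three correction steps above as a single PowerCLI script, added here as an illustration and not taken from the VMware documentation. The vCenter Server names, host name, cluster name, file path and version string are placeholders, and the filtering in step 3 assumes the base-image objects expose a VMHostVersion property.

```powershell
# Added example: re-export and re-import the ESXi base image after a Trusted Host upgrade.
# All server names, cluster names, host names, paths and versions below are placeholders (assumptions).
$trustedVC   = 'trusted-vcenter.example.local'   # vCenter Server of the Trusted Cluster
$vtaVC       = 'vta-vcenter.example.local'       # vCenter Server of the Trust Authority Cluster
$upgradedEsx = 'esxi-upgraded-01.example.local'  # a Trusted Host already running the new ESXi build
$imageFile   = 'C:\vta\image.tgz'

# Step 1: export the base image database from the upgraded host (session to the Trusted Cluster vCenter).
Connect-VIServer -Server $trustedVC -Credential (Get-Credential) | Out-Null
$vmhost = Get-VMHost -Name $upgradedEsx
Export-VMHostImageDb -VMHost $vmhost -FilePath $imageFile
Disconnect-VIServer -Server $trustedVC -Confirm:$false

# Step 2: import the exported image into the Trust Authority Cluster (session to the Trust Authority vCenter).
Connect-VIServer -Server $vtaVC -Credential (Get-Credential) | Out-Null
$vTA = Get-TrustAuthorityCluster 'vTA Cluster'
New-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $vTA -FilePath $imageFile

# Verify: list every base image the Trust Authority Cluster now attests against.
$baseImages = Get-TrustAuthorityVMHostBaseImage -TrustAuthorityCluster $vTA
$baseImages | Format-Table -AutoSize

# Step 3 (only once every Trusted Host runs the new build): remove superseded base images.
# Assumption: base-image objects expose a VMHostVersion property; the version string is a placeholder.
$currentVersion = '7.0.3'
$stale = $baseImages | Where-Object { $_.VMHostVersion -notlike "$currentVersion*" }
if ($stale) {
    Remove-TrustAuthorityVMHostBaseImage -VMHostBaseImage $stale
}
Disconnect-VIServer -Server $vtaVC -Confirm:$false
```

Run the script from a PowerCLI session that can reach both vCenter Server instances; the verification listing after step 2 is what confirms that attestation will succeed again for the new build.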

Backing Up the vSphere Trust Authority Configuration

Because most vSphere Trust Authority configuration information is stored on the ESXi hosts, the vCenter Server Backup does not back up this vSphere Trust Authority information. See Backing Up the vSphere Trust Authority Configuration.