Under certain circumstances, the ESXi host's encryption mode can become disabled.

An ESXi host requires that host encryption mode is enabled if it contains any encrypted virtual machines. If the host detects it is missing its host key, or if the key provider is unavailable, the host might fail to enable the encryption mode. vCenter Server generates an alarm when the host encryption mode cannot be enabled.

Procedure

  1. If the problem is the connection between the vCenter Server system and the key provider, an alarm is generated and an error message appears in the event log.
    You must restore the connection to the key provider that contains the encryption keys in question.
  2. If keys are missing, an alarm is generated and an error message appears in the event log.
    You must ensure that the keys are present in the key provider. Consult the documentation for your key management vendor for information about restoring from backup.

What to do next

If, after restoring connection to the key provider, or manually recovering keys to the key provider, the host's encryption mode remains disabled, re-enable the host encryption mode. See Re-Enable ESXi Host Encryption Mode.