Host encryption mode is enabled automatically when you perform an encryption task, provided the user performing it has the privilege required to enable encryption mode. After host encryption mode is enabled, all core dumps are encrypted so that sensitive information is not released to support personnel. If you no longer use virtual machine encryption on an ESXi host, you can disable encryption mode.

After encryption mode is enabled for an ESXi host, you might need to disable it. For example, you might need to disable encryption mode to generate an ESXi support bundle (using the vm-support command). Using the Disable Host Encryption mode toggle (Host > Configure > Security Profile > Edit Host Encryption Mode) does not work when key material exists on the host.

You can use the API to disable host encryption mode by invoking the CryptoManagerHostDisable API method.

The crypto modes, or states, defined for an ESXi host are:

  • pendingIncapable: The host is crypto disabled, that is, the host cannot perform vSphere Virtual Machine Encryption operations.
  • incapable: The host is not safe for receiving sensitive material.
  • prepared: The host is prepared for receiving sensitive material but does not have a host key set yet.
  • safe: The host is crypto safe (enabled), and has a host key set, that is, vSphere Virtual Machine Encryption operations are possible.

After you invoke CryptoManagerHostDisable on a host, the crypto state of the host changes as follows:

  • If the original host crypto state is incapable or prepared, the host crypto state is changed to incapable.
  • If the original host crypto state is safe, the host crypto state is changed to pendingIncapable.
  • If the host crypto state is pendingIncapable, the host crypto state is still pendingIncapable.

This task shows how to disable host encryption mode by using the vCenter Server Managed Object Browser (MOB). For more information about using the API, see the vSphere Web Services API documentation at https://developer.vmware.com/apis/968/vsphere.

Procedure

  1. Log in to the vCenter Server as an administrator.
  2. Unregister all encrypted virtual machines from the ESXi host whose encryption mode you want to disable.
  3. Access the MOB on the vCenter Server.
    https://vcenter_server/mob
  4. Invoke the CryptoManagerHostDisable method on a host.
    1. Under content name, click content.
    2. Under rootFolder, click group-D1 (Datacenters).
    3. Under childEntity, click the appropriate datacenter.
    4. Under hostFolder, click the appropriate host.
    5. Under childEntity, click the appropriate cluster.
    6. Under host, click the appropriate host.
    7. Under configManager, click configManager.
    8. Under cryptoManager, click CryptoManagerHost-number.
    9. Click CryptoManagerHostDisable.
      The host crypto state is changed to either pendingIncapable or incapable, depending on its original crypto state.
  5. Repeat step 4 for other hosts on which you want to disable encryption mode.
  6. Reboot the hosts.

Results

Once the host encryption mode is disabled, you cannot perform encryption operations, such as adding encrypted virtual machines, unless you re-enable the host encryption mode.

Note: After you reboot an ESXi host on which you disabled encryption mode, if the host crypto state was originally pendingIncapable, the host crypto state is still pendingIncapable. To re-enable host encryption mode, access the vCenter Server MOB again and invoke the ConfigureCryptoKey API method. When re-enabling host encryption mode, use the original host key ID if the host crypto state is pendingIncapable.
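The following added example is not part of the VMware documentation and not VMware's own code. It performs the same CryptoManagerHostDisable and ConfigureCryptoKey calls that the MOB procedure and the note above describe, but from a script, using pyvmomi (assumed installed; the object attributes host.runtime.cryptoState, host.runtime.cryptoKeyId, host.configManager.cryptoManager.Disable(), host.ConfigureCryptoKey() and vm.config.keyId are pyvmomi names the example assumes). The pure function state_after_disable encodes the crypto-state transitions listed above, and disable_host_encryption refuses to run while encrypted virtual machines are still registered on the host, which is the precondition step 2 of the procedure establishes. Connection details in the __main__ block are placeholders.

```python
"""Added example (not VMware's code): script the host encryption mode
disable / re-enable procedure that the MOB walkthrough above performs by
hand. Assumes pyvmomi and the vSphere object attributes named below."""

# Crypto states defined for an ESXi host (from the documentation above).
CRYPTO_STATES = ("incapable", "prepared", "safe", "pendingIncapable")


def state_after_disable(current_state: str) -> str:
    """Return the crypto state that CryptoManagerHostDisable leaves the host
    in, following the three documented transition rules."""
    if current_state not in CRYPTO_STATES:
        raise ValueError(f"unknown host crypto state: {current_state!r}")
    if current_state in ("incapable", "prepared"):
        return "incapable"
    # 'safe' becomes pendingIncapable; 'pendingIncapable' stays as it is.
    return "pendingIncapable"


def registered_encrypted_vms(host):
    """VMs registered on the host whose config carries a crypto key id.
    Assumption: encrypted VMs expose vim.vm.ConfigInfo.keyId (pyvmomi)."""
    return [vm for vm in host.vm
            if vm.config is not None and vm.config.keyId is not None]


def disable_host_encryption(host, dry_run=True):
    """Step 4 of the procedure: invoke CryptoManagerHostDisable on one host.
    Refuses while encrypted VMs are still registered (procedure step 2).
    Returns a summary; with dry_run=True nothing is changed on the host."""
    before = host.runtime.cryptoState
    expected = state_after_disable(before)
    leftovers = registered_encrypted_vms(host)
    if leftovers:
        raise RuntimeError("unregister encrypted VMs first: "
                           + ", ".join(vm.name for vm in leftovers))
    # Keep the host key id: the note above says a pendingIncapable host
    # must be re-enabled with its original key id.
    saved_key_id = host.runtime.cryptoKeyId
    if not dry_run:
        # pyvmomi exposes the WSDL method CryptoManagerHostDisable as Disable().
        host.configManager.cryptoManager.Disable()
    return {"host": host.name, "before": before,
            "expected_after": expected, "saved_key_id": saved_key_id}


def reenable_host_encryption(host, key_id=None):
    """Re-enable host encryption mode as in the note: ConfigureCryptoKey,
    passing the original host key id when the host is still pendingIncapable."""
    if host.runtime.cryptoState == "pendingIncapable" and key_id is None:
        raise ValueError("a pendingIncapable host must be re-enabled "
                         "with its original host key id")
    # Assumption: pyvmomi exposes HostSystem.ConfigureCryptoKey(keyId=...).
    host.ConfigureCryptoKey(keyId=key_id)


if __name__ == "__main__":
    # Placeholder connection details; adjust for your environment.
    import ssl
    from pyVim.connect import SmartConnect, Disconnect
    from pyVmomi import vim

    ctx = ssl.create_default_context()  # verify the vCenter certificate
    si = SmartConnect(host="vcenter_server", user="administrator@vsphere.local",
                      pwd="PLACEHOLDER_PASSWORD", sslContext=ctx)
    try:
        view = si.content.viewManager.CreateContainerView(
            si.content.rootFolder, [vim.HostSystem], True)
        for esx in view.view:
            # Dry run by default: shows what each host would transition to.
            print(disable_host_encryption(esx, dry_run=True))
        view.Destroy()
    finally:
        Disconnect(si)
```

Run it once with dry_run=True to confirm every target host reports no leftover encrypted VMs and the expected transition, then call disable_host_encryption(esx, dry_run=False) for each host and reboot them as step 6 requires; keep the returned saved_key_id so reenable_host_encryption can restore the original host key later.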