Host encryption mode is enabled automatically when you perform an encryption task, if the user has sufficient privilege to enable the encryption mode. After host encryption mode is enabled, all core dumps are encrypted to avoid the release of sensitive information to support personnel. If you no longer use virtual machine encryption with an ESXi host, you can disable encryption mode, either manually or by using the public API.

This task describes how to manually disable host encryption mode. As of vSphere 7.0, you can also disable encryption on a host, effective after the next reboot, by setting pendingIncapable in HostCryptoState. See


  1. Unregister all encrypted virtual machines from the host whose encryption mode you want to disable.
  2. Unregister the host from vCenter Server.
  3. (Optional) If the host is in a cluster, unregister the other encryption-enabled hosts in that cluster.
  4. Reboot all hosts that were unregistered.
  5. Register the hosts with vCenter Server again.


If you do not add encrypted virtual machines to the host, host encryption mode is disabled.
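
The following read-only pre-flight check for the procedure above is an added example, not VMware's own code. It assumes VMware PowerCLI with an existing Connect-VIServer session; the function name and host name are hypothetical, and treating the `safe` crypto state as "encryption-enabled" is this example's reading of the API.

```powershell
# Added example: read-only pre-flight check; changes nothing on the host or vCenter.
# Assumes VMware PowerCLI is loaded and Connect-VIServer has already been run.
function Get-HostEncryptionPreflight {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$HostName)

    $vmhost = Get-VMHost -Name $HostName -ErrorAction Stop

    # HostRuntimeInfo.cryptoState: incapable | prepared | safe | pendingIncapable
    $state = $vmhost.ExtensionData.Runtime.CryptoState

    # Step 1: a VM whose config carries a key ID is encrypted and must be
    # unregistered from this host before encryption mode can be disabled.
    $encryptedVMs = @(Get-VM -Location $vmhost |
        Where-Object { $null -ne $_.ExtensionData.Config.KeyId })

    # Step 3: other hosts in the same cluster that still report 'safe'
    # (assumption: 'safe' is what the procedure calls encryption-enabled).
    $cluster = Get-Cluster -VMHost $vmhost -ErrorAction SilentlyContinue
    $peers = @()
    if ($cluster) {
        $peers = @(Get-VMHost -Location $cluster |
            Where-Object { $_.Name -ne $vmhost.Name -and
                           $_.ExtensionData.Runtime.CryptoState -eq 'safe' })
    }

    [pscustomobject]@{
        Host              = $vmhost.Name
        CryptoState       = $state
        EncryptedVMs      = $encryptedVMs.Name
        ClusterPeersSafe  = $peers.Name
        ReadyToUnregister = ($encryptedVMs.Count -eq 0)
    }
}

# Run before step 1 and again after step 5; the host name is a placeholder.
Get-HostEncryptionPreflight -HostName 'esx01.example.test' | Format-List
```

Running it again after the hosts are re-registered shows whether the reported crypto state changed and whether any encrypted virtual machine has been added back to the host.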