If host encryption mode is enabled for the ESXi host, any core dumps in the vm-support package are encrypted. You can collect the package from the vSphere Client, and you can specify a password if you expect to decrypt the core dump later.

The vm-support package includes log files, core dump files, and more.


Inform your support representative that host encryption mode is enabled for the ESXi host. Your support representative might ask you to decrypt core dumps and extract relevant information.

Note: Core dumps can contain sensitive information. Follow your organization's security and privacy policy to protect sensitive information such as host keys.


  1. Log in to the vCenter Server system with the vSphere Client.
  2. Click Hosts & Clusters, and right-click the ESXi host.
  3. Select Export System Logs.
  4. In the dialog box, select Password for encrypted core dumps, and specify and confirm a password.
  5. Leave the defaults for other options or make changes if requested by VMware Technical Support, and click Export Logs.
    If you have not configured your browser to ask where to save files before downloading, the download starts. If you have configured your browser to ask where to save files, specify a location for the file.
  6. If your support representative asked you to decrypt the core dump in the vm-support package, log in to any ESXi host and follow these steps.
    1. Log in to the ESXi host and connect to the directory where the vm-support package is located.
      The filename follows the pattern esx.date_and_time.tgz.
    2. Make sure that the directory has enough space for the package, the uncompressed package, and the recompressed package, or move the package.
    3. Extract the package to the local directory.
      vm-support -x *.tgz .
      The resulting file hierarchy might contain core dump files for the ESXi host, usually in /var/core, and might contain multiple core dump files for virtual machines.
    4. Decrypt each encrypted core dump file separately.
      crypto-util envelope extract --offset 4096 --keyfile vm-support-incident-key-file 
      --password encryptedZdump decryptedZdump
      vm-support-incident-key-file is the incident key file that you find at the top level in the directory.

      encryptedZdump is the name of the encrypted core dump file.

      decryptedZdump is the name for the file that the command generates. Make the name similar to the encryptedZdump name.

    5. Provide the password that you specified when you created the vm-support package.
    6. Remove the encrypted core dumps, and compress the package again.
      vm-support --reconstruct 
  7. Remove any files that contain confidential information.