As part of your regular key rotation plans, you can use PowerCLI to update a vSphere Native Key Provider.

If you have a policy for key rotation, you can update the vSphere Native Key Provider and rekey the virtual machines that you encrypted with that key provider. You can also rekey the encrypted virtual machines without updating the key provider. In this case, only the virtual machine keys are changed. You must use PowerCLI to update the vSphere Native Key Provider.

Prerequisites

  • Required privilege: Cryptographic operations.Manage key servers
  • PowerCLI 12.3.0

Procedure

  1. In a PowerCLI session, run the Connect-VIServer cmdlet to connect as an administrator user to the vCenter Server where you generated the vSphere Native Key Provider that you want to update.
    Connect-VIServer -Server VC_ip_address -User admin_user -Password 'password'
  2. To update the key provider, run the Set-KeyProvider cmdlet.
    Set-KeyProvider -KeyProvider providerId -KeyId keyUuid
    A warning appears about backing up the configuration.
  3. To back up the key provider, run the Export-KeyProvider cmdlet.
    Export-KeyProvider -FilePath path_file_name

    You can also back up the key provider using the vSphere Client. See Back Up a vSphere Native Key Provider.
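The three steps above combined into one rotation script, as an added example that is not part of the VMware page: it resolves the provider by name, generates the new key ID, updates the provider, takes the backup immediately and fails loudly if the backup file was not written. Assumptions: Get-KeyProvider -Name returns the provider object, Set-KeyProvider and Export-KeyProvider accept that object on -KeyProvider, and the vCenter address, provider name and backup directory are placeholders.

```powershell
# Added example (not the VMware page's own code): rotate a vSphere Native Key Provider
# and take the mandatory backup in one PowerCLI (12.3.0 or later) run.
# Assumptions: Get-KeyProvider -Name resolves the provider; Set-KeyProvider and
# Export-KeyProvider accept the provider object on -KeyProvider; values below are placeholders.
param(
    [string]$VCenter      = 'vcenter.example.invalid',   # placeholder vCenter Server
    [string]$ProviderName = 'NKP-Prod',                  # placeholder provider name
    [string]$BackupDir    = 'C:\KeyProviderBackups'      # placeholder backup location
)

# Prompt for the administrator credential instead of embedding a password in the script.
$cred = Get-Credential -Message "vCenter administrator for $VCenter"
Connect-VIServer -Server $VCenter -Credential $cred -ErrorAction Stop | Out-Null

# Step 1 result: the provider object we are about to rotate.
$kp = Get-KeyProvider -Name $ProviderName -ErrorAction Stop

# Step 2: the updated provider needs a new key ID; vSphere Native Key Provider uses a UUID.
$newKeyId = [guid]::NewGuid().ToString()
Set-KeyProvider -KeyProvider $kp -KeyId $newKeyId -Confirm:$false
# The provider is now "Not Backed Up" until the export below succeeds.

# Step 3: back up straight away to a timestamped file (the Client's own backup is a .p12 file).
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupFile = Join-Path $BackupDir "$ProviderName-$stamp.p12"
Export-KeyProvider -KeyProvider $kp -FilePath $backupFile

# Do not treat the rotation as finished unless the backup actually exists on disk.
if (-not (Test-Path -Path $backupFile)) {
    throw "Backup of $ProviderName was not written to $backupFile; provider remains Not Backed Up."
}

# Re-read the provider so the reported state reflects the backup (expected: Active).
$kp = Get-KeyProvider -Name $ProviderName
"Provider {0}: new key ID {1}, backup written to {2}" -f $kp.Name, $newKeyId, $backupFile
$kp | Format-List *

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Store the exported file where the encrypted virtual machines cannot be recovered without it being needed, since anyone holding the backup can restore the provider.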

Results

When a key provider is updated, its status changes to Not Backed Up. After you back up the key provider, its status changes to Active.