You must activate key persistence on an ESXi host. It is not activated by default.

For conceptual information about key persistence, see vSphere Key Persistence on ESXi Hosts.


Requirements to activate key persistence:

  • ESXi 7.0 Update 2 or later
  • ESXi host installed with TPM 2.0
  • Have access to the ESXCLI command set. You can run ESXCLI commands remotely, or run them in the ESXi Shell.
Note: Key persistence is not necessary when using vSphere Native Key Provider. vSphere Native Key Provider is designed out-of-the-box to run without requiring access to a key server.

For additional security, the TPM can also use a sealing policy to prevent tampering during ESXi host boot. See What Are TPM Sealing Policies.


  1. Start a session on the ESXi host by using SSH or another remote console connection.
  2. Log in as root.
  3. Verify that the ESXi host is in TPM mode.
    esxcli system settings encryption get
    If the Mode appears as NONE, you must enable the TPM in the firmware of the host, and set the mode by running the following command.
    esxcli system settings encryption set --mode=TPM
  4. Activate or deactivate key persistence.
    1. To activate key persistence:
      esxcli system security keypersistence enable
    2. To deactivate persistence:
      esxcli system security keypersistence disable --remove-all-stored-keys