You can use the vSphere Client to delete a vSphere Native Key Provider from vCenter Server.

After you delete a vSphere Native Key Provider, virtual machines that have vTPMs or that are encrypted continue to run. If you reboot the ESXi host, its encrypted virtual machines enter a locked state. After you unregister these virtual machines, they enter a locked state when you try to re-register them. The only way to unlock the virtual machines is to restore the previous vSphere Native Key Provider.


Required privilege: Cryptographic operations.Manage key servers

Before you delete a vSphere Native Key Provider, rekey any encrypted virtual machines and datastores that were encrypted using that key provider to another key provider. See Rekey an Encrypted Virtual Machine Using the vSphere Client.

In addition, maintain a backup of the vSphere Native Key Provider in case you must rekey an encrypted virtual machine after deleting the key provider.


  1. Log in to the vCenter Server system with the vSphere Client.
  2. Browse the inventory list and select the vCenter Server instance.
  3. Click Configure, and under Security click Key Providers.
  4. Select the key provider you want to delete.
  5. Click Delete.
  6. Read the warning message and slide the slider all the way to the right.
  7. Click Delete.


The vSphere Native Key Provider is removed from the vCenter Server.