If your environment uses vSphere Virtual Machine Encryption, and if an error occurs on the ESXi host, the resulting core dump is encrypted to protect customer data. Core dumps that are included in the vm-support package are also encrypted.
Core Dumps on ESXi Hosts
When an ESXi host, a user world, or a virtual machine fails, a core dump is generated, and the host reboots. If the ESXi host has encryption mode enabled, the core dump is encrypted using a key that is in the ESXi key cache. (Depending on the key provider in use, the key comes from an external key server, the Key Provider Service, or vCenter Server). See How vSphere Virtual Machine Encryption Protects Your Environment for background information.
When an ESXi host is cryptographically "safe," and a core dump is generated, an event is created. The event indicates that a core dump occurred along with the following information: world name, occurring times, keyID of the key used to encrypt the core dump, and core dump filename. You can view the event in the Events viewer under Tasks and Events for the vCenter Server.
The following table shows encryption keys used for each core dump type, by vSphere release.
Core Dump Type | Encryption Key (ESXi 6.5) | Encryption Key (ESXi 6.7 and Later) |
---|---|---|
ESXi Kernel | Host Key | Host Key |
User World (hostd) | Host Key | Host Key |
Encrypted Virtual Machine (VM) | Host Key | Virtual Machine Key |
- In most cases, the key provider attempts to push the key to the ESXi host after reboot. If the operation is successful, you can generate the vm-support package and you can decrypt or re-encrypt the core dump. See Decrypt or Re-Encrypt an Encrypted Core Dump.
- If vCenter Server cannot connect to the ESXi host, you might be able to retrieve the key. See Resolve Missing Encryption Key Issues.
- If the host used a custom key, and that key differs from the key that vCenter Server pushes to the host, you cannot manipulate the core dump. Avoid using custom keys.
Core Dumps and vm-support Packages
When you contact VMware Technical Support because of a serious error, your support representative usually asks you to generate a vm-support package. The package includes log files and other information, including core dumps. If your support representatives cannot resolve the issues by looking at log files and other information, they might ask you to decrypt the core dumps and make relevant information available. To protect sensitive information such as keys, follow your organization's security and privacy policy. See Collect a vm-support Package for an ESXi Host That Uses Encryption.
Core Dumps on vCenter Server Systems
A core dump on a vCenter Server system is not encrypted. vCenter Server already contains potentially sensitive information. At the minimum, ensure that the vCenter Server is protected. See Securing vCenter Server Systems. You might also consider turning off core dumps for the vCenter Server system. Other information in log files can help determine the problem.
Collect a vm-support Package for an ESXi Host That Uses Encryption
If host encryption mode is enabled for the ESXi host, any core dumps in the vm-support package are encrypted. You can collect the package from the vSphere Client, and you can specify a password if you expect to decrypt the core dump later.
The vm-support package includes log files, core dump files, and more.
Prerequisites
Inform your support representative that host encryption mode is enabled for the ESXi host. Your support representative might ask you to decrypt core dumps and extract relevant information.
Procedure
Decrypt or Re-Encrypt an Encrypted Core Dump
You can decrypt or re-encrypt an encrypted core dump on your ESXi host by using the crypto-util CLI.
You can decrypt and examine the core dumps in the vm-support package yourself. Core dumps might contain sensitive information. Follow the security and privacy policy for your organization to protect sensitive information such as keys.
Prerequisites
The key that was used to encrypt the core dump must be available on the ESXi host that generated the core dump.