Resolve ESXi Host Encryption Mode Issues

Under certain circumstances, the ESXi host's encryption mode can become deactivated.

An ESXi host requires that host encryption mode is activated if it contains any encrypted virtual machines. If the host detects it is missing its host key, or if the key provider is unavailable, the host might fail to activate the encryption mode. vCenter Server generates an alarm when the host encryption mode cannot be activated.

Procedure

If the problem is the connection between the vCenter Server system and the key provider, an alarm is generated and an error message appears in the event log.
You must restore the connection to the key provider that contains the encryption keys in question.
If keys are missing, an alarm is generated and an error message appears in the event log.
You must ensure that the keys are present in the key provider. Consult the documentation for your key management vendor for information about restoring from backup.

What to do next

If, after restoring connection to the key provider, or manually recovering keys to the key provider, the host's encryption mode remains deactivated, re-activate the host encryption mode. See Re-Activate ESXi Host Encryption Mode.