Host encryption mode is activated automatically when a user performs an encryption task, if the user has sufficient privilege. After host encryption mode is activated, all core dumps are encrypted to avoid the release of sensitive information to support personnel. If you no longer use virtual machine encryption with an ESXi host, you can deactivate encryption mode.

After encryption mode is activated for an ESXi host, you might need to deactivate it. For example, you might need to deactivate encryption mode to generate an ESXi support bundle (using the vm-support command). Using the Host Encryption mode toggle (Host > Configure > Security Profile > Edit Host Encryption Mode) does not work when key material exists on the host.

You can use the API to deactivate host encryption mode by invoking the CryptoManagerHostDisable API method.

The crypto modes, or states, defined for an ESXi host are:

  • pendingIncapable: The host is crypto deactivated, that is, the host cannot perform vSphere Virtual Machine Encryption operations.
  • incapable: The host is not safe for receiving sensitive material.
  • prepared: The host is prepared for receiving sensitive material but does not have a host key set yet.
  • safe: The host is crypto safe (activated), and has a host key set, that is, vSphere Virtual Machine Encryption operations are possible.

After you invoke CryptoManagerHostDisable on a host, the crypto state of the host changes as follows:

  • If the original host crypto state is incapable or prepared, the host crypto state is changed to incapable.
  • If the original host crypto state is safe, the host crypto state is changed to pendingIncapable.
  • If the host crypto state is already pendingIncapable, it remains pendingIncapable.

This task shows how to deactivate host encryption mode by using the vCenter Server Managed Object Browser (MOB). For more information about using the API, see the vSphere Web Services API documentation at https://developer.vmware.com/apis/968/vsphere.

Procedure

  1. Log in to the vCenter Server as an administrator.
  2. Unregister all encrypted virtual machines from the ESXi host whose encryption mode you want to deactivate.
  3. Access the MOB on the vCenter Server.
    https://vcenter_server/mob
  4. Invoke the CryptoManagerHostDisable method on a host.
    1. Under content name, click content.
    2. Under rootFolder, click group-D1 (Datacenters).
    3. Under childEntity, click the appropriate datacenter.
    4. Under hostFolder, click the appropriate host.
    5. Under childEntity, click the appropriate cluster.
    6. Under host, click the appropriate host.
    7. Under configManager, click configManager.
    8. Under cryptoManager, click CryptoManagerHost-number.
    9. Click CryptoManagerHostDisable.
      The host crypto state is changed to either pendingIncapable or incapable, depending on its original crypto state.
  5. Repeat step 4 for other hosts on which you want to deactivate encryption mode.
  6. Reboot the hosts.

Results

Once the host encryption mode is deactivated, you cannot perform encryption operations, such as adding encrypted virtual machines, unless you re-activate the host encryption mode.

Note: After you reboot an ESXi host on which you deactivated encryption mode, if the host crypto state was originally pendingIncapable, the host crypto state is still pendingIncapable. To re-activate host encryption mode, re-access the vCenter Server MOB and invoke the ConfigureCryptoKey API method. When re-activating host encryption mode, use the original host key ID if the host crypto state is pendingIncapable.
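The state transitions listed above, the pre-check in step 2 of the procedure (no encrypted virtual machines may still be registered on the host), and the re-activation rule in the note can be scripted against the same API that the MOB exposes. The following is an added example written for this page, not VMware's code or tooling. The vSphere object model it relies on (HostSystem.runtime.cryptoState and runtime.cryptoKeyId, HostSystem.vm, VirtualMachineConfigInfo.keyId, HostSystem.configManager.cryptoManager, HostSystem.ConfigureCryptoKey, and the container-view walk in main()) is real; the pyvmomi method name Disable() for CryptoManagerHostDisable and the command-line wiring are assumptions. The functions are written against duck-typed host objects so the planning logic can be exercised offline; only main() needs pyvmomi and a vCenter Server.

```python
"""Plan and perform CryptoManagerHostDisable on ESXi hosts via pyvmomi.

Added example, not VMware's code. Object/property names are from the vSphere
Web Services API; the pyvmomi method name Disable() is an assumption.
"""

# Host crypto states as reported by HostRuntimeInfo.cryptoState.
INCAPABLE, PREPARED, SAFE, PENDING_INCAPABLE = (
    "incapable", "prepared", "safe", "pendingIncapable")


def state_after_disable(state):
    """Crypto state a host reaches after CryptoManagerHostDisable is invoked."""
    if state in (INCAPABLE, PREPARED):
        return INCAPABLE
    if state in (SAFE, PENDING_INCAPABLE):
        return PENDING_INCAPABLE
    raise ValueError(f"unknown host crypto state: {state!r}")


def registered_encrypted_vms(host):
    """Names of VMs still registered on the host that are (or may be) encrypted.

    An encrypted VM carries a CryptoKeyId in vm.config.keyId. A VM whose config
    cannot be read is reported too, because it cannot be proven unencrypted;
    the procedure requires all such VMs to be unregistered before disabling.
    """
    blocking = []
    for vm in host.vm:
        config = getattr(vm, "config", None)
        if config is None or getattr(config, "keyId", None) is not None:
            blocking.append(vm.name)
    return blocking


def plan_disable(host):
    """Pre-flight check: may the host be disabled, and what state will it reach?"""
    current = host.runtime.cryptoState
    expected = state_after_disable(current)   # raises on an unknown state
    blocking = registered_encrypted_vms(host)
    key = getattr(host.runtime, "cryptoKeyId", None)
    return {
        "host": host.name,
        "current_state": current,
        "blocking_vms": blocking,
        "ok": not blocking,
        "expected_state": expected if not blocking else current,
        # A host that ends up pendingIncapable must later be re-activated
        # with its original host key ID (see the note above), so record it.
        "reenable_key_id": key.keyId if expected == PENDING_INCAPABLE and key else None,
    }


def disable_host_encryption(host, dry_run=True):
    """Invoke CryptoManagerHostDisable if the pre-flight check passes."""
    plan = plan_disable(host)
    if plan["ok"] and not dry_run:
        # Assumption: pyvmomi exposes CryptoManagerHostDisable as Disable().
        host.configManager.cryptoManager.Disable()
    return plan


def reenable_host_encryption(host, key_id):
    """Re-activate host encryption mode with ConfigureCryptoKey.

    For a pendingIncapable host, key_id must be the original host key ID
    captured in plan_disable()['reenable_key_id'].
    """
    host.ConfigureCryptoKey(keyId=key_id)


if __name__ == "__main__":
    import argparse
    import getpass
    import ssl
    from pyVim.connect import SmartConnect, Disconnect   # pyvmomi
    from pyVmomi import vim

    ap = argparse.ArgumentParser(description="dry-run by default; --apply disables")
    ap.add_argument("vcenter")
    ap.add_argument("user")
    ap.add_argument("--apply", action="store_true")
    args = ap.parse_args()
    si = SmartConnect(host=args.vcenter, user=args.user, pwd=getpass.getpass(),
                      sslContext=ssl.create_default_context())
    try:
        content = si.RetrieveContent()
        # Same walk as the MOB steps (rootFolder > datacenter > hostFolder >
        # cluster > host), done with a recursive container view of HostSystems.
        view = content.viewManager.CreateContainerView(
            content.rootFolder, [vim.HostSystem], True)
        for esx in view.view:
            print(disable_host_encryption(esx, dry_run=not args.apply))
        view.DestroyView()
    finally:
        Disconnect(si)
```

Run it without --apply first: the printed plans show, per host, which registered VMs still carry a key and therefore block the operation, the state the host will land in, and (for hosts going to pendingIncapable) the key ID to keep for re-activation. Rebooting the hosts after a successful disable, as in step 6, is left to the operator.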