Host encryption mode is activated automatically when a user performs an encryption task, if the user has sufficient privilege. After host encryption mode is activated, all core dumps are encrypted to avoid the release of sensitive information to support personnel. If you no longer use virtual machine encryption with an ESXi host, you can deactivate encryption mode.
After encryption mode is activated for an ESXi host, you might need to deactivate it. For example, you might need to deactivate encryption mode to generate an ESXi support bundle (using the vm-support command). Using the Host Encryption mode toggle does not work when key material exists on the host.
You can use the API to deactivate host encryption mode by invoking the CryptoManagerHostDisable API method.
The crypto modes, or states, defined for an ESXi host are:
- pendingIncapable: The host is crypto deactivated, that is, the host cannot perform vSphere Virtual Machine Encryption operations.
- incapable: The host is not safe for receiving sensitive material.
- prepared: The host is prepared for receiving sensitive material but does not have a host key set yet.
- safe: The host is crypto safe (activated), and has a host key set, that is, vSphere Virtual Machine Encryption operations are possible.
After you invoke CryptoManagerHostDisable on a host, the crypto state of the host changes as follows:
- If the original host crypto state is incapable or prepared, the host crypto state is changed to incapable.
- If the original host crypto state is safe, the host crypto state is changed to pendingIncapable.
- If the host crypto state is pendingIncapable, the host crypto state is still pendingIncapable.
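The transitions above can be verified after the call rather than assumed. The following is an added example, not VMware code: it encodes the transition list and confirms that a host lands in the expected state. FakeHost, disable_and_verify, audit and the read_state / invoke_disable hooks are hypothetical names; in a real client the hooks would wrap reading the host crypto state and invoking CryptoManagerHostDisable.

```python
# Added example: checks a host's crypto state after CryptoManagerHostDisable.
# FakeHost is a constructed stand-in; the two callables are hypothetical hooks.
from dataclasses import dataclass
from typing import Callable

# Resulting crypto state after CryptoManagerHostDisable, per the list above.
AFTER_DISABLE = {
    "incapable": "incapable",
    "prepared": "incapable",
    "safe": "pendingIncapable",
    "pendingIncapable": "pendingIncapable",
}

@dataclass
class DisableResult:
    before: str
    expected: str
    observed: str

    @property
    def ok(self) -> bool:
        return self.observed == self.expected

def disable_and_verify(read_state: Callable[[], str],
                       invoke_disable: Callable[[], None]) -> DisableResult:
    """Invoke the disable call and confirm the host reached the expected state."""
    before = read_state()
    if before not in AFTER_DISABLE:
        # Refuse to act on a state this page does not define.
        raise ValueError(f"unknown host crypto state: {before!r}")
    invoke_disable()
    return DisableResult(before, AFTER_DISABLE[before], read_state())

class FakeHost:
    """Constructed in-memory host that follows the documented transitions."""
    def __init__(self, state: str, stuck: bool = False):
        self.state, self.stuck = state, stuck

    def disable(self) -> None:
        if not self.stuck:  # stuck=True simulates a call that had no effect
            self.state = AFTER_DISABLE[self.state]

def audit(hosts: dict) -> dict:
    """Return {host name: DisableResult} for an inventory of host objects."""
    return {name: disable_and_verify(lambda h=h: h.state, h.disable)
            for name, h in hosts.items()}
```

A result whose ok property is False means the host did not reach the state the transition list predicts and should be examined before it is treated as deactivated.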
This task shows how to deactivate host encryption mode by using the vCenter Server Managed Object Browser (MOB). For more information about using the API, see the vSphere Web Services API documentation at https://developer.vmware.com/apis/968/vsphere.
Procedure
Results
Once the host encryption mode is deactivated, you cannot perform encryption operations, such as adding encrypted virtual machines, unless you re-activate the host encryption mode.