As part of your regular key rotation plans, you can use PowerCLI to update a vSphere Native Key Provider.

If you have a policy for key rotation, you can update the vSphere Native Key Provider and rekey the virtual machines that you encrypted with that key provider. You must use PowerCLI to update the vSphere Native Key Provider. You can also rekey the encrypted virtual machines without updating the key provider. In this case, only the virtual machine keys are changed. To rekey a virtual machine, see Rekey an Encrypted Virtual Machine Using the vSphere Client.


  • Required privilege: Cryptographic operations.Manage key servers
  • PowerCLI 12.3.0


  1. In a PowerCLI session, run the Connect-VIServer cmdlet to connect as an administrator user to the vCenter Server where you configured the vSphere Native Key Provider that you want to update.
    Connect-VIServer -server VC_ip_address -User admin_user -Password 'password'
  2. To get your vSphere Native Key Provider names, run the Get-KeyProvider cmdlet with the optional Type parameter.
    Get-KeyProvider -Type NativeKeyProvider
  3. To update the key provider, run the Set-KeyProvider cmdlet, specifying your key provider name and GUID.
    You can generate a GUID to use by running the New-Guid cmdlet.
    Set-KeyProvider -KeyProvider KeyProvider_name -KeyId Guid
    A warning appears about backing up the configuration.
  4. To back up the key provider, run the Export-KeyProvider cmdlet.
    Export-KeyProvider -KeyProvider KeyProvider_name -FilePath path_file_name

    You can also back up the key provider using the vSphere Client. See Back up a vSphere Native Key Provider.


When a key provider is updated, its status changes to Not Backed Up. After you back up the key provider, its status changes to Active.