VxRail: How to gather the recovery keys for TPM security enabled VxRail nodes
Summary: This article provides options on how to gather the recovery keys for VxRail nodes that have been initialized with TPM and secure boot. This is critical information to be exported safely outside the VxRail system for TPM enabled systems as these keys may be needed during service activities such as system board replacements. ...
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Instructions
There are multiple ways to gather the TPM encryption, below are a couple suggestions that may help to do this proactively when a system gets installed with TPM activated or prior to a proactive replacement.
The overall official reference for this is per VMware documentation on how to List Content Keys for ESXi Security Configuration Recovery
Example: List the Secure ESXi Configuration Recovery Key
Save the zip, extract the script and run from a PowerShell/PowerCLI prompt with below options:
The overall official reference for this is per VMware documentation on how to List Content Keys for ESXi Security Configuration Recovery
Example: List the Secure ESXi Configuration Recovery Key
[root@host1] esxcli system settings encryption recovery list
Recovery ID Key
-------------------------------------- ---
{2DDD5424-7F3F-406A-8DA8-D62630F6C8BC} 478269-039194-473926-430939-686855-231401-642208-184477-602511
-225586-551660-586542-338394-092578-687140-267425 An alternative to gather and export the TPM recovery keys for large clusters leveraging PowerCLI could be the attached script with usage per below example.
Save the zip, extract the script and run from a PowerShell/PowerCLI prompt with below options:
- -vcenter param needs to be provided as IP or FQDN of your vCenter
- -vcuser param needs to be provided which should be an admin level user
- -vcpassword param is optional, if not provided then the script will prompt/ask for it (its more secure like this but in my lab its easier for testing to add the password)
NOTE: There is no magic that can retrieve the key when the host is already offline , this is a proactive tool when all hosts are online.
PS C:\powercli> .\GetTPMRecoveryKeys.ps1 -vcenter *.*.*.* -vcuser administrator@vsphere.local -vcpassword *****
∞ Connecting to provided vCenter x.x.x.x
∞
√ Connected to:
√
√ VCName VCVersion
√ ------ ---------
√ x.x.x.x 7.0.2
√
√
∞ - RDC
∞
∞ - cl01
∞ - esx01.rdc
∞ - Recovery ID:{xxxxxxx-9E3B-42A7-xxxxxxx-E4C180E8BACA}
∞ - Recovery Key:193974-212191-679120-487809-200490-163047-653307-xxxxxxx-044591-621531-432739-xxxxxxx-174648-394385-669925-174640
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx02.rdc
∞ - Recovery ID:{xxxxxxx-3DB9-4F8C-xxxxxxx-EC91E9782290}
∞ - Recovery Key:293832-328901-118681-432237-492188-375446-689739-076446-xxxxxxx-330911-097690-348733-350329-xxxxxxx-619754-501857
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx03.rdc
∞ - Recovery ID:{xxxxxxx-B4E4-4B1A-xxxxxxx-F71DBB81B6E7}
∞ - Recovery Key:430023-424502-371384-341740-xxxxxxx-709307-578925-153259-682162-231900-583516-122672-xxxxxxx-304009-275146-701353
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx04.rdc
∞ - Recovery ID:{xxxxxxx-5420-4CCE-xxxxxxx-F5DDBDB06889}
∞ - Recovery Key:167431-630730-230210-359626-580397-199776-xxxxxxx-577309-191925-221351-191861-xxxxxxx-622205-047984-206484-018858
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx05.rdc
∞ - No Key retrieved, Validate TPM settings/config if its expected:
∞ - Mode: NONE
∞ - Require Executables Only From Installed VIBs: false
∞ - Require Secure Boot: false
∞ - esx06.rdc
∞ - No Key retrieved, Validate TPM settings/config if its expected:
∞ - Mode: NONE
∞ - Require Executables Only From Installed VIBs: false
∞ - Require Secure Boot: false
∞ - esx07.rdc
∞ - Recovery ID:{xxxxxxx-E916-41DE-xxxxxxx-0EFA439CAAA6}
∞ - Recovery Key:347578-144805-170128-170921-xxxxxxx-184321-229917-051564-128587-493711-367190-xxxxxxx-682683-335612-344600-352356
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx08.rdc
∞ - No Key retrieved, Validate TPM settings/config if its expected:
∞ - Mode: NONE
∞ - Require Executables Only From Installed VIBs: false
∞ - Require Secure Boot: false
∞
∞ Do u wish to export the results as csv (TPMKeysExport.csv)? write y and enter to export.: y
∞ Exporting TPMKeysExport.csv in the script directory.
√ All done.
An example for fully configured cluster:
Figure 1: An example for fully configured cluster:
Additional Information
- See VMware article, Securing ESXi Hosts with the Trusted Platform Module
- See VMware article, TPM Sealing Policies Overview
- See VMware article, List Content Keys for ESXi Security Configuration Recovery
Affected Products
VxRail Appliance Series, VxRail E660N, VxRail SoftwareProducts
VxRail Appliance FamilyAttachments
Article Properties
Article Number: 000204006
Article Type: How To
Last Modified: 11 Nov 2024
Version: 8
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.