Unlocking TPM Encryption Recovery Keys for VMware ESXi

As a VMware administrator, I recently encountered the “TPM Encryption Recovery Key Backup Alarm” in vCenter while managing my ESXi hosts. This alarm message is prompted when a host containing a TPM 2.0 device is not able to decrypt its configuration files during boot-up. If you have not backed up your TPM encryption recovery key, you may encounter issues such as a purple screen of death (PSOD) or failed boot-ups. In this blog post, I will discuss the reasons why this issue occurs and provide a solution to back up your TPM encryption recovery key using PowerCLI.

Reasons for the “TPM Encryption Recovery Key Backup Alarm”
----------------------------------------------------------

The “TPM Encryption Recovery Key Backup Alarm” is prompted when a host containing a TPM 2.0 device cannot decrypt its configuration files during boot-up. This can occur due to several reasons, including:

* Clearing the TPM: If you have accidentally cleared the TPM, it will no longer be able to decrypt the configuration files, leading to the alarm message.

* Failed TPM device: If your TPM device has failed, it will not be able to decrypt the configuration files, resulting in the alarm message.

* Replaced motherboard: If you have replaced the motherboard of your ESXi host, it may not be able to decrypt the configuration files if the new motherboard does not support TPM 2.0.

Solution – Backing up your TPM Encryption Recovery Key using PowerCLI
---------------------------------------------------------------------

To avoid encountering issues due to the “TPM Encryption Recovery Key Backup Alarm,” it is essential to back up your TPM encryption recovery key. You can use PowerCLI to capture all of your TPM recovery keys for easy archiving. Here’s a short PowerCLI script that you can use:

```powershell
Connect-VIServer -Server '<vcenter-fqdn>'   # placeholder: your vCenter Server
foreach ($vmhost in Get-VMHost) {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $enc = $esxcli.system.settings.encryption.get.Invoke()             # esxcli system settings encryption get
    $rec = $esxcli.system.settings.encryption.recovery.list.Invoke()   # esxcli system settings encryption recovery list
    [pscustomobject]@{
        VMHost = $vmhost.Name; RecoveryMode = $enc.Mode
        ExecInstalledOnlyEnforced = $enc.RequireExecutablesOnlyFromInstalledVIBs
        UEFISecureBootRequired = $enc.RequireSecureBoot
        RecoveryID = $rec.RecoveryID; RecoveryKey = $rec.Key
    }
}
```

This script interrogates each VMware ESXi host connected within the VMware vCenter Server and lists its current encryption mode, whether or not enforcement of execInstalledOnly is enabled, whether or not UEFI Secure Boot is required, the recovery ID, and the recovery key. The output should be similar to the following:

```
RecoveryMode : Enabled
ExecInstalledOnlyEnforced : False
UEFISecureBootRequired : False
RecoveryID : 0x12345678
RecoveryKey :
```

If you would like to capture this information for backup purposes (as VMware recommends), you can easily add an `| Export-Csv filename.csv` option to the last line of the script to capture the data in a file. For example, to save the recovery keys to a file named “RecoveryKeys.csv,” you can use the following command:

```powershell
Connect-VIServer -Server '<vcenter-fqdn>'   # placeholder: your vCenter Server
$keys = foreach ($vmhost in Get-VMHost) {
    $esxcli = Get-EsxCli -VMHost $vmhost -V2
    $enc = $esxcli.system.settings.encryption.get.Invoke()
    $rec = $esxcli.system.settings.encryption.recovery.list.Invoke()
    [pscustomobject]@{
        VMHost = $vmhost.Name; RecoveryMode = $enc.Mode
        ExecInstalledOnlyEnforced = $enc.RequireExecutablesOnlyFromInstalledVIBs
        UEFISecureBootRequired = $enc.RequireSecureBoot
        RecoveryID = $rec.RecoveryID; RecoveryKey = $rec.Key
    }
}
# One row per host; the path is the example location used in this post
$keys | Export-Csv -Path 'C:\RecoveryKeys.csv' -NoTypeInformation
```

Best Practices for Backing up your TPM Encryption Recovery Key
--------------------------------------------------------------

To ensure that you can easily recover your ESXi host’s configuration files in case of a failure, it is essential to store the recovery key securely and privately. Here are some best practices for backing up your TPM encryption recovery key:

* Store the recovery key in a secure location: You should store the recovery key in a secure location, such as an encrypted file or a hardware security module (HSM).

* Keep the recovery key private: Do not share the recovery key with anyone, as it can be used to access your ESXi host’s configuration files.

* Update your archive regularly: As you replace or add new ESXi hosts, be sure to update your archive regularly to reflect any changes in your TPM encryption recovery keys.
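A check for the last practice, added here as an example rather than code from the original post: it compares a fresh export against the archived CSV and flags hosts whose archive entry is missing or stale, so the archive is refreshed before a host ever needs its key. It assumes the VMHost/RecoveryID/RecoveryKey columns produced by the export script above; the function name and all sample rows are constructed.

```powershell
# Compare a fresh export against the archived CSV and report each host as
# Current, NewHost, KeyChanged (RecoveryID differs) or Removed. Comparing on
# RecoveryID keeps the key material itself out of the report.
function Compare-RecoveryKeyArchive {
    param(
        [Parameter(Mandatory)] [object[]] $Archived,  # rows from the stored CSV
        [Parameter(Mandatory)] [object[]] $Current    # rows from a fresh export
    )
    $old = @{}; foreach ($r in $Archived) { $old[$r.VMHost] = $r }
    $new = @{}; foreach ($r in $Current)  { $new[$r.VMHost] = $r }
    foreach ($h in (@($old.Keys) + @($new.Keys) | Sort-Object -Unique)) {
        $status = if (-not $old.ContainsKey($h)) { 'NewHost' }
                  elseif (-not $new.ContainsKey($h)) { 'Removed' }
                  elseif ($old[$h].RecoveryID -ne $new[$h].RecoveryID) { 'KeyChanged' }
                  else { 'Current' }
        [pscustomobject]@{ VMHost = $h; Status = $status }
    }
}

# Constructed sample rows standing in for Import-Csv of the archive and of the
# live export; host names, IDs and keys are placeholders, not real values.
$archived = @'
VMHost,RecoveryID,RecoveryKey
esx01.example.local,{ID-AAAA},KEY-PLACEHOLDER-1
esx02.example.local,{ID-BBBB},KEY-PLACEHOLDER-2
esx03.example.local,{ID-CCCC},KEY-PLACEHOLDER-3
'@ | ConvertFrom-Csv

$current = @'
VMHost,RecoveryID,RecoveryKey
esx01.example.local,{ID-AAAA},KEY-PLACEHOLDER-1
esx02.example.local,{ID-DDDD},KEY-PLACEHOLDER-4
esx04.example.local,{ID-EEEE},KEY-PLACEHOLDER-5
'@ | ConvertFrom-Csv

$report = Compare-RecoveryKeyArchive -Archived $archived -Current $current
$report | Format-Table -AutoSize
$stale = $report | Where-Object Status -ne 'Current'
if ($stale) { Write-Warning "Archive needs updating for: $($stale.VMHost -join ', ')" }
```

In a scheduled job, replace the two sample blocks with `Import-Csv` of the archived file and the output of the export script, and treat any non-Current status as a signal to re-run the backup.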

Conclusion
----------

In conclusion, the “TPM Encryption Recovery Key Backup Alarm” is a critical issue that can occur when managing VMware ESXi hosts containing TPM 2.0 devices. To avoid encountering issues and ensure that you can easily recover your ESXi host’s configuration files, it is essential to back up your TPM encryption recovery key using PowerCLI. By following the best practices outlined in this blog post, you can ensure that your TPM encryption recovery key is stored securely and kept private.