From vSphere 7.0 Update 2 and onwards VMware encurage you to make a backup of your host encryptions keys, when you are using TPM. https://kb.vmware.com/s/article/81661
Here is a script that will make it easy for you if you cannot be bothered with logging in to each host using SSH.
The script will list all hosts and their keys for safe keeping. The output is in markdown table format.
Import-Module VMware.PowerCLI
Connect-VIServer vm-vcenter01-p
$VMHosts = get-vmhost | Sort-Object
$firstRun = $true
foreach ($VMHost in $VMHosts) {
$esxcli = Get-EsxCli -VMHost $VMHost
if ($firstRun) {
Write-Host "|Hostname|RecoveryID|Key|"
Write-Host "|-|-|-|"
$firstRun = $false
}
try {
$key = $esxcli.system.settings.encryption.recovery.list()
$recoveryid = $($key.RecoveryID).replace("{","").replace("}","")
Write-Host "|$VMHost|$recoveryid|$($key.Key)|"
}
catch {
}
}