FromvSphere 7.0 Update 2 and onwards VMware encurage you to make a backup of your host encryptions keys, when you are using TPM. https://kb.vmware.com/s/article/81661
Here is a script that will make it easy for you if you cannot be bothered with logging in to each host using SSH.
The script will list all hosts and their keys for safe keeping.
Import-Module VMware.PowerCLI
Connect-VIServer <vCenter>
$VMHosts = get-vmhost | Sort-Object
foreach ($VMHost in $VMHosts) {
$esxcli = Get-EsxCli -VMHost $VMHost
try {
$key = $esxcli.system.settings.encryption.recovery.list()
Write-Host "$VMHost;$($key.RecoveryID);$($key.Key)"
}
catch {
}
}
Handy script – thanks!
Just to note that you’ll get warned about use of a deprecated cmdlet interface (script still runs OK). Here’s the -v2 cmdlet version, only two minor changes:
# Updated -V2 cmdlet version
foreach ($VMHost in $VMHosts) {
$esxcli = Get-EsxCli -VMHost $VMHost -V2
try {
$key = $esxcli.system.settings.encryption.recovery.list.invoke()
Write-Host “$VMHost;$($key.RecoveryID);$($key.Key)”
}
catch {
}
}