PowerCLI: TPM Encryption Recovery Key Backup

FromvSphere 7.0 Update 2 and onwards VMware encurage you to make a backup of your host encryptions keys, when you are using TPM. https://kb.vmware.com/s/article/81661

Here is a script that will make it easy for you if you cannot be bothered with logging in to each host using SSH.

The script will list all hosts and their keys for safe keeping.

Import-Module VMware.PowerCLI
Connect-VIServer <vCenter>

$VMHosts = get-vmhost | Sort-Object

foreach ($VMHost in $VMHosts) {
    $esxcli = Get-EsxCli -VMHost $VMHost
    try {
        $key = $esxcli.system.settings.encryption.recovery.list()
        Write-Host "$VMHost;$($key.RecoveryID);$($key.Key)"
    }

    catch {
        
    }
}

One thought on “PowerCLI: TPM Encryption Recovery Key Backup”

  1. Handy script – thanks!

    Just to note that you’ll get warned about use of a deprecated cmdlet interface (script still runs OK). Here’s the -v2 cmdlet version, only two minor changes:

    # Updated -V2 cmdlet version
    foreach ($VMHost in $VMHosts) {
    $esxcli = Get-EsxCli -VMHost $VMHost -V2
    try {
    $key = $esxcli.system.settings.encryption.recovery.list.invoke()
    Write-Host “$VMHost;$($key.RecoveryID);$($key.Key)”
    }

    catch {

    }
    }

Leave a Reply

Your email address will not be published. Required fields are marked *