From vSphere 7.0 Update 2 and onwards VMware encurage you to make a backup of your host encryptions keys, when you are using TPM. https://kb.vmware.com/s/article/81661
Here is a script that will make it easy for you if you cannot be bothered with logging in to each host using SSH.
The script will list all hosts and their keys for safe keeping.
Import-Module VMware.PowerCLI
Connect-VIServer <vCenter>
$VMHosts = get-vmhost | Sort-Object
foreach ($VMHost in $VMHosts) {
$esxcli = Get-EsxCli -VMHost $VMHost
try {
$key = $esxcli.system.settings.encryption.recovery.list()
Write-Host "$VMHost;$($key.RecoveryID);$($key.Key)"
}
catch {
}
}