ESXi

  • 1.  Decrypt encrypted state.tgz (Update https://kb.vmware.com/s/article/2043048)

    Posted Sep 01, 2021 04:38 PM

    https://kb.vmware.com/s/article/2043048

    Describes how to manually restore the state.tgz from ESXi.

    However, it seems nowadays the files within are encrypted too (local.tgz.ve). There is also an "encryption.info" file which maybe contains the key? The auto-backup.sh file contains some snippets for decryption. I need to decrypt the files either on another system or back up the files in an unencrypted way.

    Is there any way to do this? I can manually tinker with the auto-backup.sh file but then I'd also need to back this up somehow.

    The file mentions a feature flag "ESXConfigEncryption" but I don't know where I can set this persistently in order to turn it off.

    Alternatively some command to decrypt the file (ideally on another system) would be useful.

     



  • 2.  RE: Decrypt encrypted state.tgz (Update https://kb.vmware.com/s/article/2043048)

    Posted Feb 15, 2023 02:12 PM

    Hello,

    Did you find a way to decrypt the local.tgz.ve file?

    Regards



  • 3.  RE: Decrypt encrypted state.tgz (Update https://kb.vmware.com/s/article/2043048)

    Broadcom Employee
    Posted Feb 15, 2023 06:28 PM

    The following should work:

    crypto-util envelope extract --aad ESXConfiguration local.tgz.ve local.tgz


  • 4.  RE: Decrypt encrypted state.tgz (Update https://kb.vmware.com/s/article/2043048)

    Posted Feb 15, 2023 09:27 PM

    Hello lamw,

    Thanks for your answer!

    In fact, I'm trying to reset an ESXi root password.

    I took local.tgz.ve from the ESXi host where I lost the root password to another one.

    When trying this:

    crypto-util ++coreDumpEnabled=false,mem=20 envelope extract --aad ESXConfiguration /TEST/local.tgz.ve /TEST/local.tgz

    I got this error:

    crypto-util envelope: ESXi kernel key cache error searching for '6ae1a702-229b-4ff1-8ebf-ee9d87747871': Not found.

    Do you have any suggestions?

    Regards, 

    MBC



  • 5.  RE: Decrypt encrypted state.tgz (Update https://kb.vmware.com/s/article/2043048)

    Posted Jan 19, 2024 03:26 PM

    That command only seems to work if it's executed within the ESXi host itself. Is there any way to do this externally for a state.tgz extracted from a crashed or breached ESXi host?



  • 6.  RE: Decrypt encrypted state.tgz (Update https://kb.vmware.com/s/article/2043048)

    Posted Mar 14, 2024 02:31 PM

    Hello, I really would like to know how to make this command work when not on the same ESXi host, since the main purpose of editing state.tgz is to recover the root password in case you forgot it.

    And you can't log in to the ESXi host if you don't remember the root password (while you can get state.tgz with local.tgz.ve from the boot device).



  • 7.  RE: Decrypt encrypted state.tgz (Update https://kb.vmware.com/s/article/2043048)

    Broadcom Employee
    Posted Mar 14, 2024 03:20 PM

    Reinstall ESXi or use a Host Profile to reset the root password: https://kb.vmware.com/s/article/1317898

     



  • 8.  RE: Decrypt encrypted state.tgz (Update https://kb.vmware.com/s/article/2043048)

    Posted Mar 14, 2024 04:21 PM

    That's not really the answer to the question regarding how to get into local.tgz.ve.

    Let's ask a different way. How to restore local.tgz.ve from ESXi in case of emergency, when you can get into the FAT32 filesystem (from a different host), but boot fails with a corrupted module, so you can't boot into the old ESXi?



  • 9.  RE: Decrypt encrypted state.tgz (Update https://kb.vmware.com/s/article/2043048)

    Posted 27 days ago

    Has there been any more about this? I'm in the same boat.




  • 10.  RE: Decrypt encrypted state.tgz (Update https://kb.vmware.com/s/article/2043048)

    Posted 20 days ago

    Same issue here: the root password got changed but was not documented correctly, and now we are not able to access the host anymore. I have followed the instructions with a live Linux but also failed at the encrypted local.tgz.ve file.