VMware vSphere

  • 1.  ESXi host keys and Native Key Provider

    Posted Mar 09, 2025 06:45 PM

    So we have a cluster using a Native Key Provider to encrypt some VMs on vSphere 8. This cluster previously had a different NKP that was deleted several months ago; however, the ESXi hosts themselves have not been re-keyed or rebooted and are still attached to the old NKP. Since that time, quite a number of VMs have been created with the new NKP. Will those new VMs have problems if the ESXi host keys are re-generated? I'm assuming these host keys are for the protection of the ESXi host itself, and separate from the key derivation key on the hosts? And that the TPM would have KDKs for each NKP installed on a cluster? I just want to make sure I don't render these new VMs unusable by cleaning this stuff up. Thanks!



  • 2.  RE: ESXi host keys and Native Key Provider

    Posted Mar 10, 2025 03:28 AM

    Hi Mdrugge,

    Thanks, I worked around the problem by reinstalling vCenter. I was then able to recreate the NKP and simply "back up" it without errors.
    Thanks, and have a good week!
    Best regards
    Werner




  • 3.  RE: ESXi host keys and Native Key Provider

    Posted Mar 10, 2025 04:51 PM

    Werner, thanks for your note. I'm really hoping I don't have to do anything that extensive, and that maybe I'm just worrying too much. I have found that I can change the key on the ESXi hosts, and that all the VMs indicate they are keyed with the new NKP. I guess I'm just worried that the VMs can no longer be encrypted if I change the keys on all of the hosts, even if the correct NKP is up and running, and will end up in a locked state. I am hoping to get an answer on whether the TPM module can hold the KEKs for more than one NKP, and encrypt VMs based on the NKP specified, even if it's not the same NKP encrypting the host's data.