VxRail: How to Gather the Recovery Keys for TPM Security Enabled VxRail Nodes
Summary: This article provides options on how to gather the recovery keys for VxRail nodes that have been initialized with Trusted Platform Module (TPM) and secure boot. This is critical information to be exported safely outside the VxRail system for TPM enabled systems as these keys may be needed during service activities such as system board replacements. ...
This article applies to
This article does not apply to
This article is not tied to any specific product.
Not all product versions are identified in this article.
Instructions
There are multiple ways to gather the TPM encryption, below are a couple suggestions that may help to do this proactively when a system gets installed with TPM activated or prior to a proactive replacement.
The overall official reference for this is per VMware documentation on how to List the Contents of the Secure ESXi Configuration Recovery Key.
Example: List the Secure ESXi Configuration Recovery Key.
[root@host1] esxcli system settings encryption recovery list
Recovery ID Key
-------------------------------------- ---
{2DDD5424-7F3F-406A-8DA8-D62630F6C8BC} 478269-039194-473926-430939-686855-231401-642208-184477-602511
-225586-551660-586542-338394-092578-687140-267425
An alternative to gather and export the TPM recovery keys for large clusters leveraging PowerCLI could be the attached script with usage per below example.
Save the .zip, extract the script, and run from a PowerShell/PowerCLI prompt with the below options:
-vcenterparam must be provided as IP or FQDN of your vCenter-vcuserparam must be provided which should be an admin level user-vcpasswordparam is optional, if not provided then the script prompts for it (it is more secure like this but in my lab, it is easier for testing to add the password)
NOTE: There is no magic that can retrieve the key when the host is already offline, this is a proactive tool when all hosts are online.
PS C:\powercli> .\GetTPMRecoveryKeys.ps1 -vcenter *.*.*.* -vcuser administrator@vsphere.local -vcpassword *****
∞ Connecting to provided vCenter x.x.x.x
∞
√ Connected to:
√
√ VCName VCVersion
√ ------ ---------
√ x.x.x.x 7.0.2
√
√
∞ - RDC
∞
∞ - cl01
∞ - esx01.xxxx
∞ - Recovery ID:{xxxxxxx-9E3B-42A7-xxxxxxx-E4C180E8BACA}
∞ - Recovery Key:193974-212191-679120-487809-200490-163047-653307-xxxxxxx-044591-621531-432739-xxxxxxx-174648-394385-669925-174640
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx02.xxxx
∞ - Recovery ID:{xxxxxxx-3DB9-4F8C-xxxxxxx-EC91E9782290}
∞ - Recovery Key:293832-328901-118681-432237-492188-375446-689739-076446-xxxxxxx-330911-097690-348733-350329-xxxxxxx-619754-501857
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx03.xxx
∞ - Recovery ID:{xxxxxxx-B4E4-4B1A-xxxxxxx-F71DBB81B6E7}
∞ - Recovery Key:430023-424502-371384-341740-xxxxxxx-709307-578925-153259-682162-231900-583516-122672-xxxxxxx-304009-275146-701353
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx04.xxx
∞ - Recovery ID:{xxxxxxx-5420-4CCE-xxxxxxx-F5DDBDB06889}
∞ - Recovery Key:167431-630730-230210-359626-580397-199776-xxxxxxx-577309-191925-221351-191861-xxxxxxx-622205-047984-206484-018858
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx05.xxx
∞ - No Key retrieved, Validate TPM settings/config if its expected:
∞ - Mode: NONE
∞ - Require Executables Only From Installed VIBs: false
∞ - Require Secure Boot: false
∞ - esx06.xxx
∞ - No Key retrieved, Validate TPM settings/config if its expected:
∞ - Mode: NONE
∞ - Require Executables Only From Installed VIBs: false
∞ - Require Secure Boot: false
∞ - esx07.xxx
∞ - Recovery ID:{xxxxxxx-E916-41DE-xxxxxxx-0EFA439CAAA6}
∞ - Recovery Key:347578-144805-170128-170921-xxxxxxx-184321-229917-051564-128587-493711-367190-xxxxxxx-682683-335612-344600-352356
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx08.xxx
∞ - No Key retrieved, Validate TPM settings/config if its expected:
∞ - Mode: NONE
∞ - Require Executables Only From Installed VIBs: false
∞ - Require Secure Boot: false
∞
∞ Do u wish to export the results as csv (TPMKeysExport.csv)? write y and enter to export.: y
∞ Exporting TPMKeysExport.csv in the script directory.
√ All done.
An example for a fully configured cluster:
Figure 1: An example for a fully configured cluster:
Additional Information
- See VMware article, Securing ESXi Hosts with the Trusted Platform Module
- See VMware article, TPM Sealing Policies Overview
- See VMware article, List Content Keys for ESXi Security Configuration Recovery
Affected Products
VxRail Appliance Family, VxRail Appliance Series, VxRail G Series Nodes, VxRail D Series Nodes, VxRail D560, VxRail D560F, VxRail E Series Nodes, VxRail E460, VxRail E560, VxRail E560F, VxRail E560N, VxRail E660, VxRail E660F, VxRail E660N
, VxRail E665, VxRail E665F, VxRail E665N, VxRail G560, VxRail G560F, VxRail P Series Nodes, VxRail P470, VxRail P570, VxRail P570F, VxRail P580N, VxRail P670F, VxRail P670N, VxRail P675F, VxRail P675N, VxRail S Series Nodes, VxRail S470, VxRail S570, VxRail Software, VxRail V Series Nodes, VxRail V470, VxRail V570, VxRail V570F, VXRAIL V670F, VxRail VD-4510C, VxRail VD-4520C, VxRail VD Series Nodes, VxRail VE-660, VxRail VE-6615, VxRail VP-760, VxRail VP-7625
...
Attachments
Article Properties
Article Number: 000204006
Article Type: How To
Last Modified: 21 Nov 2025
Version: 9
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.