Dell VxRail: How to collect the recovery keys of VxRail nodes with TPM security enabled
Summary: This article describes how to collect the recovery keys of VxRail nodes that were initialized with a TPM, together with their Secure Boot options. This information must be exported securely to a location outside the VxRail system for every TPM-enabled system, because the keys may be needed during service activities such as a system board replacement.
Instructions
There are several ways to collect the TPM recovery keys; the following are a few recommendations. Do this proactively, either at system installation time (once the TPM is enabled) or before a planned part replacement.
The overall official reference is the VMware documentation on listing the contents of the Secure ESXi configuration recovery key: List the Secure ESXi Configuration Recovery Key. On a TPM-enabled host the key can be read from the ESXi Shell or an SSH session, as in the following example:
[root@host1] esxcli system settings encryption recovery list
Recovery ID                             Key
--------------------------------------  ---
{2DDD5424-7F3F-406A-8DA8-D62630F6C8BC}  478269-039194-473926-430939-686855-231401-642208-184477-602511-225586-551660-586542-338394-092578-687140-267425

As an alternative for collecting and exporting the TPM recovery keys of a large cluster with PowerCLI, the attached script can be used; its usage is shown in the example below.
Save the zip, extract the script, and run it from a PowerShell/PowerCLI prompt with the following options:
- The -vcenter parameter is required and must be the IP address or FQDN of the vCenter Server.
- The -vcuser parameter is required and should be an administrator-level user.
- The -vcpassword parameter is optional; if it is not supplied, the script prompts for the password. Prompting is the more secure option, because a password passed on the command line is recorded in the PowerShell command history; supplying it inline only makes repeated test runs easier (as in the lab where the output below was captured).
Note: there is no way to retrieve the key from a host that is already offline. This is a proactive tool, to be run while all hosts are online and connected.
PS C:\powercli> .\GetTPMRecoveryKeys.ps1 -vcenter *.*.*.* -vcuser administrator@vsphere.local -vcpassword *****
∞ Connecting to provided vCenter x.x.x.x
∞
√ Connected to:
√
√ VCName VCVersion
√ ------ ---------
√ x.x.x.x 7.0.2
√
√
∞ - RDC
∞
∞ - cl01
∞ - esx01.rdc
∞ - Recovery ID:{xxxxxxx-9E3B-42A7-xxxxxxx-E4C180E8BACA}
∞ - Recovery Key:193974-212191-679120-487809-200490-163047-653307-xxxxxxx-044591-621531-432739-xxxxxxx-174648-394385-669925-174640
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx02.rdc
∞ - Recovery ID:{xxxxxxx-3DB9-4F8C-xxxxxxx-EC91E9782290}
∞ - Recovery Key:293832-328901-118681-432237-492188-375446-689739-076446-xxxxxxx-330911-097690-348733-350329-xxxxxxx-619754-501857
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx03.rdc
∞ - Recovery ID:{xxxxxxx-B4E4-4B1A-xxxxxxx-F71DBB81B6E7}
∞ - Recovery Key:430023-424502-371384-341740-xxxxxxx-709307-578925-153259-682162-231900-583516-122672-xxxxxxx-304009-275146-701353
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx04.rdc
∞ - Recovery ID:{xxxxxxx-5420-4CCE-xxxxxxx-F5DDBDB06889}
∞ - Recovery Key:167431-630730-230210-359626-580397-199776-xxxxxxx-577309-191925-221351-191861-xxxxxxx-622205-047984-206484-018858
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx05.rdc
∞ - No Key retrieved, Validate TPM settings/config if its expected:
∞ - Mode: NONE
∞ - Require Executables Only From Installed VIBs: false
∞ - Require Secure Boot: false
∞ - esx06.rdc
∞ - No Key retrieved, Validate TPM settings/config if its expected:
∞ - Mode: NONE
∞ - Require Executables Only From Installed VIBs: false
∞ - Require Secure Boot: false
∞ - esx07.rdc
∞ - Recovery ID:{xxxxxxx-E916-41DE-xxxxxxx-0EFA439CAAA6}
∞ - Recovery Key:347578-144805-170128-170921-xxxxxxx-184321-229917-051564-128587-493711-367190-xxxxxxx-682683-335612-344600-352356
∞ - Mode: TPM
∞ - Require Executables Only From Installed VIBs: true
∞ - Require Secure Boot: true
∞ - esx08.rdc
∞ - No Key retrieved, Validate TPM settings/config if its expected:
∞ - Mode: NONE
∞ - Require Executables Only From Installed VIBs: false
∞ - Require Secure Boot: false
∞
∞ Do u wish to export the results as csv (TPMKeysExport.csv)? write y and enter to export.: y
∞ Exporting TPMKeysExport.csv in the script directory.
√ All done.
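The following PowerCLI script is an added example written for this article; it is not the attached GetTPMRecoveryKeys.ps1 and not VMware code. It collects the same data shown in the esxcli and script output above (recovery ID, recovery key, encryption mode, Secure Boot and VIB requirements) for every connected host in a vCenter and writes TPMKeysExport.csv. It assumes VMware PowerCLI is installed, that the vCenter name is passed as a parameter, and that the objects returned by the esxcli v2 interface expose the properties RecoveryID, Key, Mode, RequireSecureBoot and RequireExecutablesOnlyFromInstalledVIBs (property names are assumptions derived from the esxcli field labels).

```powershell
# Added example (not Dell's attached script, not VMware code): export the
# TPM-sealed ESXi configuration recovery keys of every host in a vCenter.
# Assumptions: PowerCLI is installed; the vCenter name is a parameter; the
# esxcli v2 property names below match the esxcli field labels.
param(
    [Parameter(Mandatory)][string]$VCenter,
    [string]$OutFile = '.\TPMKeysExport.csv'
)

# Prompt for the credential instead of taking a -vcpassword argument, so the
# password is never written to the PowerShell command history.
$cred = Get-Credential -Message "vCenter administrator for $VCenter"
Connect-VIServer -Server $VCenter -Credential $cred -ErrorAction Stop | Out-Null

$rows = foreach ($vmhost in Get-VMHost | Sort-Object Name) {
    # Keys can only be read from a running, connected host (see the note above).
    if ($vmhost.ConnectionState -ne 'Connected') {
        Write-Warning "$($vmhost.Name) is $($vmhost.ConnectionState); skipping, key cannot be read offline"
        continue
    }

    # Same namespaces as 'esxcli system settings encryption ...' on the host.
    $esxcli   = Get-EsxCli -VMHost $vmhost -V2
    $settings = $esxcli.system.settings.encryption.get.Invoke()
    $recovery = $esxcli.system.settings.encryption.recovery.list.Invoke() | Select-Object -First 1

    [pscustomobject]@{
        Host              = $vmhost.Name
        Cluster           = $vmhost.Parent.Name
        Mode              = $settings.Mode                                    # TPM or NONE
        RequireSecureBoot = $settings.RequireSecureBoot
        ExecOnlyFromVIBs  = $settings.RequireExecutablesOnlyFromInstalledVIBs
        RecoveryID        = $recovery.RecoveryID                              # assumed property name
        RecoveryKey       = $recovery.Key                                     # assumed property name
    }
}

# Mode NONE means the configuration is not TPM-sealed: nothing to recover,
# but also nothing protecting the host configuration. Flag it for review.
$rows | Where-Object { -not $_.RecoveryKey } | ForEach-Object {
    Write-Warning "$($_.Host): no recovery key (Mode=$($_.Mode)); validate the TPM settings if a key was expected"
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Exported $(@($rows).Count) hosts to $OutFile"
Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it as .\Get-TpmRecoveryKeys.ps1 -VCenter vcenter.example.com (the script name and address are placeholders). The resulting CSV contains material that unlocks the ESXi configuration of every listed host, so treat it like a root password: move it off the cluster into an encrypted store or vault immediately and delete the local copy, as the summary of this article requires.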
Figure 1: Example of a fully configured cluster.
Additional Information
- See the VMware article Securing ESXi Hosts with Trusted Platform Module
- See the VMware article TPM Sealing Policy Overview
- See the VMware article List the Contents of the Secure ESXi Configuration Recovery Key
Affected Products
VxRail Appliance Family
Products
VxRail Appliance Series, VxRail Software
Article Properties
Article Number: 000204006
Article Type: How To
Last Modified: 21 Nov 2025
Version: 9