Troubleshooting

Key Generation Error During Encryption

If vSphere Virtual Machine encryption or VMware vSAN encryption fails with the error "Cannot generate key", check the following:

  • The HyTrust KeyControl appliance must be powered on and operational. To verify this, log into the appliance using the KeyControl webGUI.
  • The HyTrust KMIP server must be enabled as described in Configuring a KMIP Server.
  • The KeyControl nodes must be able to communicate with one another. Make sure the server status is not shown as Degraded in the KeyControl webGUI.
  • The KMIP client certificate and private key must be valid and current. You can verify the certificate status in the KeyControl webGUI on the KMIP Servers Users tab or in the vCenter Web Client on the KMS tab. For details about creating a new certificate and key, see Establishing a Trusted Connection with a vSphere-Generated CSR or Establishing a Trusted Connection with a KeyControl-Generated CSR.
  • If the vCenter Web Client reports that the KMIP connection status is Normal (green) but encryption fails, the KMS cluster could have been added with a user name and password. To verify this:
    1. Check the HyTrust DataControl Audit log for the message "KMIP response rate OperationFailed DENIED".
    2. If you find that message, edit the properties of the HyTrust KMS cluster in the vCenter Web Client and remove any user name or password.
  • If the KeyControl cluster is functioning properly and the certificates are valid but the vCenter Web Client reports that the HyTrust KMS is not connected, log into the vCenter Web Client and navigate to the KMS tab. Select the HyTrust KMS, then select All Actions > Refresh KMS certificate.

    If that does not work, you may need to remove the KMS instance and re-add it to vCenter in order to restore the trusted connection. Select the HyTrust KMS in the vSphere Web Client and select All Actions > Remove KMS. Then add the KMS back as described in Creating the KMS Cluster in vSphere.

  • If everything shows as connected but encryption still fails, use the vCenter Web Client to verify that encryption is enabled for the ESXi host using ESXi-server-name > Configure > Security Profile > Host Encryption Mode.
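The certificate check in the list above can also be done locally on an exported copy of the KMIP client certificate and private key, before touching the KeyControl webGUI or the vCenter KMS tab. The script below is an added example written for this page; it is not HyTrust or VMware code. It assumes the PEM files have been exported to local paths and that the openssl command-line tool is available; the self-signed pair it generates under make_test_material is constructed test data only, so the checks can be exercised offline.

```shell
#!/bin/sh
# Added example (not HyTrust or VMware code): local sanity checks on the KMIP
# client certificate and private key that vCenter presents to KeyControl.
# Assumed inputs: PEM files exported from vCenter/KeyControl to local paths.
set -u

# cert_not_expiring_within CERT SECONDS
# Returns 0 if the certificate is still valid for at least SECONDS more
# seconds (i.e. it is "current"), 1 if it has expired or expires sooner.
cert_not_expiring_within() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# key_matches_cert CERT KEY
# Returns 0 only if the public half of the private key is byte-for-byte the
# public key embedded in the certificate. A mismatched pair is a common cause
# of a TLS handshake that looks "configured" but never authenticates.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# check_kmip_client_identity CERT KEY
# Prints a verdict for each check; returns 0 only if both pass.
check_kmip_client_identity() {
  rc=0
  if cert_not_expiring_within "$1" 2592000; then   # 2592000 s = 30 days
    echo "OK: certificate valid for at least 30 more days"
  else
    echo "WARN: certificate expired or expires within 30 days"; rc=1
  fi
  if key_matches_cert "$1" "$2"; then
    echo "OK: private key matches certificate"
  else
    echo "FAIL: private key does not match certificate"; rc=1
  fi
  return $rc
}

# make_test_material
# Constructed test data: a throwaway self-signed pair valid for one year plus
# an unrelated second key. Prints the directory holding cert.pem, key.pem and
# other.pem. Never use these files with a real KMS.
make_test_material() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=kmip-client-test" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/other.pem" >/dev/null 2>&1
  echo "$dir"
}

# Stand-alone usage: check an exported pair, or fall back to the test data.
if [ "${1:-}" ] && [ "${2:-}" ]; then
  check_kmip_client_identity "$1" "$2"
else
  d=$(make_test_material)
  check_kmip_client_identity "$d/cert.pem" "$d/key.pem"
fi
```

Run it as `sh check_kmip_identity.sh client-cert.pem client-key.pem`; a non-zero exit means the pair should be regenerated using one of the CSR procedures referenced above, because neither a KMS refresh nor a remove/re-add will repair an expired certificate or a key that does not belong to it.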

Certificate Update Errors

If you try to update the KMS certificate for a KeyControl KMIP Server and vSphere responds with the error message:

The "Update KMS Certificate" operation failed for the entity with the following error message.

Database temporarily unavailable or has network problems.

There may be too many certificates for that HyTrust KMS in the database. Use the PSC Certificate Store to remove any stale certificates for the KMIP server. For details, see your vSphere documentation.