Gathering core dump files when encryption is enabled

One of the key new features of vSphere 6.5 is vSphere VM Encryption, a mechanism to encrypt all virtual machine files. This mechanism not only encrypts the VMDK, but also the metadata files and core dumps associated with a VM. Now, there would not be much point in sending an encrypted core dump file to VMware for analysis, so a mechanism has been put in place to allow these files to be recrypted using a password before sending them to VMware. The password can then be shared with VMware to allow us to examine the core dumps.  This is how you would do it.

vm-support

Let’s begin with a simple vm-support. On an ESXi 6.5 host that has encryption enabled, you will see the following when trying to gather a log bundle from the commands line:

root@esxi-dell-e:~] vm-support 
WARNING:root:Command did not succeed because encryption mode was enabled for the host, but the vm-support incident key is missing.
To collect useful coredumps, perform these tasks:
1. Generate a vm-support incident key by running:
crypto-util keys vm-support —password prolog
2. Run vm-support:
vm-support [options]
3. Perform cleanup:
crypto-util keys vm-support epilog

[root@esxi-dell-e:~]

The instructions here are quite straight forward. They are listed in the output and are also covered in KB article 2147388. This process now includes a file – vm-support-incident-key – in the top most level of the vm-support log bundle. This file contains the “incident key” which is encrypted/wrapped via the specified password. Any core dumps that are found encrypted by the vm-support, will be recrypted/rekeyed with the “incident key”. Encrypted core dumps in the host support bundle that were recrypted/rekeyed can be now be decrypted anywhere that the crypto-util is accessible (such as inside VMware) so long as the password is known.

Export ESXi host logs from web client

One can also provide a password for this recryption of core dumps via the web client. When gathering logs from a single ESXi host, the password prompt will appear on the wizard pop up screen:

Export VC and ESXi host logs from web client

And of course the same step is available when exporting logs from VC, and you are  including multiple ESXi host logs as well. In this case, you must first select the ESXi hosts that you wish to gather the logs from, click next and then set the password on the “Select logs” window pop up:

Something to keep in mind when you have encryption enabled, and you need to send logs to VMware technical support.

2 Replies to “Gathering core dump files when encryption is enabled”

  1. Hi,
    Which type of encryption is used and what is the bit length?
    Thanks for your update.
    ~ andreas

Comments are closed.