→ Applies to: VMware ESXi 7.0.3P (19193900) and above

Starting from VMware ESXi 7.0.3P (19193900), the configuration is encrypted. If you need to extract and decrypt the configuration stored in state.tgz file, you must connect to the physical hardware where the configuration is stored.

You cannot perform the following steps on a machine different than the VMware one, because the encryption key is locally stored.

Step 1. Connect to ESXI via SSH as root

ssh root@<your_ip_address_or_hostname>

Step 2. Create a new temporary folder

mkdir -p /tmp/state

Step 3. Extract the compressed configuration archive

tar x -f /bootbank/state.tgz -C /tmp/state

Step 4. Identify the encryption keyID (KEY_ID)

KEY_ID=`crypto-util envelope describe local.tgz.ve 2>&1 | grep keyID | awk -F "'" '{print $2}'`

Step 5. Decrypt the archive

crypto-util envelope extract --aad ESXConfiguration /tmp/state/local.tgz.ve /tmp/state/local.tgz

Step 6. Create an additional temporary folder

mkdir /tmp/state/local

Step 7. Extract files

tar x -f /tmp/state/local.tgz -C /tmp/state/local

The configuration will be extracted within "/tmp/state/local" folder.