How to Enable Secure Boot in VMware ESXi


ESXi hosts sit at the bottom of your virtual infrastructure, so code that runs before the hypervisor, or that is loaded into it, can compromise every virtual machine above it. Protecting ESXi hosts from unauthorized boot-time and firmware-level code is therefore essential, and Secure Boot is one of the simplest controls you can turn on.

Secure Boot ensures that only trusted, digitally signed code is executed during the boot process, which greatly reduces the risk of bootkits, rootkits, and tampered drivers inserting themselves below or inside the ESXi hypervisor.

In this guide, we’ll walk you through enabling Secure Boot on ESXi, checking its status, and troubleshooting common issues.

What is Secure Boot in ESXi?

Secure Boot is a UEFI (Unified Extensible Firmware Interface) feature in which the firmware verifies the cryptographic signature of the bootloader before running it. ESXi extends that chain of trust: the signed bootloader verifies the ESXi kernel, and the kernel's Secure Boot verifier checks the signature of every installed VIB (vSphere Installation Bundle) before its files are used. If any VIB is unsigned, the host refuses to boot.

How Does Secure Boot Work in ESXi?

  1. UEFI Firmware Verification: The firmware checks that the ESXi bootloader is signed by a certificate in its trusted signature database (the ESXi bootloader is signed under the Microsoft UEFI CA that most servers ship with).
  2. ESXi Kernel and VIB Integrity Check: The bootloader verifies the kernel, and the kernel verifies the signature of every VIB, so only properly signed VMware and partner modules and drivers are loaded.
  3. Malware Prevention: Unsigned or modified boot components and VIBs are rejected, so code that was tampered with on disk cannot run at boot.

Benefits of Enabling Secure Boot in ESXi

  • Prevents Boot-Level Attacks: Blocks unauthorized kernel modules, bootkits, and rootkits that rely on modifying files on the boot media.
  • Ensures Kernel Integrity: Only signed VMware and partner drivers/modules (VIBs) are loaded.
  • Supports Security Standards: Measured and verified boot is a common control in security frameworks such as the CIS benchmarks, NIST guidance, and PCI DSS, so Secure Boot helps satisfy those requirements.
  • No Performance Impact: Signature verification happens once, at boot; Secure Boot does not slow down the running hypervisor.

Step 1: Check If Secure Boot Is Enabled on ESXi

Before enabling Secure Boot, check if it’s already active.

Method 1: Check Secure Boot Status via ESXi Shell

  1. SSH into the ESXi host (or use the ESXi Shell from the Direct Console User Interface, DCUI).
  2. Run the following command:

```bash
/usr/lib/vmware/secureboot/bin/secureBoot.py -s
```

  3. The command prints the current Secure Boot state:
    • Enabled → Secure Boot is active.
    • Disabled → Secure Boot is turned off.

Note that `esxcli system settings encryption get` does not report the firmware state; its `Require Secure Boot` field is a separate setting that tells ESXi to refuse to boot unless Secure Boot is on.

Method 2: Check Secure Boot in vSphere Client

  1. Open the vSphere Client.
  2. Navigate to Host > Configure > Security Profile.
  3. Under the Secure Boot section, check the status.

📌 If Secure Boot is disabled, proceed to the next steps to enable it.

Step 2: Enable Secure Boot in ESXi

Secure Boot requires UEFI firmware. If your server is using Legacy BIOS mode, you must switch to UEFI first.

1. Enable UEFI Boot Mode in BIOS

  1. Reboot the ESXi Host and enter the BIOS/UEFI settings (usually by pressing F2, Del, or Esc during startup).
  2. Navigate to the Boot Settings or Advanced Boot Options.
  3. Change Boot Mode from Legacy to UEFI.
  4. Save and Exit BIOS.

2. Enable Secure Boot in UEFI

  1. Re-enter the BIOS/UEFI settings.
  2. Find the Secure Boot option under Security or Boot Configuration.
  3. Set Secure Boot Mode to Enabled. Keep the factory-default (standard) key set: a custom key database that lacks the Microsoft UEFI CA will reject the ESXi bootloader.
  4. Save changes and reboot the ESXi host.

Step 3: Verify Secure Boot in ESXi After Enabling

After enabling Secure Boot, confirm that it is working correctly.

Check Secure Boot via ESXi Shell

  1. SSH into the ESXi host.
  2. Run:

```bash
/usr/lib/vmware/secureboot/bin/secureBoot.py -s
```

  3. The output should be `Enabled`.

Verify Secure Boot Using vSphere Client

  1. Open the vSphere Client.
  2. Go to Host > Configure > Security Profile.
  3. Check the Secure Boot status—it should say Enabled.

📌 If Secure Boot is still disabled, check the BIOS settings again and ensure UEFI mode is enabled.

Step 4: Troubleshooting Common Issues

If Secure Boot fails to enable, consider these fixes:

Issue 1: Secure Boot Option is Missing in BIOS

🔹 Fix: Update your server’s firmware to the latest version.

Issue 2: ESXi Fails to Boot After Enabling Secure Boot

🔹 Fix:

  • Ensure the host is booting in UEFI mode, not Legacy/CSM mode.
  • An unsigned VIB stops the boot with a purple diagnostic screen reporting that signature verification failed for the listed VIB(s). Temporarily disable Secure Boot, boot the host, run `/usr/lib/vmware/secureboot/bin/secureBoot.py -c` to list the offending VIBs, remove them or replace them with signed VMware- or partner-certified versions, and then re-enable Secure Boot. Hosts that were upgraded from older releases are the most common source of leftover unsigned VIBs.

Issue 3: Secure Boot is Enabled, but ESXi Still Shows It as Disabled

🔹 Fix:

  • Reboot the host, enter the BIOS again, and confirm the boot mode is UEFI (a host still booting through legacy/CSM reports Secure Boot as disabled regardless of the setting).
  • Disable and then re-enable Secure Boot, save, and reboot.

Step 5: Ensure All ESXi Components are Secure Boot Compatible

To prevent boot issues, make sure all drivers, modules, and VIBs (VMware Installation Bundles) are signed.

Check Installed VIBs for Secure Boot Compatibility

Run the built-in compatibility check, which verifies every installed VIB signature:

```bash
/usr/lib/vmware/secureboot/bin/secureBoot.py -c
```

It reports either that Secure Boot can be enabled (all VIB signatures verified) or lists the VIBs whose signatures cannot be verified. You can also inspect acceptance levels directly; VIBs at the CommunitySupported level are unsigned:

```bash
esxcli software vib list
```

If any unsigned VIBs are reported, replace them with signed versions or remove them.

Remove Unsigned VIBs

```bash
esxcli software vib remove -n VIB_NAME
```

Update ESXi to the Latest Version

Keeping ESXi updated ensures Secure Boot compatibility and patches known security vulnerabilities. The host needs outbound HTTPS to reach the depot, so enable the httpClient firewall rule first, list the available image profiles, and then apply the one you want:

```bash
esxcli network firewall ruleset set -e true -r httpClient
esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml --profile ESXi-8.x-XXXXXX
```

Reboot the host after the update completes.

Step 6: Enable TPM for Additional Security

For stronger security, enable Trusted Platform Module (TPM) alongside Secure Boot.

Enable TPM in BIOS

  1. Restart the ESXi host and enter the BIOS.
  2. Go to Security Settings.
  3. Enable TPM (Trusted Platform Module).
  4. Save and exit BIOS.

Check TPM Status in ESXi

Run:

```bash
esxcli hardware trustedboot get
```

The output contains a `Tpm Present` line; `Tpm Present: true` means ESXi has detected and can use the TPM. (The `Drtm Enabled` line refers to Intel TXT dynamic root of trust, which is separate from the TPM itself.)

🔹 Why Enable TPM?

  • The TPM records measurements of the boot chain and stores keys in tamper-resistant hardware.
  • ESXi uses the TPM to seal its encrypted configuration, so a copy of the boot media cannot be used to recover host secrets on other hardware.
  • TPM 2.0 is required for host attestation in vSphere (for example, vSphere Trust Authority), which lets vCenter verify that a host booted trusted software.
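The checks in Steps 1, 3, 5 and 6 are easy to combine into one readiness audit. The script below is an added example written for this article, not VMware code: it separates collecting the command output from parsing it, so the parsers can be exercised offline against the constructed sample output embedded in the script (the sample values, VIB names and versions are made up; the output shapes follow the documented `secureBoot.py -s`, `esxcli software vib list` and `esxcli hardware trustedboot get` formats). Run it with `--live` on a real host to audit the actual command output.

```shell
#!/bin/sh
# Secure Boot readiness audit for an ESXi host (added example, POSIX sh so it
# also runs under the busybox ash shell that ESXi provides).

SECUREBOOT_PY=/usr/lib/vmware/secureboot/bin/secureBoot.py

# --- Constructed sample output for the offline demo (not from a real host) ---
SAMPLE_SB_STATUS='Disabled'

SAMPLE_VIB_LIST='Name                 Version                          Vendor     Acceptance Level    Install Date
-------------------  -------------------------------  ---------  ------------------  ------------
esx-base             8.0.2-0.0.22380479               VMW        VMwareCertified     2024-01-15
net-community        1.2.0.0-1vmw.800.1.0.20613240    Example    CommunitySupported  2024-01-15
nvme-pcie            1.2.4.11-1vmw.800.1.0.20613240   VMW        VMwareCertified     2024-01-15
tools-light          12.3.0.22234872-22380479         VMW        VMwareCertified     2024-01-15'

SAMPLE_TPM='   Drtm Enabled: false
   Tpm Present: true'

# secureboot_enabled TEXT : succeeds if `secureBoot.py -s` output says Enabled.
secureboot_enabled() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "Enabled" ]
}

# unsigned_vibs TEXT : prints the names of VIBs at the CommunitySupported
# acceptance level (these carry no VMware/partner signature and block boot).
# Data rows are: Name Version Vendor AcceptanceLevel InstallDate; the first
# two lines are the header and the dashed separator.
unsigned_vibs() {
    printf '%s\n' "$1" | awk 'NR > 2 && $4 == "CommunitySupported" { print $1 }'
}

# tpm_present TEXT : succeeds if `esxcli hardware trustedboot get` reports a TPM.
tpm_present() {
    printf '%s\n' "$1" | grep -qi '^ *Tpm Present: *true'
}

# audit SB_TEXT VIB_TEXT TPM_TEXT : prints a report; returns 0 when Secure Boot
# is on and no unsigned VIBs are installed, 1 otherwise. A missing TPM is
# reported but does not fail the audit, since Secure Boot does not need one.
audit() {
    rc=0
    if secureboot_enabled "$1"; then
        echo "Secure Boot: Enabled"
    else
        echo "Secure Boot: Disabled"
        rc=1
    fi
    bad=$(unsigned_vibs "$2")
    if [ -n "$bad" ]; then
        echo "Unsigned (CommunitySupported) VIBs that will block Secure Boot:"
        for v in $bad; do echo "  $v"; done
        rc=1
    else
        echo "All installed VIBs are signed"
    fi
    if tpm_present "$3"; then
        echo "TPM: present"
    else
        echo "TPM: not present (host attestation unavailable)"
    fi
    return $rc
}

# collect_and_audit : run the real commands on the host and audit their output.
collect_and_audit() {
    sb=$("$SECUREBOOT_PY" -s 2>/dev/null)
    vibs=$(esxcli software vib list)
    tpm=$(esxcli hardware trustedboot get)
    audit "$sb" "$vibs" "$tpm"
}

if [ "${1:-}" = "--live" ]; then
    if collect_and_audit; then echo "RESULT: ready"; else echo "RESULT: not ready"; fi
else
    if audit "$SAMPLE_SB_STATUS" "$SAMPLE_VIB_LIST" "$SAMPLE_TPM"; then
        echo "RESULT: ready"
    else
        echo "RESULT: not ready"
    fi
fi
```

Against the sample data the audit reports Secure Boot disabled and flags `net-community`, so the result is "not ready"; once that VIB is removed and Secure Boot is enabled in the firmware, the same checks pass. Run the script before flipping the firmware setting, so an unsigned VIB is found here rather than on a purple screen at the next reboot.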

Conclusion

Enabling Secure Boot in VMware ESXi is one of the most effective ways to counter boot-level attacks on your virtual infrastructure. With the firmware, bootloader, kernel and every VIB verified against trusted signatures, rootkits, bootkits and other unauthorized modifications to the hypervisor's code cannot take hold at boot.

Quick Summary of Steps:

1: Review the current Secure Boot status.
2: Switch the firmware from Legacy BIOS to UEFI mode.
3: Enable Secure Boot in the UEFI menu.
4: Verify the Secure Boot status in ESXi.
5: Make sure only signed VIBs are installed and keep ESXi patched.
6: Enable the TPM.

By following this guide, your ESXi hosts will be more secure and compliant with modern cybersecurity best practices.

FAQs

1. Can I enable Secure Boot on an existing ESXi installation?

Yes. Switch the firmware to UEFI mode and enable Secure Boot. Before doing so, run `/usr/lib/vmware/secureboot/bin/secureBoot.py -c` on the host to confirm that every installed VIB is signed; otherwise the host will refuse to boot once Secure Boot is on.

2. Does Secure Boot impact ESXi performance?

No, Secure Boot does not affect ESXi performance—it only verifies the integrity of boot components.

3. Can I disable Secure Boot after enabling it?

Yes, you can disable Secure Boot at any time from the UEFI settings, although this weakens the host's protection. One caveat: if you have configured ESXi to require Secure Boot (`esxcli system settings encryption set --require-secure-boot=true`), the host will refuse to boot until Secure Boot is turned back on.

4. Does Secure Boot require a TPM module?

No. Secure Boot works without a TPM. A TPM 2.0 adds further benefits: ESXi uses it to seal its encrypted configuration to the hardware, and it is required for host attestation, which lets vCenter verify that a host booted trusted software.