How to recover a forgotten root password in ESXi 7.x and ESXi 8.x

If you forget the root password for ESXi, VMware recommends that you reinstall ESXi. In small environments that do not have automated rollouts and central profiles, you will need to configure everything manually. Alternatively, you can use an unofficial method to reset the password. If you are managing ESXi through vCenter, you can reset the password using a privileged account in vCenter. Also, having the ESXi host as a member of an AD domain can be a big help. If these options are not available, you cannot reset the password of a standalone host because the system stores the password hash in an encrypted configuration file that cannot be decrypted without root access. For this reason, the old method of booting the host from Linux and directly editing the configuration file no longer works after ESXi 6.x.

Alternative solution using virtual hosting

The method here involves setting up a second (virtual) host and transferring the key from the main host to it. This allows you to extract the configuration and change the password hash in the SQLite database. To do this, you need to mount the boot media of both the physical and virtual hosts externally, as you cannot overwrite the configuration file while the system is running and the system will reject the changes on the next boot. A Linux system is suitable for accessing the ESXi configuration; using a live CD is the easiest way.

Installing a virtual ESXi

To edit the ESXi configuration of a physical host, you need another ESXi host with the exact same version for which you have not forgotten the password.

Create a new virtual machine, select Other as the guest operating system, and select the ESXi version you want to install.

Then go to the Customize Settings page, in the Virtual Hardware => CPU section, enable the Expose hardware-assisted virtualization to the guest OS option.

Finally, mount the ESXi installation ISO file as a DVD drive and enable the Connect at power on option. You must first upload this file to the ESXi host via Storage => Datastore Browser => Upload.

Taking a backup of state.tgz

The next step is to backup the state.tgz file on the physical host. This file stores persistent configuration data that the host needs to restore its state on the next boot.

This file contains the hash of the forgotten password and the key used to encrypt the local.tgz file inside it.

If you booted the host from USB (not recommended by VMware), disconnect it and connect it to a Windows computer. If the host boots from the internal disk, boot it into a Linux environment via the external drive and mount partition 6, which is formatted FAT, to /mnt, for example:
mount /dev/sdb6 /mnt

Then the file /mnt/bootbank/state.tgz to a local disk (if writable) or to a network drive using standard Linux tools such as SCP-1811 Or ftp Copy. It is also recommended to make a backup copy of this file.

Copy state.tgz to virtual ESXi

Next, copy the backup file to the directory /tmp Migrate the virtual ESXi host, for example with SCP-1811. If the file is on a Windows computer, the command might look like this:

scp "C:\temp\state.tgz" [email protected]:/tmp/state.tgz

tar -zxvf state.tgz

cp /bootbank/state.tgz /tmp/state.tgz
cd /tmp
tar -xzf state.tgz
rm state.tgz
vmtar -x local.tgz -o local.tar
tar -xf local.tar
rm local.tar
cp /tmp/encryption.info etc/vmware/
vmtar -c local.tar etc/vmware -o local.tgz
mv local.tgz state-mod.tgz

scp [email protected]:/tmp/state-mod.tgz "C:\temp\state-mod.tgz"

fdisk -l

scp "C:\temp\state-mod.tgz" [email protected]:/home/thomas/state-mod.tgz

sudo su
mkdir -p /bootbank1
mkdir -p /bootbank2
mount /dev/sdc5 /bootbank1
mount /dev/sdc6 /bootbank2
cp /home/thomas/state-mod.tgz /bootbank1/state.tgz
cp /home/thomas/state-mod.tgz /bootbank2/state.tgz
umount /bootbank1
umount /bootbank2

cd /tmp
cp /bootbank/state.tgz ./
tar -xzf state.tgz
rm state.tgz
vmtar -x local.tgz.ve -o local.tgz

tar -zxvf local.tgz

/tmp/var/lib/vmware/configstore/backup/current-store-1

/usr/lib/vmware/sqlite/bin/sqlite3 /tmp/var/lib/vmware/configstore/backup/current-store-1 "select * from config where Component='esx' and ConfigGroup = 'authentication' and Name = 'user_accounts' and Identifier = 'root'"

openssl passwd -6

/usr/lib/vmware/sqlite/bin/sqlite3 /tmp/var/lib/vmware/configstore/backup/current-store-1 "update config set UserValue='"name":"root","password_hash":"$6$s6ic82Ik$ER28x38x.1umtnQ99Hx9z0ZBOHBEuPYneedI1ekK2cwe/jIpjDcBNUHWHw0LwuRYJWhL3L2ORX3I5wFxKmyki1","description":"Administrator"' where Component='esx' and ConfigGroup = 'authentication' and Name = 'user_accounts' and Identifier = 'root'"

vmtar -c etc .ssh var -o local.tgz
vmtar -c local.tgz -o local.tgz.ve
tar -czf state-recover.tgz local.tgz.ve

sudo su
mkdir -p /bootbank1
mkdir -p /bootbank2
mount /dev/sdb5 /bootbank1
mount /dev/sdb6 /bootbank2
cp /root/state-recover.tgz /bootbank1/state.tgz
cp /root/state-recover.tgz /bootbank2/state.tgz
umount /bootbank1
umount /bootbank2