Information
ESXi hosts must not store encryption keys locally unless physical access to the hosts is secured. Key Persistence is a mechanism that uses the host's local Trusted Platform Module (TPM) to store Standard Key Provider keys that would otherwise be held only in an external Key Management System (KMS). While this setup simplifies the host's dependency on the KMS, it changes the encryption risk model: an attacker who steals the host also takes the encryption keys for the data on that host, bypassing the access controls of the external KMS. Key Persistence should therefore be used only where the physical security of the hosts is assured. If the hosts are not physically secure and an attacker can remove one, they gain the means to access and use the encrypted workloads on it.

Key Persistence and the Native Key Provider are often conflated because both keep encryption material on the host. However, the Native Key Provider does not use Key Persistence, so turning off Key Persistence does not affect it. Like Key Persistence, the Native Key Provider also requires careful consideration of physical security, as outlined in the 'design-8.native-key-provider' and 'design-8.hardware-physical-security' controls.
Solution
# Assumes a connected PowerCLI session and that $ESXi holds a VMHost object (e.g. from Get-VMHost).
$ESXcli = Get-EsxCli -VMHost $ESXi -V2
$arguments = $ESXcli.system.security.keypersistence.disable.CreateArgs()
# Also purge keys already persisted in the host's TPM, not just stop future persistence.
$arguments.removeallstoredkeys = $true
$ESXcli.system.security.keypersistence.disable.Invoke($arguments)
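An added audit-and-remediate helper that applies the Solution above across the whole inventory and only changes hosts where Key Persistence is actually enabled (example code, not from the control text or from VMware). It assumes a connected PowerCLI session, that `esxcli system security keypersistence get` returns an `Enabled` field, and the `-Remediate` switch and function name are my own.

```powershell
# Audit Key Persistence on every host matching $Pattern; disable it only when -Remediate is given.
function Test-KeyPersistence {
    param(
        [string]$Pattern = '*',
        [switch]$Remediate
    )
    foreach ($vmhost in Get-VMHost -Name $Pattern) {
        $esxcli = Get-EsxCli -VMHost $vmhost -V2
        try {
            # Assumption: the 'get' namespace reports an Enabled value of true/false.
            $state   = $esxcli.system.security.keypersistence.get.Invoke()
            $enabled = [bool]::Parse([string]$state.Enabled)
        } catch {
            # Builds without the keypersistence namespace cannot persist keys; report as unknown.
            $enabled = $null
        }

        $action = 'none'
        if ($enabled -eq $true -and $Remediate) {
            # Same remediation as the Solution block: stop persisting and wipe stored keys.
            $disableArgs = $esxcli.system.security.keypersistence.disable.CreateArgs()
            $disableArgs.removeallstoredkeys = $true
            $esxcli.system.security.keypersistence.disable.Invoke($disableArgs) | Out-Null
            $action = 'disabled'
        }

        [pscustomobject]@{
            Host      = $vmhost.Name
            Enabled   = $enabled
            Compliant = ($enabled -eq $false)
            Action    = $action
        }
    }
}

# Report only; add -Remediate to enforce the control on non-compliant hosts.
Test-KeyPersistence | Format-Table -AutoSize
```

After remediation the host obtains keys from the external KMS again, so confirm KMS reachability before running with `-Remediate` on hosts with encrypted workloads.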