NSX-T backup restore fails with bad passphrase error

Article ID: 322452

Updated On:

Products

VMware NSX Networking

Issue/Introduction

Symptoms:
  • You have updated NSX-T from 2.3 to 2.4 or above some time in the past and have had other subsequent upgrades.
  • You use a weak passphrase, that is, one which is less than 8 characters, with no numbers, no upper case or special characters.
  • If you need to restore the backup taken with a weak passphrase, this fails with passphrase error:
Restore process failed. 'Cluster' restore failure, possibly, due to a bad passphrase
  • In the NSX-T manager /var/log/syslog you can see the following error:
2021-09-21T09:23:00.293Z nsxt1.local.net NSX 5969 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="manager"] UserName:'admin' ModuleName:'common-services' Operation:'PUT@/api/v1/cluster/backups/config' Operation status: 'failure' Error: Field level validation errors: {passphrase is too weak. It must be at least 8 characters long and contain at least one each: lowercase, uppercase, numeric character and special character.}


Environment

VMware NSX-T Data Center

Cause

  • In versions of NSX-T prior to 2.4, the passphrase could be weak.
  • During subsequent upgrades the passphrase was never changed to be a strong passphrase.
  • Upgrades do not validate if the passphrase is strong.
  • Backups will continue to use the old weak passphrase.
  • If you need to restore a backup created with a newer version of NSX-T (2.4 onwards), the appliance requires a strong passphrase when configuring backups, but the backup was created using the weak passphrase.
  • Note: as part of the restore process, you must deploy a new NSX-T appliance in the required version (the same as the backup) and configure the backup settings before you can do the restore.
  • Therefore you are unable to restore a backup created in a newer version and encrypted with a weak passphrase.

Resolution

Currently, there is no resolution.

Workaround:
Prior to upgrades, please check that the passphrase used is strong. If unsure, change it to a strong passphrase and create a backup.
The passphrase specified must be at least 8 characters in length and must contain at least one lowercase, one uppercase, one numeric character and one special character (any other non-space character).
If you read this article and you are unsure whether you are affected, please change the passphrase and make sure you are using a strong passphrase.
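
A pre-upgrade check for the workaround above, as an added example that is not VMware's code: it tests a passphrase against the policy stated in this article and finds the rejection shown in the syslog excerpt. The function names, the regular expression and the ASCII reading of "special character" are assumptions made for this example.

```python
import getpass
import re
import string

MIN_LENGTH = 8  # from the policy stated in this article
ALNUM = string.ascii_letters + string.digits

def policy_failures(passphrase):
    """Return the names of the policy rules the passphrase does not meet."""
    checks = {
        "length": len(passphrase) >= MIN_LENGTH,
        "lowercase": any(c in string.ascii_lowercase for c in passphrase),
        "uppercase": any(c in string.ascii_uppercase for c in passphrase),
        "numeric": any(c in string.digits for c in passphrase),
        # Assumption: "special" = not an ASCII letter or digit, and not whitespace.
        "special": any(c not in ALNUM and not c.isspace() for c in passphrase),
    }
    return [rule for rule, ok in checks.items() if not ok]

# Signature of the rejection shown in the article's syslog excerpt.
WEAK_RE = re.compile(
    r"^(?P<ts>\S+)\s.*UserName:'(?P<user>[^']*)'.*"
    r"PUT@/api/v1/cluster/backups/config.*passphrase is too weak"
)

def weak_passphrase_events(lines):
    """Return (timestamp, user) for each rejected backup configuration."""
    matches = (WEAK_RE.search(line) for line in lines)
    return [(m.group("ts"), m.group("user")) for m in matches if m]

# Constructed sample: the first line is shortened from the article's excerpt,
# the second is a made-up non-matching line in the same layout.
SAMPLE_LINES = [
    "2021-09-21T09:23:00.293Z nsxt1.local.net NSX 5969 SYSTEM [nsx@6876 "
    "audit=\"true\"] UserName:'admin' ModuleName:'common-services' "
    "Operation:'PUT@/api/v1/cluster/backups/config' Operation status: "
    "'failure' Error: Field level validation errors: {passphrase is too weak.}",
    "2021-09-21T09:30:00.000Z nsxt1.local.net NSX 5969 SYSTEM [nsx@6876 "
    "audit=\"true\"] UserName:'admin' ModuleName:'common-services' "
    "Operation:'PUT@/api/v1/cluster/backups/config' Operation status: 'success'",
]

if __name__ == "__main__":
    # Prompt rather than use argv so the passphrase stays out of shell history.
    failed = policy_failures(getpass.getpass("Backup passphrase to check: "))
    print("strong" if not failed else "weak, fails: " + ", ".join(failed))
    # On a manager, pass open("/var/log/syslog") instead of SAMPLE_LINES.
    for ts, user in weak_passphrase_events(SAMPLE_LINES):
        print(f"{ts}: backup configuration rejected for user {user}")
```

A passphrase whose only non-alphanumeric character is a space is reported as failing the "special" rule, matching the article's wording "any other non-space character".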