Tags: ESXi agent access break glass home lab real stories
← Back to all posts
May 12, 2026 · 4 min read · Real World

I locked myself out of my hypervisor at 2am. My agent had the spare key.

It was 2am. I tried to log into the ESXi host that runs everything important in my house. The password didn't work. I checked my password manager twice. Still no. I sat there for a second and then I just texted my agent. Sixty seconds later I was back in. This is the story, but more importantly, it's the case for giving your agents the keys you hope you will never need.

Charcoal sketch of a founder at a basement desk at 2am with a glowing server rack behind showing a red padlock icon, his phone glowing in deep purple in the foreground with a single message bubble drifting upward toward a small floating key, burnt sienna accent on the locked server screen

The host is the ESXi box in my basement. It runs the home network's important VMs. If I am locked out of it, I am locked out of half of my own infrastructure. The kind of lockout where you are calculating which cables to unplug, which terminal to plug a keyboard into, and how loud the server is going to be at 2am when your wife is asleep upstairs.

I had reset the password earlier in the day. I saved it. I tried it. It did not work. Maybe a paste went wrong. Maybe one of the special characters got mangled between my password manager and the login prompt. The actual cause does not matter. What matters is that the door I expected to open was closed.

So I opened Telegram and said, "fuck I locked myself out of my ESXi host, can you change the password for the root account for me? do you have that access?"

Why the answer was yes

Two weeks ago I made a small decision that paid for itself last night. I provisioned a second account on the ESXi host. It is not me. It is a service account named after one of my AI agents, and it has Administrator role on the host. The account exists so that the agent can spin up VMs and manage them without me being in the loop. That same account turned out to be exactly the break-glass access I needed when my own credential failed.

The reply came back immediately. Yes, the agent had access. The agent verified auth was live, confirmed the API endpoint for the change, and asked one question. Did I want to supply the new password, or have the agent generate a strong random one and send it back. I said generate. Five seconds later there was a new password in my Telegram, the rotation had returned success, and I was logging into the web UI.

Total time from "fuck I'm locked out" to "I'm in" was about ninety seconds. Most of that was me typing.

This is what break-glass access is for

In big-company security language, this is called break-glass access. You set up a second high-privilege account, you almost never use it, but it is there in case the primary credential fails. Banks have them. Hospitals have them. Most small businesses do not, because most small businesses do not have anybody whose job it is to think about that scenario.

If your business is small enough that you are the only person who can recover from a critical lockout, you have a single point of failure problem, and the single point is you. Forget vacations. Forget a flu. Forget the fact that you might be on a flight when the lockout happens. The lockout will happen on the worst possible night, because most lockouts happen at 2am after you have already had a long day.

What changed for me is that the second account does not have to be a second person. It can be your agent. Give it the access it needs, scoped to the systems you want it to recover, and it becomes the thing you reach for at 2am when you would have otherwise spent the next two hours on the floor of your basement with a keyboard plugged into the wrong port.

The setup is twenty minutes

The version of this you can do tonight is small. Pick the most important system you administer. Identify the place where a second admin account would have saved you the last time something went wrong. Create that account. Hand it to your agent or to a trusted second person if you do not have an agent yet. Document where the credential lives and how to rotate the primary using it.

That is it. There is no big architecture project. Twenty minutes of work. It is the kind of thing that does nothing for you ninety-nine days out of a hundred, and on the hundredth day it saves your entire night.

The bigger thing this is part of

Every week my agents save me a chunk of time that would have been two to five hours of figuring something out alone. This week it was the hypervisor lockout. The other day it was the unfamiliar charge from Bangalore on my card that the agent traced back to my own toolbox in thirty seconds. The day before that it was a stranger at my front door at 8pm and the agent had pulled the doorbell footage, transcribed the conversation, and given me the full report by the time my wife told me about it.

None of these are catastrophes. They are the medium-friction problems that small business owners absorb without thinking, because there is nobody else to absorb them. Each one used to cost me half a night or most of an afternoon. Now they cost ninety seconds and a Telegram exchange. The compounding of that, across a year, is what real automation actually feels like.

It is not a robot taking your job. It is a digital colleague who happens to be awake, has the spare key, and remembers what the right command is at 2am when you do not.

← Back to all posts