Tags: ESXi agent access break glass home lab real stories
← Back to all posts
May 12, 2026 · 4 min read · Real World

I locked myself out of my hypervisor at 2am. My agent had the spare key.

It was 2am. I tried to log into the ESXi host that runs everything in my house. The password did not work. I checked my password manager twice. Still no. I sat there for a beat. Then I just texted my agent. Sixty seconds later I was back in. This is the story. The point: give your agents the keys you hope you will never need.

Charcoal sketch of a founder at a basement desk at 2am with a glowing server rack behind showing a red padlock icon, his phone glowing in deep purple in the foreground with a single message bubble drifting upward toward a small floating key, burnt sienna accent on the locked server screen

The host is the ESXi box in my basement. It runs the home network's key VMs. If I am locked out of it, I am locked out of half my own setup. The kind of lockout where you are doing math. Which cables to unplug. Which terminal to plug a keyboard into. How loud the server will be at 2am when your wife is asleep upstairs.

I had reset the password earlier in the day. I saved it. I tried it. It did not work. Maybe a paste went wrong. Maybe a special char got mangled between my password manager and the login prompt. The cause does not matter. The door I expected to open was closed.

So I opened Telegram and said, "fuck I locked myself out of my ESXi host, can you change the password for the root account for me? do you have that access?"

Why the answer was yes

Two weeks ago I made a small call that paid for itself last night. I made a second account on the ESXi host. It is not me. It is a service account named after one of my AI agents. It has admin role on the host. The account exists so the agent can spin up VMs and run them without me. That same account turned out to be the break-glass key I needed when my own login failed.

The reply came back fast. Yes, the agent had access. The agent checked auth was live. It found the API call for the change. It asked one question. Did I want to set the new password, or have the agent build a strong random one and send it back? I said build. Five seconds later there was a new password in my Telegram. The rotate had returned success. I was logging into the web UI.

Total time from "fuck I'm locked out" to "I'm in" was about ninety seconds. Most of that was me typing.

This is what break-glass access is for

In big-company security speak, this is called break-glass access. You set up a second high-trust account. You almost never use it. But it is there in case your main login fails. Banks have them. Hospitals have them. Most small shops do not. Because most small shops have no one whose job is to think about that case.

If your shop is small enough that you are the only one who can recover from a key lockout, you have a single point of failure. The point is you. Forget vacations. Forget a flu. Forget the fact that you might be on a flight when the lockout hits. The lockout will hit on the worst night. Most lockouts hit at 2am, after a long day.

What changed for me is that the second account does not have to be a second person. It can be your agent. Give it the access it needs. Scope it to the systems you want it to fix. It becomes the thing you reach for at 2am. Instead of two hours on the basement floor with a keyboard plugged into the wrong port.

The setup is twenty minutes

The version you can do tonight is small. Pick the most key system you run. Find the place where a second admin account would have saved you last time. Make that account. Hand it to your agent. Or to a trusted second person if you do not have an agent yet. Note where the login lives. Note how to rotate the main one using it.

That is it. No big build project. Twenty minutes of work. It is the kind of thing that does nothing for you ninety-nine days out of a hundred. On the hundredth day it saves your whole night.

The bigger thing this is part of

Every week my agents save me a block of time that would have been two to five hours of solo work. This week it was the host lockout. The other day it was the odd charge from Bangalore on my card. The agent traced it back to my own tool kit in thirty seconds. The day before that it was a stranger at my front door at 8pm. The agent pulled the doorbell clip. Read out the chat. Gave me the full read by the time my wife told me about it.

None of these are big events. They are the mid-friction problems that small business owners just absorb. Because there is nobody else to absorb them. Each one used to cost me half a night. Or most of an afternoon. Now they cost ninety seconds and a Telegram swap. The stack of that, across a year, is what real automation feels like.

It is not a robot taking your job. It is a digital co-worker who happens to be awake. Has the spare key. Knows the right command at 2am when you do not.

← Back to all posts