
ESXi's IPsec commands require the encryption/integrity keys to be entered in plaintext on the command line. This is not recommended security practice. The command line history is even logged to /var/log/shell.log.

So how can I hide the keys?

$ esxcli network ip ipsec sa add --help
Usage: esxcli network ip ipsec sa add [cmd options]

Description:
  add                   Add a Security Association.

Cmd options:
  -e|--encryption-algorithm=<str>
                        Encryption algorithm for the Security Association. Should be one
                        in set [null, 3des-cbc, aes128-cbc]. (required)
  -k|--encryption-key=<str>
                        Encryption key(ASCII or hex). Length of hex key is dependent upon
                        algorithm used. Required when a encryption algorithm has been
                        specified.
  -i|--integrity-algorithm=<str>
                        Integrity algorithm for the Security Association. Should be one in
                        set [hmac-sha1, hmac-sha2-256]. (required)
  -K|--integrity-key=<str>
                        Integrity key(ASCII or hex). Length of hex key is dependent upon
                        algorithm used. (required)
  -d|--sa-destination=<str>
                        Ipv6 address of Security Association destination. Can be specified
  [...]
SF.express
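Since the question notes that these keys end up in /var/log/shell.log, a defender's first step is to find out which logged commands actually exposed one. The following is an added example, not part of the question and not VMware's own tooling: a POSIX sh scan over constructed shell.log-style lines (the timestamp/prefix format of the sample lines is an assumption, as are the placeholder key values) that flags esxcli ipsec sa add commands carrying -k/-K keys and prints them with the key values redacted, so the hits can be reviewed or forwarded without copying the secret again.

```shell
#!/bin/sh
# Added example (not from the original question): scan a shell.log-style file
# for esxcli IPsec SA commands that carried keys on the command line, print
# each hit with the key values redacted, and report how many were found.
# The line prefix below is constructed to resemble ESXi's shell.log; adjust the
# grep pattern if your log lines differ.

# Constructed sample log (placeholder keys, not real values).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2024-01-01T10:00:01Z shell[12345]: [root]: esxcli network ip ipsec sa list
2024-01-01T10:00:05Z shell[12345]: [root]: esxcli network ip ipsec sa add -e aes128-cbc -k 0x000102030405060708090a0b0c0d0e0f -i hmac-sha1 -K placeholder-integrity-key -d fd00::2
2024-01-01T10:00:09Z shell[12345]: [root]: esxcli network ip ipsec sa add --encryption-algorithm=null --integrity-algorithm=hmac-sha2-256 --integrity-key=0x0011223344 --sa-destination=fd00::3
2024-01-01T10:00:12Z shell[12345]: [root]: esxcli network ip ipsec sa remove -d fd00::2
EOF

# Print every "ipsec sa add" line that passed a key on the command line,
# with the key value (the argument after -k/-K/--encryption-key/--integrity-key)
# replaced by [REDACTED]. The separator (space or "=") is preserved.
redact_ipsec_keys() {
    grep 'esxcli network ip ipsec sa add' "$1" \
      | grep -E -- '(-k|-K|--encryption-key|--integrity-key)[ =]' \
      | sed -E 's/(-k|-K|--encryption-key|--integrity-key)([ =])[^ ]+/\1\2[REDACTED]/g'
}

# Number of logged commands that exposed at least one key.
count_exposed_ipsec_keys() {
    redact_ipsec_keys "$1" | wc -l | tr -d ' '
}

# Stand-alone run: show the redacted hits and the total.
redact_ipsec_keys "$SAMPLE_LOG"
echo "exposed key commands: $(count_exposed_ipsec_keys "$SAMPLE_LOG")"
```

Point the functions at the real /var/log/shell.log (and its rotated copies) to review what has already been recorded; the redacted output is safe to paste into a ticket.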