You can generate new Key Encryption Keys (KEKs) for your VMware Cloud on AWS cluster if needed.

This process is known as performing a shallow rekey: only the KEKs are replaced, and the existing DEKs are re-wrapped under the new KEKs. Changing the CMK or DEKs (a deep rekey) is not supported. If you must change the CMK or DEKs, create a new cluster and migrate your VMs and data to it.

Procedure

  1. Log in to the vSphere Client for your cloud SDDC.
  2. Navigate to the vSAN cluster.
  3. Click the Configure tab.
  4. Under vSAN, select Services.
  5. Click Generate New Encryption Keys.
  6. Click Apply to generate new KEKs.
    The Disk Encryption Keys (DEKs) are re-encrypted with the new KEKs.

Example: Using VMware PowerCLI for this Task

If you know the cloudadmin password, you can use a PowerCLI command like this one to do a shallow rekey of the vSAN service. This example, based on the Vsan-EncryptionRekey.ps1 code sample you can download from https://code.vmware.com/samples/2200#code, rekeys the vSAN service running on Cluster-1 of SDDC vCenter vcenter.sddc-54-200-165-35.vmwarevmc.com:

PS > ./Vsan-EncryptionRekey.ps1 -vCenter vcenter.sddc-54-200-165-35.vmwarevmc.com -User cloudadmin@vmc.local -Password cloudadmin-password -ReKey shallow -ClusterName Cluster-1
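The following PowerCLI script is an added example that shows what a shallow rekey looks like when driven through the vSAN Management API directly, with a pre-check and a post-check around it; it is not the VMware Vsan-EncryptionRekey.ps1 sample and not part of the original page. It assumes the VMware.PowerCLI module is installed, that the VsanVcClusterConfigSystem managed object exposes VsanClusterGetConfig and VsanEncryptedClusterRekey_Task with the parameter order used below (vSAN 6.6 and later), and that the vCenter FQDN and cluster name are placeholders you replace. The credential is prompted for rather than passed on the command line so the cloudadmin password does not land in shell history.

```powershell
# Added example (not VMware's Vsan-EncryptionRekey.ps1 sample): shallow rekey of a
# vSAN cluster via the vSAN Management API, with an encryption-state check before
# and a verification read after.
# Assumptions: VMware.PowerCLI is installed; VsanVcClusterConfigSystem exposes
# VsanClusterGetConfig(cluster) and VsanEncryptedClusterRekey_Task(cluster,
# deepRekey, allowReducedRedundancy); the vCenter and cluster names are placeholders.
param(
    [string]$vCenter     = "vcenter.sddc-PLACEHOLDER.vmwarevmc.com",   # placeholder
    [string]$User        = "cloudadmin@vmc.local",
    [string]$ClusterName = "Cluster-1"                                  # placeholder
)

# Prompt for the password instead of accepting it as a plain-text parameter.
$cred = Get-Credential -UserName $User -Message "vCenter password for $User"
Connect-VIServer -Server $vCenter -Credential $cred | Out-Null

try {
    $cluster    = Get-Cluster -Name $ClusterName -ErrorAction Stop
    $clusterRef = $cluster.ExtensionData.MoRef
    $vsanConfig = Get-VsanView -Id "VsanVcClusterConfigSystem-vsan-cluster-config-system"

    # Pre-check: only an encrypted cluster can be rekeyed. Fail early with a clear
    # message instead of letting the task fail later.
    $before = $vsanConfig.VsanClusterGetConfig($clusterRef)
    if (-not $before.DataEncryptionConfig -or -not $before.DataEncryptionConfig.EncryptionEnabled) {
        throw "vSAN encryption is not enabled on '$ClusterName'; there is nothing to rekey."
    }

    # Shallow rekey: deepRekey = $false replaces the KEK and re-wraps the DEKs
    # without rewriting on-disk data, which is the only mode supported on
    # VMware Cloud on AWS. allowReducedRedundancy = $false refuses to proceed if
    # the operation would leave objects below their policy-required redundancy.
    $deepRekey              = $false
    $allowReducedRedundancy = $false
    $taskRef = $vsanConfig.VsanEncryptedClusterRekey_Task($clusterRef, $deepRekey, $allowReducedRedundancy)

    # Map the API task reference onto a PowerCLI task object and wait for it.
    $viTask = Get-Task -Id ("Task-" + $taskRef.Value)
    Wait-Task -Task $viTask | Out-Null
    if ($viTask.State -ne "Success") {
        throw "Rekey task on '$ClusterName' finished in state '$($viTask.State)'."
    }

    # Post-check: re-read the cluster configuration so the change record shows the
    # cluster is still encrypted and which key provider it is bound to.
    $after = $vsanConfig.VsanClusterGetConfig($clusterRef)
    [PSCustomObject]@{
        Cluster           = $ClusterName
        EncryptionEnabled = $after.DataEncryptionConfig.EncryptionEnabled
        KeyProviderId     = $after.DataEncryptionConfig.KmsProviderId.Id
        RekeyTaskState    = $viTask.State
    }
}
finally {
    Disconnect-VIServer -Server $vCenter -Confirm:$false
}
```

Run it as ./Shallow-Rekey.ps1 -vCenter vcenter.sddc-54-200-165-35.vmwarevmc.com -ClusterName Cluster-1 (script name is hypothetical) and keep the emitted object with the change ticket: the rekey itself produces no visible change to guest data, so the post-read is the evidence that the operation completed against an encrypted cluster.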