A VM can be recrypted with new keys, for example, in case a key expires or becomes compromised. The following options are available.
A deep recrypt, which replaces both the Disk Encryption Key (DEK) and Key Encryption Key (KEK).
A shallow recrypt, which replaces only the KEK.
A deep recrypt requires that the VM is powered off and contains no snapshots. A shallow recrypt can be performed while the VM is powered on, and when the VM has snapshots. Shallow recrypt of an encrypted VM with snapshots is permitted only on a single snapshot branch (disk chain); multiple snapshot branches are not supported. Shallow recrypt is also not supported on a linked clone of a VM or disk.

If the shallow recrypt fails before updating all links in the chain with the new KEK, the encrypted VM can still be accessed as long as both the old and new KEKs are available. However, it is best to reissue the shallow recrypt operation before performing any snapshot operations.
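The preconditions above can be checked before a recrypt is scheduled. The following pre-flight check is an added example, not code from the product or its API: the `VM` and `Snapshot` classes are a hypothetical inventory model, and the blocker messages are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Snapshot:            # hypothetical model of one node in a snapshot tree
    name: str
    children: list = field(default_factory=list)

@dataclass
class VM:                  # hypothetical model, not a vSphere API object
    powered_on: bool
    linked_clone: bool = False
    root_snapshots: list = field(default_factory=list)

def branch_count(snaps):
    """Count snapshot branches (disk chains): one per leaf snapshot, 0 if none."""
    return sum(branch_count(s.children) or 1 for s in snaps)

def recrypt_blockers(vm):
    """Return the reasons each recrypt type is not allowed; an empty list means allowed."""
    branches = branch_count(vm.root_snapshots)
    deep, shallow = [], []
    # Deep recrypt replaces DEK and KEK: VM must be off and have no snapshots.
    if vm.powered_on:
        deep.append("VM must be powered off")
    if branches > 0:
        deep.append("VM must contain no snapshots")
    # Shallow recrypt replaces only the KEK: allowed powered on and with
    # snapshots, but only on a single branch and never on a linked clone.
    if branches > 1:
        shallow.append("multiple snapshot branches are not supported")
    if vm.linked_clone:
        shallow.append("linked clones are not supported")
    return {"deep": deep, "shallow": shallow}

if __name__ == "__main__":
    # Constructed sample inventory: a running VM whose snapshot tree forks.
    forked = VM(powered_on=True, root_snapshots=[
        Snapshot("base", [Snapshot("patch-a"), Snapshot("patch-b")])])
    for kind, reasons in recrypt_blockers(forked).items():
        print(kind, "->", "allowed" if not reasons else "; ".join(reasons))
```

A VM that fails the shallow check because of a forked snapshot tree also fails the deep check, so in this model the snapshots have to be consolidated or removed before either operation can run.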