Under certain circumstances, the ESXi host's encryption mode can become disabled.
An ESXi host requires that host encryption mode is enabled if it contains any encrypted virtual machines. If the host detects it is missing its host key, or if the KMS cluster is unavailable, the host might fail to enable the encryption mode. vCenter Server generates an alarm when the host encryption mode cannot be enabled.
Procedure
- If the problem is the connection between the vCenter Server system and the KMS cluster, an alarm is generated and the following message appears in the event log:
  Host requires encryption mode enabled and the KMS cluster is not available.
  You must manually check for the keys in the KMS cluster, and restore the connection to the KMS cluster.
- If keys are missing, an alarm is generated and the following message appears in the event log:
  Host requires encryption mode enabled and the key is not available on the KMS cluster.
  You must manually recover the missing keys to the KMS cluster.
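The following is an added example, not part of the original documentation or any VMware tooling. It triages an exported event list into the two remediation paths above, keeping only the most recent matching event per host. The tab-separated export layout, the host names and the `triage` function are assumptions made for illustration.

```python
# The two event messages quoted on this page, matched exactly so that one
# is never mistaken for the other (both share the same opening words).
KMS_UNAVAILABLE = "Host requires encryption mode enabled and the KMS cluster is not available."
KEY_MISSING = "Host requires encryption mode enabled and the key is not available on the KMS cluster."

# Remediation text taken from the procedure on this page.
REMEDIATION = {
    KMS_UNAVAILABLE: "check for the keys in the KMS cluster and restore the connection to the KMS cluster",
    KEY_MISSING: "recover the missing keys to the KMS cluster",
}

# Constructed sample export (assumed layout): UTC ISO timestamp, host, message.
SAMPLE_EVENTS = """\
2024-05-01T08:00:12Z\tesx01.example.test\tHost requires encryption mode enabled and the KMS cluster is not available.
2024-05-01T08:00:40Z\tesx02.example.test\tHost requires encryption mode enabled and the key is not available on the KMS cluster.
2024-05-01T08:05:03Z\tesx01.example.test\tHost requires encryption mode enabled and the key is not available on the KMS cluster.
2024-05-01T08:06:00Z\tesx03.example.test\tUser root logged in
malformed line without tabs
"""

def triage(export_text):
    """Return {host: (timestamp, remediation)} for the latest matching event per host."""
    latest = {}
    for line in export_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # skip rows that do not follow the assumed layout
        ts, host, msg = (p.strip() for p in parts)
        action = REMEDIATION.get(msg)
        if action is None:
            continue  # unrelated event
        # Same-format UTC ISO timestamps compare correctly as strings.
        if host not in latest or ts > latest[host][0]:
            latest[host] = (ts, action)
    return latest

if __name__ == "__main__":
    for host, (ts, action) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host} (last seen {ts}): {action}")
```
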