In an encrypted Virtual SAN cluster, if a host loses communication with the key management server (KMS) and then reboots, the host's disk groups can become locked.


Virtual SAN locks a host's disk groups when the host reboots and cannot get the key encryption key (KEK) from the KMS. The locked disks behave as if they are unmounted, and objects on them become inaccessible.

You can view a disk group's health status on the Disk Management page in the vSphere Web Client. An Encryption health check warning notifies you that a disk is locked.


Hosts in an encrypted Virtual SAN cluster do not store the KEK on disk. If a host reboots and cannot get the KEK from the KMS, Virtual SAN locks the host's disk groups.


To exit the locked state, you must restore communication with the KMS and reestablish the trust relationship.