Disk Group Becomes Locked

In an encrypted Virtual SAN cluster, when communication between a host and the KMS is lost, the disk group can become locked if the host reboots.

Problem

Virtual SAN locks a host's disk groups when the host reboots and it cannot get the KEK from the KMS. The disks behave as if they are unmounted. Objects on the disks become inaccessible.

You can view a disk group's health status on the Disk Management page in the vSphere Web Client. An Encryption health check warning notifies you that a disk is locked.

Cause

Hosts in an encrypted Virtual SAN cluster do not store the KEK on disk. If a host reboots and cannot get the KEK from the KMS, Virtual SAN locks the host's disk groups.

Solution

To exit the locked state, you must restore communication with the KMS and reestablish the trust relationship.