In an encrypted vSAN cluster, when communication between a host and the KMS is lost, the disk group can become locked if the host reboots.


vSAN locks a host's disk groups when the host reboots and it cannot get the KEK from the KMS. The disks behave as if they are unmounted. Objects on the disks become inaccessible.

You can view a disk group's health status on the Disk Management page in the vSphere Web Client. An Encryption health check warning notifies you that a disk is locked.

Hosts in an encrypted vSAN cluster do not store the KEK on disk. If a host reboots and cannot get the KEK from the KMS, vSAN locks the host's disk groups.


To exit the locked state, you must restore communication with the KMS and reestablish the trust relationship.