Under certain circumstances, the ESXi host's encryption mode can become disabled.

An ESXi host requires that host encryption mode is enabled if it contains any encrypted virtual machines. If the host detects it is missing its host key, or if the KMS cluster is unavailable, the host might fail to enable the encryption mode. vCenter Server generates an alarm when the host encryption mode cannot be enabled.

Procedure

  1. If the problem is the connection between the vCenter Server system and the KMS cluster, an alarm is generated and an error message appears in the event log.
    You must restore the connection to the KMS cluster that contains the encryption keys in question.
  2. If keys are missing, an alarm is generated and an error message appears in the event log.
    You must ensure that the keys are present in the KMS cluster. Consult the documentation for your key management vendor for information about restoring from backup.

What to do next

If the host's encryption mode remains disabled after you restore the connection to the KMS cluster or manually recover the keys to the KMS cluster, re-enable the host encryption mode. See Re-Enable ESXi Host Encryption Mode.
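One way to confirm which hosts still need attention after the KMS connection or keys have been restored is shown below. It is an added PowerCLI example, not part of the original documentation. It assumes an existing `Connect-VIServer` session, and the function names `Get-HostCryptoReport` and `Test-KmsReachability` are hypothetical helpers introduced here.

```powershell
# Added example. Assumes VMware PowerCLI is loaded and Connect-VIServer has
# already been run against the vCenter Server that manages the hosts.

function Get-HostCryptoReport {
    # One row per host: its crypto state and how many encrypted VMs it holds.
    foreach ($vmhost in Get-VMHost) {
        # HostRuntimeInfo.cryptoState; 'safe' means host encryption mode is enabled.
        $state = "$($vmhost.ExtensionData.Runtime.CryptoState)"
        # A VM is encrypted when its configuration carries a key ID.
        $encrypted = @(Get-VM -Location $vmhost |
            Where-Object { $null -ne $_.ExtensionData.Config.KeyId })
        [pscustomobject]@{
            Host         = $vmhost.Name
            CryptoState  = $state
            EncryptedVMs = $encrypted.Count
            # Encrypted VMs on a host that is not in the 'safe' state need follow-up.
            NeedsAction  = ($encrypted.Count -gt 0 -and $state -ne 'safe')
        }
    }
}

function Test-KmsReachability {
    # TCP probe of every key management server registered in vCenter Server.
    # Address and Port are read from the registered KMS entries.
    foreach ($kms in Get-KeyManagementServer) {
        $probe = Test-NetConnection -ComputerName $kms.Address -Port $kms.Port `
            -WarningAction SilentlyContinue
        [pscustomobject]@{
            KmsCluster   = "$($kms.KmsCluster)"
            Server       = $kms.Name
            Endpoint     = "$($kms.Address):$($kms.Port)"
            TcpReachable = $probe.TcpTestSucceeded
        }
    }
}

Get-HostCryptoReport | Sort-Object NeedsAction -Descending | Format-Table -AutoSize
Test-KmsReachability | Format-Table -AutoSize
```

The TCP probe runs from the workstation where the script executes, not from the vCenter Server system, so a successful probe does not by itself prove that the vCenter Server to KMS connection is healthy. The alarm and the event log remain the authoritative indicators.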