If the ESXi host cannot get the key (KEK) from vCenter Server for an encrypted virtual machine or an encrypted virtual disk, the encrypted VM becomes locked. After you make the keys available on the KMS, you can unlock a locked encrypted virtual machine.
Under certain circumstances when using a standard key provider, the ESXi host cannot get the key encryption key (KEK) for an encrypted virtual machine or an encrypted virtual disk from vCenter Server. In that case, you can still unregister or reload the virtual machine. However, you cannot perform other virtual machine operations such as powering on the virtual machine. After taking the necessary steps to make the required keys available on the KMS, you can unlock a locked encrypted virtual machine by using the vSphere Client.
The disk [/path/to/the/disk.vmdk] is encrypted and a required key was not found.
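A triage sketch for the error message above, added here as an example and not VMware's own code: it scans text lines for that message and groups the affected disks by virtual machine directory, so you can see which virtual machines to unlock once the keys are available on the KMS again. Only the message text comes from this page; the timestamps, log prefixes, and disk paths in the sample are constructed assumptions.

```python
import posixpath
import re
from collections import defaultdict

# Message text is taken from the page. The non-greedy group is anchored on
# "] is encrypted", so a path that itself contains "]" is still captured whole.
MISSING_KEY = re.compile(
    r"The disk \[(?P<disk>.+?)\] is encrypted and a required key was not found"
)


def find_missing_key_disks(lines):
    """Return {vm_directory: {disk_path: count}} for each missing-key message."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        for match in MISSING_KEY.finditer(line):
            disk = match.group("disk").strip()
            hits[posixpath.dirname(disk)][disk] += 1
    return {vm_dir: dict(disks) for vm_dir, disks in hits.items()}


def report(hits):
    """Render one summary line per VM directory, sorted for stable output."""
    out = []
    for vm_dir in sorted(hits):
        disks = hits[vm_dir]
        out.append(f"{vm_dir}: {len(disks)} disk(s), {sum(disks.values())} error(s)")
    return out


# Constructed sample input (not real log output; line layout is an assumption).
SAMPLE = """\
2024-01-01T10:00:00Z info  Power on requested for app01
2024-01-01T10:00:01Z error The disk [/vmfs/volumes/ds1/app01/app01_1.vmdk] is encrypted and a required key was not found.
2024-01-01T10:05:01Z error The disk [/vmfs/volumes/ds1/app01/app01_1.vmdk] is encrypted and a required key was not found.
2024-01-01T10:06:12Z error The disk [/vmfs/volumes/ds1/db02/db02.vmdk] is encrypted and a required key was not found.
2024-01-01T10:07:00Z error The disk [[ds1] web03/web03.vmdk] is encrypted and a required key was not found.
2024-01-01T10:08:00Z info  The disk [/vmfs/volumes/ds1/app01/app01.vmdk] was opened.
""".splitlines()

if __name__ == "__main__":
    for row in report(find_missing_key_disks(SAMPLE)):
        print(row)
```
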