Under certain circumstances, the ESXi host's encryption mode can become disabled.

An ESXi host requires that host encryption mode is enabled if it contains any encrypted virtual machines. If the host detects it is missing its host key, or if the key provider is unavailable, the host might fail to enable the encryption mode. vCenter Server generates an alarm when the host encryption mode cannot be enabled.

Procedure

  1. If the problem is the connection between the vCenter Server system and the key provider, an alarm is generated and an error message appears in the event log.
    You must manually check for the keys in the key provider, and restore the connection to the key provider.
  2. If keys are missing, an alarm is generated and an error message appears in the event log.
    You must manually recover the missing keys to the key provider.

What to do next

If, after restoring connection to the key provider, or manually recovering keys to the key provider, the host's encryption mode remains disabled, re-enable the host encryption mode. See Re-Enable ESXi Host Encryption Mode.