Symptoms:

• vSAN health reports vSAN cluster configuration consistency issue
• vSAN cluster shows below error in skyline health  after disabling the encryption "Remediate Cluster task fails (Encryption was enabled on disk level but disabled from cluster level)".
• The encryption was enabled at disk level and disabled from cluster level. 

Command to check the encryption on disk level : esxcli vsan storage list | grep -i encryption 

To view the cluster level encryption status please follow the below steps : 

1. Navigate to the vSAN host cluster in the vSphere Web Client.
2. Click the Configure tab.
3. Under vSAN, select General.
4. In the vSAN is turned ON pane, click the Edit button.
5. On the Edit vSAN settings dialog, check the Encryption check box.

VMware vSphere 7.x
VMware vSphere 8.x

The Issue will occur if vSAN encryption is disabled without selecting "Allow reduce redundancy" option for vSAN cluster running with minimum number of hosts and running low on storage space.

In "Allow Reduced Redundancy"  option, disk group recreation will be performed without evacuating the disk group.

The table shows the minimum host required for different RAID type. 

Steps to resolve the issue : 

• Navigate to vSAN Cluster > Configure > Skyline health > Click on REMEDIATE  with Allow Reduce Redundancy.
• Wait for the task to complete.

Note: 

Always back up your data before making any changes to encryption settings.
The cluster should be in a healthy state with no outstanding issues in skyline health that need resolution prior disabling encryption 

To be alerted when this article is updated, follow KB Subscribe to a Broadcom knowledge article

vSAN Cluster Configuration Consistency

vSAN Data-At-Rest Encryption