In vSphere environments with VM Encryption or vTPM-enabled virtual machines, you may encounter the following error when attempting to power on a virtual machine after a reboot of ESXi hosts or vCenter:
A general system error occurred: Unable to decrypt the ciphertext. Failed to decrypt the key
This error typically occurs when the ESXi host loses access to the Host Encryption Key after a reboot. Even if the Key Management Server (KMS) connection is healthy, the vCenter Server may retain stale encryption metadata, leading it to believe the ESXi host still has the required key — preventing the host from re-acquiring it via vCenter.
As a result, the ESXi host cannot decrypt encrypted virtual machines, leaving them in a locked or invalid state.
VMware vSphere 7.x
VMware vSphere 8.x
vCenter falsely believed the ESXi hosts still had their Host Encryption Key, but the hosts had lost it post-reboot.
This mismatch blocked key re-acquisition from the KMS, causing VM decryption failures.
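The mismatch described above can be surveyed from vCenter before starting recovery. The following read-only PowerCLI check is an added example, not part of the original article or of VMware's documented procedure. It assumes an existing Connect-VIServer session, and the "Suspect" rule (vCenter reports the host as safe while its VMs are locked or invalid) is a heuristic assumed here, not a VMware-defined test.

```powershell
# Added triage example. Assumes VMware PowerCLI and an active Connect-VIServer
# session. Read-only: it queries state and changes nothing.
$report = Get-VMHost | ForEach-Object {
    $vmHost  = $_
    $runtime = $vmHost.ExtensionData.Runtime
    $views   = @(Get-VM -Location $vmHost | ForEach-Object { $_.ExtensionData })

    # A VM with an encrypted VM home (VM Encryption or vTPM) carries a key id
    # in its config. Invalid VMs may have no readable config at all.
    $encrypted = @($views | Where-Object { $_.Config -and $_.Config.KeyId })
    $locked    = @($encrypted | Where-Object { "$($_.Runtime.CryptoState)" -eq 'locked' })
    $invalid   = @($views | Where-Object { "$($_.Runtime.ConnectionState)" -eq 'invalid' })

    # Host crypto state as vCenter reports it. Per the cause above, this view
    # can be stale after a reboot, so 'safe' alone does not prove the host
    # still holds its Host Encryption Key.
    $hostState = "$($runtime.CryptoState)"
    $hostKeyId = if ($runtime.CryptoKeyId) { $runtime.CryptoKeyId.KeyId } else { '' }

    [pscustomobject]@{
        Host            = $vmHost.Name
        HostCryptoState = $hostState
        HostKeyId       = $hostKeyId
        EncryptedVMs    = $encrypted.Count
        LockedVMs       = ($locked | ForEach-Object { $_.Name }) -join ', '
        InvalidVMs      = ($invalid | ForEach-Object { $_.Name }) -join ', '
        # Heuristic (assumption): host looks key-ready to vCenter, yet VMs on
        # it are locked or invalid.
        Suspect         = ($hostState -eq 'safe') -and (($locked.Count + $invalid.Count) -gt 0)
    }
}

$report | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Hosts flagged as Suspect are the ones to take through the resolution; a host that reports a state other than safe points to a different condition than the stale-metadata case described here.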
Implement the resolution from "Alert: Host requires encryption mode enabled. Manually recover the missing key".