Message setDebug is over limit of 2,000 to insert into database. Original text: failed to encrypt VM '<VM_NAME>': failed to update: The encryption operation failed: The operation is not supported.
  at gitlab.eng.vmware.com/core-build/vcd-addon-byok/byok/vm.(*Encryptor).encryptVcdVm(/opt/src/byok/vm/encryptor.go:386)
  at gitlab.eng.vmware.com/core-build/vcd-addon-byok/byok/vm.(*Encryptor).EncryptVms.func1(/opt/src/byok/vm/encryptor.go:143)
  at gitlab.eng.vmware.com/core-build/vcd-addon-byok/byok/client/vcd.(*ApiQueryRequest[...]).ForEachAll(/opt/src/byok/client/vcd/client_query_api.go:207)
  at gitlab.eng.vmware.com/core-build/vcd-addon-byok/byok/vm.(*Encryptor).EncryptVms(/opt/src/byok/vm/encryptor.go:126)
  at gitlab.eng.vmware.com/core-build/vcd-addon-byok/byok/vm.(*Encryptor).EncryptVdc(/opt/src/byok/vm/encryptor.go:88)
  at gitlab.eng.vmware.com/core-build/vcd-addon-byok/byok/controller/reconciler ...
VMware Cloud Director 10.5.1.1
VMware Cloud Director Availability 4.7.3
VMware Encryption Management plugin 1.2
VMs that Cloud Director Availability migrates from a non-encrypted state to an encrypted state are not encrypted with the BYOK-configured encryption key. This is expected behavior due to limitations in Cloud Director Availability and vSphere Replication.
The recommendation is to migrate the VMs to an OrgVDC that is not encrypted by BYOK. Once the migration is complete, encrypt the OrgVDC using BYOK. This will shallow re-encrypt all encrypted VMs with the desired KMS and KeyID.
Note: If there is an active VM replication, a VM re-encrypt will not change the encryption on the target site. The VM on the target site will be encrypted with the KMS / KeyID set at the time replication was set up.