Post-Power Outage: VMs on vSAN Datastore Show in an Invalid Status

Article ID: 403869


Products

VMware vSAN

Issue/Introduction

Symptoms:

  • After a power outage, every disk in the cluster reports the following error:
    "Disk encrypted and locked due to the encryption key not being available. Check the status of KMS servers configured for the cluster and ensure the encryption key can be retrieved."
  • No vSAN cluster partition is detected, so the problem is not a network split between hosts.
  • All VMs on the vSAN datastore show as invalid in the inventory.
  • The vCenter Server VM is also not running, because it was itself hosted on the vSAN datastore.
  • Running esxcli vsan debug object health summary get returns no object details, since all vSAN objects are encrypted and currently inaccessible.
  • The KMS configuration on the host (esxcli vsan encryption kms list) shows that vCenter Native Key Provider (NKP) is in use. The host lists both a kekid and a hostkeyid, so it knows which keys it needs but cannot obtain them.
  • Attempting to retrieve the vSAN encryption key from the key cache on the host also fails; no key data is returned.
  • After vCenter is restored from backup, Skyline Health reports that the KMS cluster is unable to get the KMS status.

Environment

VMware vSAN 7.x

VMware vSAN 8.x

Cause

vSAN encryption in this cluster uses the vCenter Native Key Provider, which runs inside vCenter Server. Because the vCenter VM itself lived on the vSAN datastore, the outage created a circular dependency: the ESXi hosts need the NKP to supply the keys that unlock their disk groups, but the NKP is unavailable until vCenter boots, and vCenter cannot boot from a locked datastore. The hosts also had no usable copy of the key in their local key cache, so they could not unlock the disk groups on their own.

After vCenter was restored from backup, the kmxa log under /var/run/log on the host showed that the host still could not fetch the key material from vCenter; the key locator presented by the restored vCenter was rejected as invalid:

2025-07-03T14:58:09.516Z Er(163) kmxa[2098822] [Originator@6876 sub=Libs opID=resolveKey-52d8cfea-a162-fd7c-7574-xxxxxxxxxxxx-1456] Import key locator on 525054cc-8282-ef46-9a00-xxxxxxxxxxxx failed: Exported key locator is invalid.
2025-07-03T14:58:09.525Z Er(163) kmxa[2098820] [Originator@6876 sub=Libs opID=resolveKey-52d8cfea-a162-fd7c-7574-xxxxxxxxxxxx-1457] Import key locator on 778fbea9-7199-4635-8ab0-xxxxxxxxxxxx failed: Exported key locator is invalid.
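As an added triage helper, not part of this KB, the POSIX shell functions below pull the failing key IDs out of kmxa log lines like the two above, so you can tell at a glance which keys a host is still unable to resolve and when the last failure happened (useful for checking whether the errors stopped after the vCenter or NKP restore). The embedded sample log is constructed from the entries above; the IDs are placeholders, not real identifiers. The functions use only busybox-compatible sh, awk, sort and wc, so they can be pasted into an ESXi shell and pointed at /var/run/log/kmxa.log.

```shell
#!/bin/sh
# Added triage helper (not from the KB): lists the key IDs that kmxa could not
# resolve from "Import key locator on <id> failed" errors in a kmxa log.

# Constructed sample log lines modeled on the KB entries. IDs are placeholders.
SAMPLE_KMXA_LOG='2025-07-03T14:58:09.516Z Er(163) kmxa[2098822] [Originator@6876 sub=Libs opID=resolveKey-52d8cfea-a162-fd7c-7574-xxxxxxxxxxxx-1456] Import key locator on 525054cc-8282-ef46-9a00-xxxxxxxxxxxx failed: Exported key locator is invalid.
2025-07-03T14:58:09.525Z Er(163) kmxa[2098820] [Originator@6876 sub=Libs opID=resolveKey-52d8cfea-a162-fd7c-7574-xxxxxxxxxxxx-1457] Import key locator on 778fbea9-7199-4635-8ab0-xxxxxxxxxxxx failed: Exported key locator is invalid.
2025-07-03T14:58:10.001Z In(166) kmxa[2098820] [Originator@6876 sub=Libs] Unrelated informational message (constructed).
2025-07-03T14:58:11.200Z Er(163) kmxa[2098822] [Originator@6876 sub=Libs opID=resolveKey-52d8cfea-a162-fd7c-7574-xxxxxxxxxxxx-1458] Import key locator on 525054cc-8282-ef46-9a00-xxxxxxxxxxxx failed: Exported key locator is invalid.'

# failed_key_locators LOGFILE
# Prints each distinct key ID from an "Import key locator on <id> failed" line,
# one per line, sorted. The "failed:" check after the ID guards against other
# occurrences of the word "on" in the message.
failed_key_locators() {
    awk '/Import key locator on .* failed/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "on" && $(i+2) == "failed:") print $(i+1)
         }' "$1" | sort -u
}

# count_failed_key_locators LOGFILE
# Prints the number of distinct failing key IDs (0 when the log is clean).
count_failed_key_locators() {
    failed_key_locators "$1" | wc -l | tr -d ' '
}

# last_failure_time LOGFILE
# Prints the timestamp (first field) of the most recent import failure, which
# tells you whether the errors predate or postdate the vCenter restore.
last_failure_time() {
    awk '/Import key locator on .* failed/ { ts = $1 } END { if (ts != "") print ts }' "$1"
}

# demo_logfile
# Writes the constructed sample to a temp file and prints its path, so the
# functions can be exercised without a real host.
demo_logfile() {
    f="${TMPDIR:-/tmp}/kmxa-sample.$$.log"
    printf '%s\n' "$SAMPLE_KMXA_LOG" > "$f"
    printf '%s' "$f"
}

main() {
    f="$(demo_logfile)"
    echo "Distinct key IDs that kmxa could not resolve:"
    failed_key_locators "$f"
    echo "Count: $(count_failed_key_locators "$f")"
    echo "Most recent failure: $(last_failure_time "$f")"
    rm -f "$f"
}

main
```

On a live host, replace the sample with `failed_key_locators /var/run/log/kmxa.log`; the IDs it prints should match the kekid and hostkeyid values reported by esxcli vsan encryption kms list. If last_failure_time keeps advancing after the key provider has been restored, the hosts are still rejecting what vCenter presents and the NKP repair is not yet complete.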

Resolution

In this scenario, vCenter Server must first be brought back by restoring it from backup. Because the vSAN datastore is locked, the restore has to land on storage that does not depend on the vSAN encryption keys, such as a local datastore on one of the hosts.

Once vCenter is up, repair the hosts' connectivity to the Native Key Provider by fixing the certificate issues behind the "Exported key locator is invalid" errors; until they are resolved, the hosts reject the key material the restored vCenter presents and the Skyline Health KMS status check keeps failing.

Check whether the customer has a backup of the Native Key Provider configuration (the password-protected file exported when the key provider was backed up). If so, restore the key provider from that backup; once the key provider matches what the hosts expect, connectivity is restored.

Once connectivity is restored and the hosts can retrieve their keys, the disk groups unlock and the VMs return to a normal state. To avoid this dependency loop in future, keep a current backup of the Native Key Provider and reconsider placing the vCenter VM on the very datastore whose keys it provides.