After moving vSAN to a new KMS  provider or a Native Key Provider (NKP) there are alarms in vSAN health for key not available.

vSAN with Data at Rest Encryption (All versions) 

During the key provider change a shallow rekey was not preformed on the vSAN cluster. 
This is causing the new key provider to not have the expected keys. 

Do NOT reboot or make any changes to the disk groups in this condition. 

Manually preform a shallow rekey to generate new KEK keys from the new key provider on the vSAN cluster by following the steps in Generate New Encryption Keys

Confirm the alarms relate to encryption keys not available are no longer triggered in the vSAN health check.