Following a failover, the Virtual Machine is flagged as invalid after being registered in the vCenter UI

Article ID: 417016

Products

VMware vCenter Server

Issue/Introduction

  • During a storage array failover, the virtual machine enters an invalid state after it is registered on the destination vCenter.
  • The following log entries appear on the vCenter Server in /var/log/vmware/vpxd/vpxd.log:

    YYYY-MM-DDTHH:MM:SS.016Z warning vpxd[#####] [Originator@#### sub=CryptoManager opID=########-###-auto-rd-h5:########-##-##] Keys not found for [vim.VirtualMachine:vm-####,####]: ###########/###########/##########################+##+######################+###################+
    ######/toast,###########/###########/##############################################+###########################################/######.

  • The following log entry appears on the ESXi host in /var/run/log/hostd.log:

    YYYY-MM-DDTHH:MM:SS.528Z Wa(164) Hostd[#####]:[Originator@####sub=Vmsvc.vm:/vmfs/volumes/########-########-####-########/####/####.vmx] Caught exception Fault cause: vim.fault.EncryptionKeyRequired
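
To check collected logs for the two signatures above, the following added example (not part of the original article or any VMware tooling) scans vpxd.log and hostd.log text and lists the affected VM references and .vmx paths. The sample lines, IDs and paths are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample lines modeled on the two signatures quoted in this article;
# every ID, path and timestamp below is made up.
SAMPLE_VPXD = "\n".join([
    "2024-01-01T10:00:00.016Z warning vpxd[12345] [Originator@6876 sub=CryptoManager "
    "opID=aaaa-111-auto-rd-h5:70000001-aa-01] Keys not found for "
    "[vim.VirtualMachine:vm-1001,1001]: exampleKeyId/exampleProvider",
    "2024-01-01T10:00:01.100Z info vpxd[12345] [Originator@6876 sub=vpxLro] unrelated",
    "2024-01-01T10:05:00.016Z warning vpxd[12345] [Originator@6876 sub=CryptoManager "
    "opID=bbbb-222] Keys not found for [vim.VirtualMachine:vm-1001,1001]: exampleKeyId",
])
SAMPLE_HOSTD = (
    "2024-01-01T10:00:00.528Z Wa(164) Hostd[2100001]:[Originator@6876sub=Vmsvc.vm:"
    "/vmfs/volumes/11111111-22222222-3333-444444444444/app01/app01.vmx] "
    "Caught exception Fault cause: vim.fault.EncryptionKeyRequired"
)

# vCenter side: CryptoManager cannot find the keys for a VM managed object.
VPXD_RE = re.compile(
    r"^(\S+) .*sub=CryptoManager.*Keys not found for \[vim\.VirtualMachine:(vm-\d+)")
# ESXi side: hostd raises EncryptionKeyRequired for a specific .vmx file.
HOSTD_RE = re.compile(
    r"^(\S+) .*sub=Vmsvc\.vm:(.+?\.vmx)\].*vim\.fault\.EncryptionKeyRequired")

def scan(text, pattern):
    """Map each affected object to (first-seen timestamp, hit count)."""
    hits = {}
    for line in text.splitlines():
        m = pattern.search(line)
        if m:
            first, count = hits.get(m.group(2), (m.group(1), 0))
            hits[m.group(2)] = (first, count + 1)
    return hits

def triage(vpxd_text, hostd_text):
    """Summarize both logs; both signatures together match this article's symptom."""
    vms, vmx = scan(vpxd_text, VPXD_RE), scan(hostd_text, HOSTD_RE)
    return {"vms_missing_keys": vms, "vmx_key_required": vmx,
            "matches_article": bool(vms) and bool(vmx)}

if __name__ == "__main__":
    report = triage(SAMPLE_VPXD, SAMPLE_HOSTD)
    for kind in ("vms_missing_keys", "vmx_key_required"):
        for obj, (first, count) in report[kind].items():
            print(f"{kind}: {obj} first={first} hits={count}")
    print("matches article signature:", report["matches_article"])
```
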

Environment

VMware vCenter Server 8.x

Cause

The native key provider used to encrypt the virtual machine on the source vCenter is missing in the destination vCenter.

Resolution

  1. Back up the native key provider from the source vCenter.
  2. Restore the native key provider in the destination vCenter.
  3. Set the restored native key provider as default.
  4. Register the virtual machine.

Note: If the destination vCenter uses a different native key provider, switching the default native key provider will require re-keying the existing virtual machines to avoid any issues.

Steps to Perform a Rekey (Recrypt) Using the vSphere Client: 

  1. Log in to the vCenter Server using the vSphere Client.

  2. In the inventory, select the encrypted virtual machine.

  3. Right-click the VM and select:
    VM Policies > Re-encrypt

  4. When prompted, click Yes to proceed.

  5. The virtual machine will be rekeyed with the new KEK from the Native Key Provider.

Additional Information

Setting Up Native Key Provider for vCenter Server in Linked Mode