At this customer we use the vSphere native key provider (NKP) as the key provider for the vSAN datastores. After upgrading the vCenter to 8.0U1 we encountered this error on all the vSAN Clusters.
We then went to vSAN Skyline Health to see what the inconsistency was about:
As stated, the DEK is encrypted with an out-of-date KEK. Skyline has a nice button to fix the inconsistency under “How to troubleshoot and fix”.
When we clicked the button we got this message:
But we had not upgraded a host yet, so there is no new disk format, and the warning is kind of strange. We decided to push the button anyway (no guts, no glory), but after a few minutes and “Reconfigure vSAN” tasks the error still remained.
Fortunately vSAN pointed us in the right direction with the error message “The DEK’s needs to be re-encrypted with the new KEK”.
(More information: Generate New Data-At-Rest Encryption Keys (vmware.com))
The new keys can be generated via vSAN > Services > Data Services.
It’s not necessary to re-encrypt all the data on the storage, so we can just generate new keys for the DEKs.
After completion (a few minutes) the Skyline Health error was gone and we proceeded to upgrade the clusters via vLCM.
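
Why generating new keys does not require re-encrypting the data, as an added illustration (not part of the original post and not vSAN's implementation): a simplified Python model in which each disk's data is encrypted with a DEK and only the small wrapped DEK is rewritten when the KEK changes. The `Disk` class, the `kek-1`/`kek-2` identifiers and the toy XOR/HMAC cipher are constructed assumptions standing in for the real AES-based scheme.

```python
# Added illustration, not vSAN code: the XOR/HMAC "cipher" is a toy stand-in for AES.
import hashlib, hmac, os

def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"ks" + nonce + bytes([i]), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted blob")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Disk:
    def __init__(self, kek_id, kek, data):
        dek = os.urandom(32)                 # per-disk data encryption key
        self.kek_id = kek_id                 # which KEK currently wraps the DEK
        self.wrapped_dek = seal(kek, dek)    # small: the only thing a rekey rewrites
        self.ciphertext = seal(dek, data)    # bulk data, encrypted with the DEK

    def shallow_rekey(self, old_kek, new_kek_id, new_kek):
        dek = unseal(old_kek, self.wrapped_dek)
        self.wrapped_dek, self.kek_id = seal(new_kek, dek), new_kek_id

    def read(self, kek):
        return unseal(unseal(kek, self.wrapped_dek), self.ciphertext)

def stale_disks(disks, current_kek_id):
    """Model of the health finding: DEKs still wrapped by an out-of-date KEK."""
    return [d for d in disks if d.kek_id != current_kek_id]

def demo():
    kek1, kek2 = os.urandom(32), os.urandom(32)   # constructed sample keys
    disks = [Disk("kek-1", kek1, b"block %d" % i) for i in range(3)]
    before = [d.ciphertext for d in disks]
    result = {"stale_before": len(stale_disks(disks, "kek-2"))}
    for d in stale_disks(disks, "kek-2"):
        d.shallow_rekey(kek1, "kek-2", kek2)
    result["stale_after"] = len(stale_disks(disks, "kek-2"))
    result["data_ciphertext_unchanged"] = before == [d.ciphertext for d in disks]
    result["readable_with_new_kek"] = disks[1].read(kek2) == b"block 1"
    try:
        disks[1].read(kek1)
        result["old_kek_rejected"] = False
    except ValueError:
        result["old_kek_rejected"] = True
    return result
```

Calling `demo()` returns a dictionary showing that all three modelled disks were flagged before the rekey, none after, and that the bulk ciphertext was never rewritten.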