At this customer we use the vSphere native key provider (NKP) as the key provider for the vSAN datastores. After upgrading the vCenter to 8.0U1 we encountered this error on all the vSAN Clusters.

We then proceeded to the vSAN Skyline health to see what’s the inconsistency was about;

As stated the DEK is encrypted with an out of date KEK. Skyline has a nice button to fix the inconsistency under the ” How to troubleshoot and Fix”

If we clicked the button we got this message;

But, we did not upgrade a host yet so there is no new diskformat. So the warning is kind of strange. But we decided to push the button (no guts no glory), but after a few minuts and “Reconfigure vSAN tasks” the error still remains.

Fortunately vSAN pointed us in the right direction with the error message ” The DEK’s needs to be re-encrypted with the new KEK”.

(more information; Generate New Data-At-Rest Encryption Keys (

The new keys can be generated via vSAN-Services-Data services

It’s not necessary to re-encrypt al the data on the storage so we can just generate new keys for the DEKs

After completion (few minuts) skyline health error was gone and we proceeded to upgrade the clusters via VLCM.

The original article was posted on:

Related articles

  • Cloud Native
  • Application Navigator
  • Kubernetes Platform
  • Digital Workspace
  • Cloud Infrastructure
  • ITTS (IT Transformation Services)
  • Managed Security Operations
  • Multi-Cloud Platform
  • Backup & Disaster Recovery
Visit our knowledge hub
Visit our knowledge hub
Ruud Harreman Virtualization Consultant

Let's talk!

Knowledge is key for our existence. This knowledge we use for disruptive innovation and changing organizations. Are you ready for change?

"*" indicates required fields

First name*
Last name*