An administrator attempts to enable vSAN Data-at-Rest Encryption on a cluster but receives the following...

The administrator must validate that the vSphere Native Key Provider has been backed up. When a Native Key Provider is created, vCenter pushes the key provider configuration to clustered ESX hosts, but the provider is not usable for encryption tasks until it has been backed up. The documentation states that after adding a Native Key Provider, it appears as not backed up, and that it must be backed up before use. The backup process changes the provider status from Not Backed Up, to Warning while vCenter propagates information to hosts, and then to Active when the information has been pushed to all hosts. A TPM 2.0 device is not required when using Native Key Provider with default settings, although TPM can provide enhanced security and can optionally be enforced. Crypto Safe Mode and disabling Secure Boot are not prerequisites for enabling vSAN Data-at-Rest Encryption with NKP. Therefore, the validation step is to confirm that the NKP backup has been created and the provider is active on the hosts. Reference topics: vSphere Native Key Provider, Back Up Native Key Provider, vSAN Data-at-Rest Encryption, Key Provider Availability.