The failure is host-specific because the KMS is online and reachable from the other hosts, and those hosts remain healthy with encryption enabled. In vSAN Data-at-Rest Encryption, vCenter works with the external KMS to manage the Key Encryption Key (KEK). ESX hosts use the KEK to unlock the Data Encryption Keys that protect encrypted vSAN disk data. When a host reboots, it must retrieve the required encryption key before encrypted vSAN disk groups can be mounted. If the host’s trust relationship, certificate, or KMS identity relationship is invalid or missing, that host cannot retrieve the key, and its encrypted disk groups remain unmounted. A Deep Rekey changes encryption material but does not repair a broken host-to-KMS trust relationship. Restarting vCenter is not the required fix because other hosts are functioning normally. TPM failure is not the best explanation because the error explicitly states that retrieval from the KMS failed. Reference topics: vSAN Data-at-Rest Encryption, External KMS Trust, Key Retrieval, Encrypted Disk Group Mounting.