When using a real KMS, the guidance would always be to have the KMS appliance VM hosted on a server outside a vSAN cluster that you are encrypting.
Is there confirmation that when using the Native Key Provider, this guidance no longer holds? I.e. I can now use the vSAN cluster’s vCenter to provide the NKP to encrypt that same cluster?
I did cold boot a node (the one with the VCSA) in an NKP-encrypted cluster, which came back up without issue.