Best Practices
This section gives tips for optimum use of keys and virtual machine encryption.
Key Lifecycle and Removal
The removeKey and removeKeys methods delete key(s) from vCenter Server, but they do not delete keys from the KMS. Key lifecycle is managed entirely from the KMS, where stale keys persist. You can invoke the listKeys method to list the keys present on vCenter Server, but there is currently no method to query whether a specific key is in use by a virtual machine or virtual disk.
Be Careful with Force Remove
The force parameter of removeKey and removeKeys should be used judiciously. With the force option, removeKey and removeKeys delete the key(s) from both vCenter Server and the ESXi hosts even if a key is currently in use, which leaves any virtual machine that uses it in a locked state until the key is restored or replaced. The intended use of the force option is to prevent a key from being used anywhere after it has been compromised or has expired.
Removing Keys on an ESXi Host
If you call removeKey on an ESXi host, even without the force option, the key is deleted from the host's key cache and any encrypted virtual machine that uses it becomes unusable. ESXi hosts do not track which keys are in use. Rebooting the ESXi host causes vCenter Server to push all keys to the host again, but the virtual machine may not be fully recoverable from its failed state.
Carefully Manage Different Keys
When you encrypt both a virtual machine and its virtual disks from the vSphere Web Client, the same key is used for both. When you encrypt a virtual machine and its disks using the API, you can set a different encryption key for the virtual machine and for each virtual disk. If one of the disk keys is missing, the power-on operation may fail. If the missing key belongs to a non-boot virtual disk, you can remove that disk from the virtual machine and retry the power-on operation; a missing key for the virtual machine itself or for its boot disk has no such workaround. Take care when managing the lifecycle of different keys for a virtual machine and its disks.
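The API offers no "is this key in use" query, removeKeys with force will happily pull a live key, and per-disk keys mean a single missing key can block power-on. The following is an added example, not code from the VMware documentation or from vSphere itself, that builds that missing check from the inventory and plans a safe removal, plus a helper that reports which objects block power-on and whether detaching the disk is a workaround. It does not contact vCenter: the vSphere objects are modelled as plain dataclasses carrying the same fields the real API exposes (CryptoKeyId.keyId and CryptoKeyId.providerId.id, VirtualMachineConfigInfo.keyId, VirtualDiskFlatVer2BackingInfo.keyId), the inventory and key identifiers are constructed sample data, and the pyVmomi mapping mentioned in the comments is an assumption about how a practitioner would wire it up.

```python
"""
Added example: an in-use check for encryption keys before calling removeKeys.
Illustrative code, not VMware's. With pyVmomi the same functions would be fed
from vm.config.keyId and disk.backing.keyId for each vim.VirtualMachine, and
the "removable" list would go to content.cryptoManager.RemoveKeys(keys, force=False).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class CryptoKeyId:
    key_id: str        # mirrors CryptoKeyId.keyId
    provider_id: str   # mirrors CryptoKeyId.providerId.id (the KMS cluster)


@dataclass
class VirtualDisk:
    label: str
    key_id: Optional[CryptoKeyId]   # None for an unencrypted disk
    boot: bool = False


@dataclass
class VirtualMachine:
    name: str
    key_id: Optional[CryptoKeyId]   # VM-level key for the VM home files
    disks: List[VirtualDisk] = field(default_factory=list)


def keys_in_use(vms: List[VirtualMachine]) -> Dict[CryptoKeyId, List[str]]:
    """Map each key referenced by a VM home or a disk to the objects using it."""
    users: Dict[CryptoKeyId, List[str]] = {}
    for vm in vms:
        if vm.key_id is not None:
            users.setdefault(vm.key_id, []).append(f"{vm.name} (VM home)")
        for disk in vm.disks:
            if disk.key_id is not None:
                users.setdefault(disk.key_id, []).append(f"{vm.name}:{disk.label}")
    return users


def plan_key_removal(
    vms: List[VirtualMachine], requested: List[CryptoKeyId], force: bool = False
) -> Tuple[List[CryptoKeyId], Dict[CryptoKeyId, List[str]]]:
    """
    Split a removal request into keys safe to pass to removeKeys and keys that
    are still referenced. With force=True nothing is held back, matching what
    the force option does on vCenter and the hosts; reserve that for a key
    that is compromised or expired.
    """
    if force:
        return list(requested), {}
    in_use = keys_in_use(vms)
    removable: List[CryptoKeyId] = []
    blocked: Dict[CryptoKeyId, List[str]] = {}
    for key in requested:
        if key in in_use:
            blocked[key] = in_use[key]
        else:
            removable.append(key)
    return removable, blocked


def power_on_blockers(
    vm: VirtualMachine, available: Set[CryptoKeyId]
) -> List[Tuple[str, bool]]:
    """
    Given the keys actually present (for example the result of listKeys), list
    what would stop this VM from powering on as (item, detachable) pairs. A
    missing key for a non-boot disk can be worked around by removing that
    disk; a missing VM home key or boot disk key cannot.
    """
    blockers: List[Tuple[str, bool]] = []
    if vm.key_id is not None and vm.key_id not in available:
        blockers.append(("VM home", False))
    for disk in vm.disks:
        if disk.key_id is not None and disk.key_id not in available:
            blockers.append((disk.label, not disk.boot))
    return blockers


# Constructed sample inventory (not real identifiers): one VM encrypted with a
# single key as the Web Client does, one with a different key per disk as the
# API allows, and one key that is present on vCenter but unused.
K1 = CryptoKeyId("key-1", "kms-cluster-a")
K2 = CryptoKeyId("key-2", "kms-cluster-a")
K3 = CryptoKeyId("key-3", "kms-cluster-a")
K4 = CryptoKeyId("key-4", "kms-cluster-a")

SAMPLE_VMS = [
    VirtualMachine("web-01", K1, [VirtualDisk("Hard disk 1", K1, boot=True)]),
    VirtualMachine("db-01", K2, [
        VirtualDisk("Hard disk 1", K2, boot=True),
        VirtualDisk("Hard disk 2", K3),
        VirtualDisk("Hard disk 3", None),
    ]),
]

if __name__ == "__main__":
    removable, blocked = plan_key_removal(SAMPLE_VMS, [K1, K3, K4])
    print("safe to remove:", [k.key_id for k in removable])
    for key, users in blocked.items():
        print(f"{key.key_id} still used by {users}")
    print("db-01 blockers without key-3:", power_on_blockers(SAMPLE_VMS[1], {K2}))
```

Run against the sample inventory, only key-4 is cleared for a non-force removeKeys; key-1 and key-3 are reported with the VM and disk that hold them. The second helper shows why per-disk keys deserve care: with key-3 absent, db-01's "Hard disk 2" is the only blocker and can be detached, but with key-2 absent both the VM home and the boot disk are blocked and detaching helps nothing.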
Rename During Registration
The registerVM_Task method can rename a virtual machine at registration time, but if you assign a new name to an encrypted virtual machine, the registration fails. The workaround is to split the operation into separate steps: register the virtual machine first and then rename it, or, to avoid a name collision, rename the already registered virtual machine first and then register the new one.
Unlocking Encrypted Virtual Machines
There are many reasons why an encrypted virtual machine could be, in effect, locked. For solutions, see section “Resolve Missing Key Issues” in the vSphere Security manual.