I think B is the correct anaswer: https://blogs.vmware.com/virtualblocks/2018/07/13/understanding-ve-booting-w-vc-unavailable/

I agree with B as per state below vCenter Server requests an AES-256 Key Encryption Key (KEK) from the KMS. vCenter Server stores only the ID of the KEK, but not the key itself. Each ESXi host uses the KEK to encrypt its DEKs, and stores the encrypted DEKs on disk. The host does not store the KEK on disk. If a host reboots, it requests the KEK with the corresponding ID from the KMS. The host can then decrypt its DEKs as needed.

Key is always with Key server, it will be retrieved during need by ESXi host and vcenter

B is correct!

B for sure

B is the correct answer. When encryption is enabled on a vSAN cluster: 1. vCenter Server requests an AES-256 KEK from the KMS. vCenter Server stores only the ID of the KEK. 2. vCenter Server sends the KEK ID to all hosts. 3. Hosts use the KEK ID to request the KEK from the KMS. 4. Hosts create a unique DEK for each drive. 5. The vSAN datastore is encrypted with each drive having its own DEK. 6. KMS generates a single Host Key HEK sent to all hosts in the cluster used for encrypting core dumps. Taken from vSAN 6.7 Deploy and Manage - Encryption Key Generation section

B is the right Answer

I believe B is correct from the link below "The KEK and Host Key are placed in memory in the key cache. These keys are not persistently stored on the vSAN hosts"