vCenter Server requires a Key Management Service (KMS) to enable VM Encryption, vTPM, or vSAN Encryption. Users can configure the embedded Native Key Provider (NKP) built into vCenter Server and/or use an external KMS with the Standard Key Provider (SKP) option.
If you have more than one KMS configured in vCenter Server, you can specify one of the KMS key providers as your default, which will automatically be used for any KMS-related activities. You can change which KMS key provider is the default, and you can also specify a particular KMS key provider when using the vSphere API to provision a VM that will leverage VM Encryption.
So how do you figure out which KMS key provider a VM is using?
For VM Encryption usage, you can expand the Encryption section for a specific VM in the vSphere UI to see the KMS key provider, as shown in the screenshot below:
For vTPM usage, the vSphere UI does NOT provide anything under the Encryption section that points to the specific KMS key provider that is used, as shown in the screenshot below:
Luckily, we can use the vSphere API to retrieve the specific KMS key provider for a VM that is using VM Encryption and/or vTPM by looking at the keyId property for the VM, which applies to both VM Encryption and vTPM-based VMs.
To demonstrate the vSphere API, I have created a very simple PowerCLI script called vm-to-kms-association.ps1, which lists all registered KMS key providers for the connected vCenter Server and then lists all applicable VMs and their associated KMS key provider as well as KeyID, as shown in the screenshot below.
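The sketch below is an added example of the same lookup, not the author's vm-to-kms-association.ps1. It assumes VMware PowerCLI with an active `Connect-VIServer` session; the function name `Get-VMKeyProviderAssociation` and the output column names are hypothetical.

```powershell
# Added example; requires VMware PowerCLI and an active Connect-VIServer session.
function Get-VMKeyProviderAssociation {   # hypothetical helper name
    # CryptoManager lists the key providers registered in this vCenter Server.
    $cryptoManager = Get-View $global:DefaultVIServer.ExtensionData.Content.CryptoManager

    # Index providers by ID so each VM's keyId.providerId can be resolved.
    $providers = @{}
    foreach ($cluster in $cryptoManager.KmipServers) {
        $providers[$cluster.ClusterId.Id] = $cluster
    }

    # Retrieve only the properties needed, which keeps large inventories fast.
    $vms = Get-View -ViewType VirtualMachine -Property Name, Config.KeyId, Config.Hardware.Device

    foreach ($vm in $vms) {
        $key = $vm.Config.KeyId
        if (-not $key) { continue }   # no keyId set on this VM, nothing to report

        # providerId is optional in the API, so guard before the hashtable lookup.
        $providerId = $key.ProviderId.Id
        $provider = if ($providerId) { $providers[$providerId] } else { $null }

        [pscustomobject]@{
            VM             = $vm.Name
            HasVTPM        = [bool]($vm.Config.Hardware.Device |
                                 Where-Object { $_ -is [VMware.Vim.VirtualTPM] })
            KeyProvider    = $providerId
            ManagementType = $provider.ManagementType   # as reported by vCenter
            IsDefault      = [bool]$provider.UseAsDefault
            # False means the VM references a provider this vCenter does not list.
            Registered     = $null -ne $provider
            KeyId          = $key.KeyId
        }
    }
}

Get-VMKeyProviderAssociation | Sort-Object KeyProvider, VM | Format-Table -AutoSize
```

Rows with `Registered` set to false are worth reviewing before removing or rotating a key provider, since those VMs depend on a provider the connected vCenter Server does not currently list.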
The vCenter VM summary page shows which KMS/NKP has been used for vTPM encryption, at least in 8U3d (configuration encrypted with XXXX).
Yup, this is mentioned in the blog post, and the vSphere API can be used to understand this at scale, especially for vTPM (which doesn't have anything in the UI).