When Ciphertrust Managers ( Key Secures ) loose access to their Corresponding HSM device , they go in an offline state per below

The Certificates for the devices go back to self signed as well ( web-firstboot.keysecure.local ) 

On Reboot you get the normal locked issue of the boot device

When running

ksctl diskenc secureboot -i "Z:\PEMFile" --url https://keysecure --configfile file.yaml 

it might display the below error

Make sure your Yaml file is correct