6.1 About Data Encryption Keys

When a Data Encryption policy is applied to a device, the Endpoint Security Agent uses encryption keys to encrypt and decrypt files. The following sections explain concepts that can help you better manage the encryption keys for your Management Zone.

6.1.1 Active Key

A Management Zone can have one or more encryption keys, but at any one time only one of them is the active key. The active key is used to encrypt new files. The non-active keys are retained so that files encrypted while those keys were active can still be decrypted.

For example, assume that Key1 is the active key. All Endpoint Security Agents use Key1 to encrypt files. You then generate a new key, Key2, which automatically becomes the active key. Key2 reaches a device at its next agent refresh; until then, the agent on that device continues to encrypt with Key1. After Key2 is distributed, the Endpoint Security Agent uses it to encrypt new files. When the agent opens a file that was encrypted with Key1, it decrypts the file with Key1 and then updates the file to the active key (Key2).

6.1.2 Multiple Zones

Encryption keys are specific to Management Zones. This means that a file encrypted in one zone cannot be opened on a device registered in another zone because the two zones do not automatically share keys.

If you have multiple zones and want to enable devices in all zones to open encrypted files regardless of the zone in which they were encrypted, you can manually share encryption keys by exporting them from one zone and importing them into another. For instructions, see Exporting Encryption Keys and Importing Encryption Keys.

6.1.3 Key Security

If your organization's policies include a requirement for regularly changing encryption keys, you can generate and activate a new key. After doing so, force an agent refresh to immediately distribute the new key to devices. For instructions, see Generating a New Encryption Key. Note that generating a new key does not by itself re-encrypt existing files: a file encrypted with the previous key is updated to the new key when the agent next opens it, which is why the previous key is retained in the zone as a non-active key (see Active Key).
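The three behaviours described in this chapter (one active key per zone with older keys retained, files updated to the active key when they are opened, and keys that cross zones only through an explicit export and import) are modelled in the following example. It is an added illustration, not ZENworks code: the ZoneKeyRing class, the open_file method, the file layout (key ID, nonce, ciphertext, HMAC tag) and the HMAC-SHA256 counter-mode cipher are all assumptions made for this example and say nothing about how the Endpoint Security Agent actually stores or encrypts files.

```python
"""Per-zone key ring with one active key, lazy re-encryption on open, and
key export/import between zones.  Added illustration, not ZENworks code:
the file layout and the HMAC-SHA256 counter-mode cipher are assumptions."""
import hashlib
import hmac
import os
import struct

KEY_ID_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def _keystream(secret: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC-SHA256(secret, nonce || i).
    out, i = bytearray(), 0
    while len(out) < length:
        out += hmac.new(secret, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        i += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class ZoneKeyRing:
    """One Management Zone's keys (key_id -> secret): many retained, one active."""

    def __init__(self, name: str):
        self.name, self.keys, self.active_id = name, {}, None
        self.generate_key()

    def generate_key(self) -> bytes:
        key_id = os.urandom(KEY_ID_LEN)       # public identifier, stored in each file header
        self.keys[key_id] = os.urandom(32)
        self.active_id = key_id               # a newly generated key automatically becomes active
        return key_id

    def export_keys(self) -> dict:
        return dict(self.keys)

    def import_keys(self, exported: dict) -> None:
        # Imported keys are retained for decryption only; this zone's active key is unchanged.
        for key_id, secret in exported.items():
            self.keys.setdefault(key_id, secret)

    def encrypt(self, plaintext: bytes) -> bytes:
        secret = self.keys[self.active_id]    # new files always use the active key
        nonce = os.urandom(NONCE_LEN)
        header = self.active_id + nonce
        body = _xor(plaintext, _keystream(secret, nonce, len(plaintext)))
        tag = hmac.new(secret, header + body, hashlib.sha256).digest()   # encrypt-then-MAC
        return header + body + tag

    def decrypt(self, blob: bytes) -> tuple:
        key_id = blob[:KEY_ID_LEN]
        secret = self.keys.get(key_id)
        if secret is None:                    # written under a key this zone never had
            raise KeyError("zone %s holds no key for this file" % self.name)
        expected = hmac.new(secret, blob[:-TAG_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(blob[-TAG_LEN:], expected):
            raise ValueError("file tampered or corrupted")
        nonce = blob[KEY_ID_LEN:KEY_ID_LEN + NONCE_LEN]
        body = blob[KEY_ID_LEN + NONCE_LEN:-TAG_LEN]
        return key_id, _xor(body, _keystream(secret, nonce, len(body)))

    def open_file(self, blob: bytes) -> tuple:
        # Open with whichever retained key wrote the file; if that key is no
        # longer active, hand back the file re-encrypted under the active key.
        key_id, plaintext = self.decrypt(blob)
        if key_id != self.active_id:
            blob = self.encrypt(plaintext)
        return plaintext, blob


def demo() -> dict:
    """Key rotation inside ZoneA, then sharing ZoneA's keys with ZoneB."""
    zone_a = ZoneKeyRing("ZoneA")
    key1 = zone_a.active_id
    original = b"constructed sample file contents"
    old_blob = zone_a.encrypt(original)               # written under Key1
    key2 = zone_a.generate_key()                      # rotation: Key2 is now active
    plaintext, new_blob = zone_a.open_file(old_blob)  # opened with Key1, rewritten under Key2

    zone_b = ZoneKeyRing("ZoneB")                     # separate zone, separate keys
    try:
        zone_b.decrypt(new_blob)
        refused = False
    except KeyError:
        refused = True
    zone_b.import_keys(zone_a.export_keys())          # manual export from A, import into B
    _, plaintext_b = zone_b.decrypt(new_blob)

    return {
        "new_key_became_active": key1 != key2 and zone_a.active_id == key2,
        "old_file_written_by_key1": old_blob[:KEY_ID_LEN] == key1,
        "reencrypted_under_key2": new_blob[:KEY_ID_LEN] == key2,
        "plaintext_preserved": plaintext == original,
        "zone_b_refused_before_import": refused,
        "zone_b_opened_after_import": plaintext_b == original,
        "zone_b_active_key_unchanged": zone_b.active_id not in zone_a.keys,
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() returns a dictionary in which every check is True. Two points in the model are worth noting for key management in practice: the file header carries only the key ID, so a device can tell which retained key it needs without trying each one, and a file written under Key1 is rewritten under Key2 only when it is opened, so Key1 cannot be discarded while any such file remains unopened. Importing ZoneA's keys into ZoneB lets ZoneB read ZoneA's files but leaves ZoneB's own active key, and therefore its new files, unchanged.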