Key management permits you to back up, import, and update an encryption key. We recommend the following key management practices:
Export and save your encryption keys. This ensures that data can be decrypted if there is a systems failure or an inadvertent policy change. Each Management Console has its own encryption key. If you have multiple Management Consoles, you need to export the encryption key from each console.
If you believe that an encryption key is compromised, update to a new key. Generating a new key results in a temporary performance decrease on endpoint devices while the Security Client re-encrypts data.
If you have used multiple Management Consoles to create Data Encryption policies, you should export the key from each Management Console and import it into the other consoles so that all Management Consoles have all keys. This allows the Management Console to include all keys in each Data Encryption policy. The result is that all Security Client users, regardless of their Data Encryption policy, can access encrypted policies created by other Security Client users in your environment.
The following sections contain additional information: