The Key Management settings page lets on-premises customers rotate the master key used to encrypt sensitive data in the AirWatch database. The factors of this encryption are split bwetween the database, where the master key resides, and the application servers, where a separate key encrypting key (KEK) resides. Configuring this feature is a multi-step process that requires access with administrator permissions to all AirWatch servers and system administrator privileges at the global-level organization group in the AirWatch Console.

Setting Description
Passphrase / Confirm Passphrase Enter and confirm a strong passphrase. You must remember this passphrase for future use.
Generate Select this button to generate the KEK and the master key. Selecting this option reveals the Installation File and Download button.
Download Select to download the install.config file. After you download this file, you have 48 hours to complete the next step, as after this time the master key will be active.
Abort

Select this button if something goes wrong, such as losing or forgetting the passphrase, and the rotation must be aborted. You can do so provided the abort happens before the 48 hours. After 48 hours, the rotation cannot be aborted. Be sure to keep the passphrase safe, as recovering data that has been encrypted with the new, rotated key after 48 hours is not possible.

Recover In some cases you may see a Recover button next to Abort, indicating that the configuration file may have expired. In this case, you do not need the passphrase to abort.

Next Steps

Using the install.config file from the AirWatch Console, install the KEK to all AirWatch servers using the Key Installation Utility. To do this, execute the following command on each AirWatch Server:

Utility.exe -f /path/to/install.config

If install.config is in the same directory as the utility, all command-line arguments can be omitted. After you run these commands, the installation completes.