The Key Management settings page lets on-premises customers rotate the master key used to encrypt sensitive data in the Workspace ONE UEM database.

The factors of this encryption are split between the database, where the master key resides, and the application servers, where a separate key encrypting key (KEK) resides. Configuring this feature is a multi-step process that requires access with administrator permissions to all Workspace ONE UEM servers and system administrator privileges at the global-level organization group in the Workspace ONE UEM console.

Setting Description
Passphrase / Confirm Passphrase Enter and confirm a strong passphrase. You must remember this passphrase for future use.
Generate Select this button to generate the KEK and the master key. Selecting this option reveals the Installation File and Download button.
Download Select to download the install.config file. After you download this file, you have 48 hours to complete the next step, as after this time the master key will be active.

Select this button if something goes wrong, such as losing or forgetting the passphrase, and the rotation must be aborted. You can do so provided the abort happens before the 48 hours. After 48 hours, the rotation cannot be aborted. Be sure to keep the passphrase safe, as recovering data that has been encrypted with the new, rotated key after 48 hours is not possible.

Recover In some cases you may see a Recover button next to Abort, indicating that the configuration file may have expired. In this case, you do not need the passphrase to abort.

Next Steps

Using the install.config file from the UEM console, install the KEK to all Workspace ONE UEM servers using the Key Installation Utility. To do this, execute the following command on each Workspace ONE UEM Server:

Utility.exe -f /path/to/install.config

If install.config is in the same directory as the utility, all command-line arguments can be omitted. After you run these commands, the installation completes.