In these scenarios, all existing recovery points are been encrypted, already using an encryption key (passphrase). Hence any sort of restorations (Mounting a recovery point, VM export and BMR/Volume rollbacks) needs an one-time unlocking of the encryption made earlier.
During an recovery, AppAssure will prompt you to unlock the encryption (or can be done manually using Core -> Configuration -> Security option) by selecting the settings (gear icon on the right) and click "Unlock" and a pop-up windows will prompt you to key in the passphrase and its validity duration.
This will help you to unlock the encryption and will allow you to proceed with the restoration without any issue. However this is one-time task and no need to key in the passphrase every now and then, also not possible make this feature of keying in the passphrase for the every restorations (at the moment).
Note: An encryption key, which is in "Locked" state, cannot be applied to any agent for the encryption or recovery points encrypted using the same are not possible to be restored, without "Unlocking" the same.