Encryption key creation
When an encryption key is created, it is assigned a unique key ID. The encryption key is encrypted using a passphrase and stored in the Core's registry. The passphrase is itself encrypted using the local system security key and also stored in the Core's registry.
Encryption key distribution
An encryption key is always unlocked on the source Core where it was generated, so that Core can perform automatic Recovery Point checks without prompting for the key to be unlocked. The encryption key is automatically replicated to the target Core if an agent's Recovery Points have been encrypted with it; however, the key is kept in the locked state on replication target Cores. This means that automated Recovery Point checks will always fail for encrypted agents on a target Core while the key remains locked there. If a manual transfer is needed, the encryption key can be exported to a file.
Encryption key usage scenarios
Applying an encryption key to an existing protected agent triggers creation of a new base image. Note that changing the passphrase of an existing encryption key does not generate a new base image: the encryption key is retrieved from the Core registry, re-encrypted using the new passphrase and written back. This operation does not change the key's unique ID, and the key ID is permanently tied to every Recovery Point that was created with that key.
Also note that it is not possible to generate exactly the same encryption key twice, even when the passphrase is known.
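The key lifecycle described in the sections above (creation with a unique ID, passphrase wrapping plus a system-key-wrapped passphrase cache on the source Core, passphrase change without a change of key ID, a key that arrives locked on a replication target, and key material that cannot be regenerated from the passphrase) can be modelled end to end in a short script. The following is an added illustrative example, not the product's own implementation: the real wrapping algorithm, registry layout and "local system security key" are not described on the page, so the HMAC-based stream wrapping, PBKDF2 parameters, record field names and the in-memory `SYSTEM_KEY` below are all assumptions chosen to make the behaviour observable.

```python
import hashlib
import hmac
import json
import os
import uuid

# Assumption: the Core's "local system security key" is modelled as a random
# per-Core secret held in memory; a real Core would use a machine-bound secret.
SYSTEM_KEY = os.urandom(32)
PBKDF2_ROUNDS = 100_000


def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    # PRF keystream: HMAC-SHA256(kek, nonce || counter), one block at a time.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap(kek: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under a fresh nonce (illustrative; real code would use AES-GCM)."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(kek, nonce, len(plaintext))))
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}


def unwrap(kek: bytes, blob: dict) -> bytes:
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong passphrase or tampered record")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


def _kek(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS, 32)


def create_key(passphrase: str) -> dict:
    """Create a key as the source Core would store it in its registry (assumed layout)."""
    key = os.urandom(32)          # random key material: never derived from the passphrase
    salt = os.urandom(16)
    return {
        "id": str(uuid.uuid4()),  # the key's unique ID, fixed for the key's lifetime
        "salt": salt.hex(),
        "wrapped_key": wrap(_kek(passphrase, salt), key),
        # Passphrase cached under the system key: this is what keeps the key
        # unlocked on the source Core without prompting.
        "wrapped_passphrase": wrap(SYSTEM_KEY, passphrase.encode()),
    }


def unlock(record: dict, passphrase=None) -> bytes:
    """Return the raw key. Without a passphrase, only a Core holding the cache can."""
    if passphrase is None:
        if "wrapped_passphrase" not in record:
            raise PermissionError("key is locked on this Core; passphrase required")
        passphrase = unwrap(SYSTEM_KEY, record["wrapped_passphrase"]).decode()
    return unwrap(_kek(passphrase, bytes.fromhex(record["salt"])), record["wrapped_key"])


def change_passphrase(record: dict, old: str, new: str) -> dict:
    """Re-wrap the same key material under a new passphrase; the key ID is unchanged."""
    key = unlock(record, old)
    salt = os.urandom(16)
    record["salt"] = salt.hex()
    record["wrapped_key"] = wrap(_kek(new, salt), key)
    record["wrapped_passphrase"] = wrap(SYSTEM_KEY, new.encode())
    return record


def export_key(record: dict) -> str:
    """Exported/replicated form: the passphrase cache is bound to this Core's
    system key and is never sent, so the key arrives locked on the other side."""
    portable = {k: v for k, v in record.items() if k != "wrapped_passphrase"}
    return json.dumps(portable)


def import_key(exported: str) -> dict:
    return json.loads(exported)


if __name__ == "__main__":
    rec = create_key("correct horse")
    print("key id:", rec["id"])
    print("unlocked on source without passphrase:", len(unlock(rec)) == 32)
    change_passphrase(rec, "correct horse", "battery staple")
    print("same id after passphrase change:", rec["id"])
    target = import_key(export_key(rec))
    try:
        unlock(target)
    except PermissionError as e:
        print("on target Core:", e)
    print("unlocked on target with passphrase:", len(unlock(target, "battery staple")) == 32)
```

Running the script shows the two properties that matter operationally: the key ID survives a passphrase change (so existing Recovery Points stay readable), and an imported or replicated record raises `PermissionError` until someone supplies the passphrase, which is exactly why automated checks fail on the target Core.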
Applying an encryption key to an agent or a group of agents effectively reduces the repository deduplication ratio, because deduplication only applies within an "encryption domain". An encryption domain is the set of agents that share the same encryption key, or that have no encryption applied. No deduplication is possible between agents that belong to different encryption domains.
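The effect of encryption domains on the deduplication ratio can be seen with a small simulation. This is an added example and not the product's repository code; it assumes a simple model in which the repository fingerprints each chunk's plaintext, stores the chunk encrypted under the domain's key, and keeps one dedup index per domain, so an identical chunk backed up by agents in two domains is stored twice. The agent names, chunk size and sample data are constructed for the example.

```python
import hashlib
from collections import defaultdict

CHUNK_SIZE = 4096


def chunks(data: bytes):
    return [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]


class Repository:
    """Content-addressed store with one dedup index per encryption domain (assumed model).

    A domain is identified by a key ID; None is the domain of unencrypted agents.
    A chunk is looked up by the fingerprint of its plaintext, but what is stored
    is the chunk encrypted under the domain's key, so a chunk already present in
    domain A cannot be reused by an agent in domain B.
    """

    def __init__(self):
        self.index = defaultdict(set)  # domain -> fingerprints already stored
        self.logical = 0               # bytes written by agents
        self.physical = 0              # bytes actually stored

    def ingest(self, data: bytes, domain):
        for c in chunks(data):
            fp = hashlib.sha256(c).hexdigest()
            self.logical += len(c)
            if fp not in self.index[domain]:
                self.index[domain].add(fp)
                self.physical += len(c)

    def dedup_ratio(self) -> float:
        return self.logical / self.physical if self.physical else 1.0


def synthetic_chunk(label: str) -> bytes:
    # Constructed test data: a distinct 4 KiB chunk per label.
    return hashlib.sha256(label.encode()).digest() * (CHUNK_SIZE // 32)


# Constructed sample: three agents share the same 100-chunk OS image and each
# has a few chunks of its own.
OS_IMAGE = b"".join(synthetic_chunk(f"os-{i}") for i in range(100))
AGENTS = {
    "web01": OS_IMAGE + b"".join(synthetic_chunk(f"web01-{i}") for i in range(10)),
    "web02": OS_IMAGE + b"".join(synthetic_chunk(f"web02-{i}") for i in range(5)),
    "db01": OS_IMAGE + b"".join(synthetic_chunk(f"db01-{i}") for i in range(20)),
}


def ratio_for(assignment: dict) -> float:
    """Dedup ratio when each agent is backed up under the given domain (key ID or None)."""
    repo = Repository()
    for agent, domain in assignment.items():
        repo.ingest(AGENTS[agent], domain)
    return repo.dedup_ratio()


if __name__ == "__main__":
    print("one key for all:     %.2f" % ratio_for({"web01": "key-A", "web02": "key-A", "db01": "key-A"}))
    print("db01 on its own key: %.2f" % ratio_for({"web01": "key-A", "web02": "key-A", "db01": "key-B"}))
    print("one key per agent:   %.2f" % ratio_for({"web01": "key-A", "web02": "key-B", "db01": "key-C"}))
```

With the constructed data the shared OS image is stored once when all three agents use one key (ratio about 2.48), twice when db01 gets its own key (about 1.43), and three times with one key per agent (1.00). Unencrypted agents behave the same way: they form their own domain and deduplicate only with each other.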
It is highly recommended to back up an encryption key to a file before deleting it, especially if encrypted Recovery Points have been archived: the archive operation keeps Recovery Points in their encrypted state, so they cannot be restored without the key.