The out-of-the-box Content Services installation has a pre-configured main keystore, which contains a secret key generated by Content Services. If you want to use encrypted properties, you should create your own keystore with your own password, and update the metadata file appropriately.
The default keystore configuration protects the keys with two levels of passwords: a keystore password and a password for each key. Currently, the keystore contains only a metadata secret key, which is used for encrypting and decrypting node properties of type d:encrypted.
You can also configure a backup keystore. This is useful in case the keys need to be changed. The user can back up the main keystore to the backup keystore location and create a new keystore in its place.
If both the main and backup keystores are configured, repository encryption works in fallback mode. In this mode, node properties are decrypted with the main keystore's metadata key first. If that fails, the backup keystore's metadata key is tried. This allows the keystores to be changed on disk and reloaded without affecting the running repository.
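The fallback order described above, as an added Java sketch (not Content Services code). It assumes in-memory JCEKS keystores, a hypothetical alias "metadata", a constructed key password, and AES-GCM, chosen here because its authentication tag makes decryption under the wrong key fail with an exception instead of returning garbage.

```java
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.*;

// Added illustration only. Alias, password and cipher choice are assumptions.
public class FallbackDecryptDemo {
    static final String ALIAS = "metadata";               // hypothetical key alias
    static final char[] KEY_PW = "key-pw".toCharArray();  // constructed per-key password

    // In-memory keystore holding one fresh AES key under ALIAS.
    static KeyStore newStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, null);
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        ks.setKeyEntry(ALIAS, kg.generateKey(), KEY_PW, null);
        return ks;
    }

    // Output layout: 12-byte random IV followed by ciphertext and GCM tag.
    static byte[] encrypt(KeyStore ks, byte[] plain) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, ks.getKey(ALIAS, KEY_PW), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Try each keystore in order (main first, then backup); fail only if none works.
    static byte[] decrypt(byte[] blob, KeyStore... stores) throws Exception {
        for (KeyStore ks : stores) {
            try {
                Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
                c.init(Cipher.DECRYPT_MODE, ks.getKey(ALIAS, KEY_PW),
                        new GCMParameterSpec(128, blob, 0, 12));
                return c.doFinal(blob, 12, blob.length - 12);
            } catch (AEADBadTagException wrongKey) {
                // Tag mismatch: value was encrypted under a different key, try the next store.
            }
        }
        throw new GeneralSecurityException("no configured keystore could decrypt the value");
    }

    public static void main(String[] args) throws Exception {
        KeyStore backup = newStore();   // the former main keystore, kept as backup
        byte[] stored = encrypt(backup, "old value".getBytes(StandardCharsets.UTF_8));
        KeyStore main = newStore();     // new main keystore created in its place
        System.out.println(new String(decrypt(stored, main, backup), StandardCharsets.UTF_8));
    }
}
```

Values written before the key change remain readable only while the backup keystore stays configured; removing it turns every such value into a decryption failure.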
Keystores are also used to protect the communication between the Repository and Solr using encryption and mutual authentication. In this case, the keystores store RSA keys and certificates. For more information on how to turn on HTTPS between the Repository and Solr, and how to re-generate the default certificate, see the Solr security section of the Search Services documentation.