The Key Encryption Key (KEK) used by OnBase is stored in two pieces. One piece is encrypted and stored in the OnBase database. The other piece is encrypted and stored in the OnBase Client and Configuration executables.
For OnBase Core Services modules, which include the Web Client and modules dependent on the OnBase Application Server, the second piece is also encrypted and stored in Hyland.Core.GrabIcon.dll, which is included with the OnBase Core files.
If OnBase Core Services modules are part of your OnBase solution, you must contact your solution provider to obtain the GrabIcon.NET.exe file used in this process before you can rotate the KEK.
You can rotate, or change, the second piece of the KEK as a security measure against threats such as separated employees or social engineering. The concept is similar to changing a password. When you rotate the KEK, OnBase changes the piece that is stored in the OnBase software, generates new Client and Configuration executables, and creates a new copy of Hyland.Core.GrabIcon.dll. These files contain the new KEK piece.