Before rotating the Key Encryption Key (KEK), it is considered a best practice to backup your database.
Rotating the KEK entails modifying certain files in your OnBase solution. These files must then be pushed out, or deployed, to user workstations. After rotating the KEK, users cannot connect to OnBase with previous versions of the OnBase Client and Configuration executables, or by using Core Services with previous versions of Hyland.Core.GrabIcon.dll. They can only connect to OnBase using versions of the OnBase Client and Configuration executables containing the new KEK, or by using Core Services with the new Hyland.Core.GrabIcon.dll.
To rotate the KEK in the OnBase Configuration module:
You only need to perform these steps on the workstation that will be used to deploy the KEK. After the KEK is rotated, the new files can be copied to other user workstations, as long as those workstations are using the same version of OnBase.
The OnBase Configuration module is closed automatically when you click OK after the rotation is completed. This is done to prevent the old executables being used to rotate the KEK again, which may corrupt encrypted documents. You must use the new executable to re-open the Configuration module. See, Deploying the Rotated Key Encryption Key.