Encryption keys determine the output of the cryptographic algorithm. They are protected by a passphrase, which encrypts the encryption key before it is stored in multiple locations on disk. The user generates the passphrase which requires both an administrator and a security officer to change it.
A key manager controls the generation, distribution, and life-cycle management of multiple encryption keys. A protection system can use either the embedded key manager or KMIP-complaint key manager such as SafeNet KeySecure or NextGen or Vormetric Data Security Manager. Only one key manager can be in effect at a time. When encryption is enabled on a protection system, the Embedded Key Manager is in effect by default. If the SafeNet KeySecure Key Manager is configured, it replaces the embedded key manager and remains in effect until it is disabled manually.