SKM (Server Key Mode) user keys on Encryption Management Server should be renewed automatically according to policy settings.

A user's SKM key may not be renewed as expected.

The Group log shows a warning and error similar to the following during periodic regrouping against Active Directory:

encountered error while regrouping consumer "First Last" (b38f1e40-1dd6-4284-8bd3-25cd92b7c53e): key requires passphrase to unlock

can't unlock key "First Last [email protected]" (KeyID: 0x386038D7)

Symantec Encryption Management Server 10.5 and above.

The error "key requires passphrase to unlock" indicates that the key has been corrupted; an SKM mode key should not require a passphrase.

Either restore the key from backup or revoke the key and, if the user has Encryption Desktop installed, re-enroll the user. A new key will be generated.