SKM (Server Key Mode) user keys on Encryption Management Server should be renewed automatically according to policy settings.
A user's SKM key may not be renewed as expected.
The Group log shows a warning and error similar to the following during periodic regrouping against Active Directory:
encountered error while regrouping consumer "First Last" (b38f1e40-1dd6-4284-8bd3-25cd92b7c53e): key requires passphrase to unlock
can't unlock key "First Last [email protected]" (KeyID: 0x386038D7)
This applies to Symantec Encryption Management Server 10.5 and above.
The error "key requires passphrase to unlock" indicates that the key has been corrupted; an SKM mode key should not require a passphrase.
Either restore the key from backup or revoke the key and, if the user has Encryption Desktop installed, re-enroll the user. A new key will be generated.
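To find every user affected before restoring or revoking keys, the two messages quoted above can be searched for in an exported copy of the Group log. The script below is an added example, not Symantec code. It assumes the log has been saved as plain text, and the sample lines, including their timestamp and severity prefixes, are constructed.

```python
import re

# Message texts exactly as quoted in the article. Whatever precedes them on a
# line (timestamp, severity) is ignored, since the page does not show it.
REGROUP_RE = re.compile(
    r'encountered error while regrouping consumer "(?P<name>[^"]*)" '
    r'\((?P<uuid>[0-9a-fA-F-]{36})\): key requires passphrase to unlock')
UNLOCK_RE = re.compile(
    r"""can't unlock key "(?P<user_id>[^"]*)" \(KeyID: (?P<key_id>0x[0-9A-Fa-f]+)\)""")

# Constructed sample lines: names, UUID, KeyID and line prefixes are invented.
SAMPLE_LOG = """\
2024/01/10 02:00:01 WARN encountered error while regrouping consumer "Alice Example" (11111111-2222-3333-4444-555555555555): key requires passphrase to unlock
2024/01/10 02:00:01 ERROR can't unlock key "Alice Example <alice@example.com>" (KeyID: 0xaaaa1111)
2024/01/10 02:00:02 INFO unrelated constructed line
2024/01/11 02:00:01 WARN encountered error while regrouping consumer "Alice Example" (11111111-2222-3333-4444-555555555555): key requires passphrase to unlock
2024/01/11 02:00:01 ERROR can't unlock key "Alice Example <alice@example.com>" (KeyID: 0xAAAA1111)
"""

def find_locked_skm_keys(lines):
    """Return one record per consumer whose SKM key could not be unlocked."""
    consumers = {}  # consumer UUID -> display name
    keys = {}       # normalised KeyID -> user ID string on the key
    for line in lines:
        if m := REGROUP_RE.search(line):
            consumers[m["uuid"].lower()] = m["name"]
        elif m := UNLOCK_RE.search(line):
            keys["0x" + m["key_id"][2:].upper()] = m["user_id"]
    report = []
    for uuid, name in consumers.items():
        # Assumption: the key's user ID starts with the consumer's display
        # name, as it does in the article's sample pair of messages.
        key_ids = sorted(k for k, uid in keys.items() if uid.startswith(name))
        report.append({"consumer": name, "uuid": uuid, "key_ids": key_ids})
    return report

if __name__ == "__main__":
    for rec in find_locked_skm_keys(SAMPLE_LOG.splitlines()):
        print(rec["consumer"], rec["uuid"],
              ", ".join(rec["key_ids"]) or "(no KeyID logged)")
```

Repeated regrouping runs log the same pair of messages again, so the output is de-duplicated by consumer UUID and KeyID.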