Backup Exec stores the keys in the Backup Exec database. However, Backup Exec does not store the pass phrases for the keys. The owner of each key is responsible for remembering the pass phrase for the key.
To protect your keys, Symantec recommends the following:
If you do not have a backup of the Backup Exec database and do not remember your pass phrases, you cannot restore data from the encrypted media. In addition, Symantec cannot restore encrypted data in this situation.
A key that is created on a media server is specific to that media server. You cannot move keys between media servers. However, you can create new keys on a different media server by using existing pass phrases. A pass phrase always generates the same key. In addition, if you delete a key accidentally, you can recreate it by using the pass phrase.
If you move a database from one media server to another media server, the encryption keys remain intact as long as the new media server meets the following criteria: