...
For TLS connections, the Snaplex also maintains SSL certificates. These are also in the /etc/snaplogic directory, the jcc-serverkeys.jks file is the keystore and jcc-serverkeys.pass is the password for the keystore. These should be unique for each node, and therefore should not be synced across the Groundplex nodes. The certificates are not used for account encryption, ; they are for TLS connections only.
...
All Accounts are sent to the Groundplex to be decrypted with the old key and encrypted with the new key.
Encrypted Account fields do not display values, as shown below. However, you can change the value by entering a new one and saving it.
If an Org admin changes the encryption sensitivity level from Low, Medium, High to High, existing accounts remain at the previous level unless you update them. Changing from High to Low, Medium, High causes account data to be encrypted. All new Accounts follow the updated sensitivity encryption level.
If you revert from Enhanced to standard Standard encryption, the encrypted data is not automatically decrypted. As long as the server key is still in the node, the encrypted values continue to work.
Accounts that were exported when the Org used the old key have the sensitive fields encrypted with the old key. When an Account is imported into the Org after the key is rotated, it is imported with the old key. To convert these imported accounts to the new key, go to Manager and redo the key rotation with the new key.
...