Demote active Personal Keys

To demote active Personal Keys manually, you need the rights Modify Keys and Manage Personal Keys. By default, the right Manage Personal Keys has been assigned to the predefined role Master Security Officer, but it can also be assigned to new user-defined roles. In addition, you need Full access rights for the object involved.
You can demote active Personal Keys manually, for example if a user leaves the company. Provided that you have the right Manage Personal Keys you can assign the demoted Personal Key of this user to other users to give them read-only access to files encrypted with this key. But they cannot use this key for encrypting files.
Note: This cannot be undone. A demoted Personal Key can never become an active Personal Key for any user again.
  1. In the SafeGuard Management Center, select Users and Computers.
  2. In the navigation area, select the required user.
  3. In the Key tab, right-click the required Active Personal Key and select Demote Personal Key from the context menu.
The key is demoted. It is still a Personal Key, but cannot be used as an active Personal Key anymore. If a File Encryption rule defines a Personal Key to be used for encryption and the user does not have an active Personal Key, the SafeGuard Enterprise Server automatically creates it.