The encrypted configuration zip archive has the wrapped symmetric key inside. The asymmetric key for unwrapping and decrypting must be defined in engineSignEncryptConfig.xml. The settings in engineSignEncryptConfig.xml and the key container file (for example, the .p12 file) defined in the descriptor of the XML file must be shared across instances.
When you import a configuration zip archive (for example, a configuration/translation/process/... zip archive), the need for decryption is detected automatically, regardless of the zipPacker.encryptZip property in system.properties. You can always import unencrypted configuration archives. You can import encrypted configuration archives only if the settings in engineSignEncryptConfig.xml are available and correct, and the property zipEncrypterDecrypter.version in system.properties matches the Nexus-Encryption-Descriptor-Version in descriptors.info of the archive.
You must also verify the settings against descriptors.info of the archive you want to import.
You cannot perform manual decryption outside of Smart ID Identity Manager.
To support successful decryption of any already exported encrypted archives, do not change the settings for the existing version number.
When you import an encrypted configuration file with an older version into the system, make sure to update the XML file accordingly.
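The version check described above can be run before an import. The following is an added example, not Identity Manager code. It assumes descriptors.info is a zip entry with "Key: value" lines, that an archive without that entry was exported unencrypted, and that system.properties uses key=value lines; the function names and sample values are constructed for illustration.

```python
import io
import re
import zipfile

VERSION_PROPERTY = "zipEncrypterDecrypter.version"         # key in system.properties
DESCRIPTOR_HEADER = "Nexus-Encryption-Descriptor-Version"  # key in descriptors.info

def parse_key_values(text):
    """Parse 'key=value' or 'Key: value' lines, skipping blanks and comments."""
    pairs = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$", line)
        if m:
            pairs[m.group(1)] = m.group(2)
    return pairs

def check_archive(archive_bytes, system_properties_text):
    """Return 'match', 'mismatch' or 'no-descriptor' for a configuration zip."""
    configured = parse_key_values(system_properties_text).get(VERSION_PROPERTY)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Assumption: the entry may sit at the root or in a subfolder.
        hits = [n for n in zf.namelist() if n.split("/")[-1] == "descriptors.info"]
        if not hits:
            return "no-descriptor"  # assumption: archive was exported unencrypted
        text = zf.read(hits[0]).decode("utf-8", "replace")
    archive_version = parse_key_values(text).get(DESCRIPTOR_HEADER)
    # A missing value on either side is reported as a mismatch.
    if archive_version is not None and archive_version == configured:
        return "match"
    return "mismatch"

def build_sample(version=None):
    """Constructed sample archive; real archives carry more entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/placeholder.bin", b"constructed payload")
        if version is not None:
            zf.writestr("descriptors.info", f"{DESCRIPTOR_HEADER}: {version}\n")
    return buf.getvalue()

# Constructed sample of system.properties content.
SAMPLE_PROPERTIES = (
    "# constructed sample\n"
    "zipPacker.encryptZip=true\n"
    "zipEncrypterDecrypter.version=2\n"
)

if __name__ == "__main__":
    for label, version in [("v2 archive", "2"), ("v1 archive", "1"), ("plain", None)]:
        print(label, check_archive(build_sample(version), SAMPLE_PROPERTIES))
```

A "mismatch" result means the import would need the zipEncrypterDecrypter.version value and the engineSignEncryptConfig.xml settings that were in place when the archive was exported.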