Any change to the key that the Server uses for encryption requires migrating existing encrypted files. To migrate an encrypted file, decrypt it with the old encryption key and encrypt it with the new one. Encryption and decryption can be done using the cryptoutils tool.
Files which are often encrypted or contain encrypted parts are: configurations, the User Registry and properties files (TDI properties files can contain encrypted properties, although the files are usually not encrypted as a whole).
By default, all sensitive properties (such as passwords) inside global.properties or solution.properties are encrypted. As a rule of thumb, always migrate the global.properties and solution.properties files when you change the Server encryption key.
The Server reads the password for the keystore that holds the encryption key and the password for the encryption key itself from the Server stash file. Thus if any of those passwords is changed, the stash file must be updated. This can be done using the createstash tool.
If the Server uses public-key encryption, the certificate associated with the encryption key pair can expire. If this happens, the certificate can be renewed using the procedure described in section "Extend the validity of a certificate using keytool". That procedure preserves the underlying keys, so no migration of existing encrypted files is necessary.