A Management Zone can have one or more encryption keys. At any one time, however, there is only one active key. The active key is used to encrypt new files. The non-active keys are retained in order to decrypt files that were encrypted when the non-active keys were the active keys.
For example, assume that Key1 is the active key. All Endpoint Security Agents use Key1 to encrypt files. You then generate a new key, Key2, which automatically becomes the active key. After Key2 is distributed to devices (during an agent refresh), the Endpoint Security Agent uses it to encrypt new files. The agent uses Key1 to open any files encrypted with that key, then updates the files to the active key (Key2).