Rapid Recovery 6
Encryption key status unlocked on Source core
On the local source core, the encryption key shows as unlocked. Attempting to set encryption to locked fails if any agents are using the key in Universal mode.
An encryption key is always unlocked on the Source Core, where it was generated.
This is so the Core can perform automatic Recovery Point checks without asking for key unlock.
Encryption key is automatically replicated to the target Core, if agent Recovery Point has been encrypted with it. However, key is kept in the locked state on replication target Cores. This means that automated Recovery Point checks will always fail for encrypted agents on target Cores.
The feature is by design per the Quest article below.
For more information on encryption keys and best practices, please see the below KB from Quest.