Key-encrypting keys protect a key that is sent to another system, received from another system, or stored with data in a file. A variation of transport keys is also used to rewrap a key from one key-encrypting key to another key-encrypting key.
Key-encrypting keys are always generated in pairs. Both keys have the same clear key-value but have a different encrypted key-value due to the control vector or the associated data.
Example of usage – “An exporter key-encrypting key protects keys that are sent from your system to another system. The exporter key at the originator has the same clear value as the importer key at the receiver.”