Contains the Server key, public Recovery key, and the private Recovery key . Because this folder holds the key to decrypting the entire Vault, CyberArk strongly recommends it be stored in a physical safe, disconnected from any digital network. How to Use PAKeyGen.exe
For non-production or lab environments where hardware protection is not available, the /d flag can be used to generate keys locally without an HSM. pakeygen.exe