To migrate encrypted content to a new key service, the current key service should be configured as the backup for the new service. ESKM can be added as a backup key manager for other key managers, and other key managers can also be added as backup key managers for ESKM.
To add ESKM as a backup key manager, create a key with the following username, in ESKM Google-WS-CSE-Instance:
apps-security-cse-kaclscommunication@system.gserviceaccount.com
This key will be used to encrypt data for all users. To add another key service as a backup to ESKM, include the Issuer value expected in privileged requests from the other key manager in the IDP Issuer section of the Advanced REST Settings.