Overview

During AD RMS installation, an AD RMS cluster key is generated; it is accessed whenever restricted document rights are added and verified. The cluster key can be centrally managed by AD RMS and stored in the AD RMS configuration database, protected with a strong password. It can also be protected within a software-based or hardware-based cryptographic service provider (CSP). As a security best practice, Microsoft recommends using a hardware-based CSP to protect the AD RMS cluster key.