You must design your application code to permit updates to the encrypted properties for a profile only if the global keyIndex value is identical to the keyIndex value that is stored with the profile. If the application code does not include this check, there is a possibility that data will be lost if a single encrypted property was updated in a profile that contained two encrypted properties. When this occurs, and the keyIndex value stored with the property is changed to the new global keyIndex value for the encrypted property that was not updated, the value is lost.
The keyIndex value that is stored in the profile is stored on a per-profile basis, not a per-property basis. Therefore, to insure that the keyIndex is not changed while the Profile Key Manager is running, you must ensure that the online application does not update encrypted properties that have a global keyIndex value that is different from the keyIndex value that is stored with the profile.
If you fail to deny updates in the application during the key migration process, data may become corrupted during updating when you have multiple encrypted properties for a profile.