the server also exports the encryption key with an export node command...
The TSM server does not encrypt or decrypt data, that's all handled by the client. When the client encrypts a file, the file is encrypted before it is sent (think of a password protected zip). So when restoring an encrypted file, in order to decrypt the file, the client needs the key, which if it's stored in the registry will use or will prompt if it is not.
When you use save the encryption key, it is saved in the registry during the backup. If you do a BMR, you would restore systemstate, which inlcudes the registry, which includes the saved encryption key.
You can delete the encryption key saved in the registry so that you are prompted instead. DO THIS AT YOUR OWN RISK, I CAN'T HELP YOU IF YOU DELETE THE WRONG THING.
Go to this key in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\IBM\ADSM\CurrentVersion\Nodes\{Nodename}\{TSMServer_name}
Delete the value "Encrypt"
the server also exports the encryption key with an export node command...
No it does not, but any data that is encrypted will remain encrypted during an export. And if a client tries to restore that data and has the encryption key already, it will be able to decrypt it.
And are you 100% sure the data is encrypted? Go in the GUI, click on Restore, find one of the files, right-click on it and select File Details. The encryption type will NOT be blank if encrypted: