To passphrase or not to passphrase? That one’s easy … don’t passphrase! It’s a great way to get your master keys loaded and your cryptographic infrastructure operational, but it’s not such a secure way to run your business.
Typically, once your crypto environment is established and you’re running production work, you will change your master keys periodically, as specified in your local security policy. That process will be handled by a key management team or simply within the security group. The initial loading of the master keys might be handled by the systems programmers or the key management team.