Hi Osama:
Maximo 7.6.x by default uses a hardcoded set of encryption keys and therefore, in theory, the upgrade should detect when the database has the "legacy" encryption keys and allow you to upgrade it in place without losing encrypted values and without the need to specify MXE_SECURITY_OLD_CRYPTO_KEY or MXE_SECURITY_OLD_CRYPTOX_KEY. See this for additional details: https://www.ibm.com/docs/en/masv-and-l/cd?topic=encryption-database-scenarios
However, if you already ran through the process in MAS at least once, a new set of encryption keys is automatically generated for you and the database is re-encrypted. IBM did not want to use default encryption keys any more with MAS, which makes sense from a security perspective.
You can consult the encryption history of the database, which should be located in the SYSCHANGETRACKER table. See https://www.ibm.com/docs/en/masv-and-l/cd?topic=encryption-viewing-database-history to confirm the above is what actually happened.
The recommendation is to grab and store the auto-generated keys, and if they are not available, then there may be a need to "reset" the encryption by running "resetcryptocryptox.sh" in the Maxinst Pod. Of course, that implies all encrypted values will be effectively lost (for example, EndPoints Passwords, System Properties for SMTP, etc.).
I would also suggest always specifying known values for MXE_SECURITY_CRYPTO_KEY and MXE_SECURITY_CRYPTOX_KEY and trying to avoid using auto-generated random values, as those can be lost more easily.
Hope the above helps,
Regards,