Local Storage seems to be disabled in your browser.
For the best experience on our site, be sure to turn on Local Storage in your browser.
Magento 2 Rotate Encryption Key
December 07, 2024
- 2 min read
162
The encryption key in Magento is used to encrypt sensitive data such as API credentials, and most important thing, the Admin WebAPI Token is issued by this key. We need to rotate it if the key is leaked. In this blog we discuss a GUI way and command line ways. We also prepared a tool for deployment automation.
2025-04-23 Update
Starting from Magento 2.4.8, catalog cache image path hash will be independent of encryption key.
For example:
https://www.example.com/media/catalog/product/cache/1bc29b36f623ba82aaf6724fd3b16718/a/w/awesome-product-image.jpgThe hash part 1bc29b36f623ba82aaf6724fd3b16718 is computed by multiple factors, encryption key is one of those factors.
The encryption key factor will be removed since 2.4.8.
GUI Way
2025-02-13 Update
A new message appears in Magento 2.4.4-p12~, 2.4.5-p11~, 2.4.6-p9~ and 2.4.7-p4~ security patch releases.
Please Note: The encryption key change feature will only be supported via CLI commands in future releases and this page will be removed.
The GUI Way will be removed in the future.
OK, anyway, let's talk about the GUI Way. As described in the image above, login to Admin Panel and go to System > Other Settings > Manage Encryption Key. Switch Auto-generate a Key to Yes and then click the Change Encryption Key button, extremely straight forward.
If you are interested in the key format or want to input one by yourself, read this blog post, and then you should be able to generate the key manually.
Command Line Way
There is an official command but only available on newer Magento versions.
php bin/magento encryption:key:change [-k|--key KEY]If you don't have this command, install our tool.
php bin/magento ww:encryption-key-manager:rotate [-k|--key KEY]And this command provides equivalent functionality.
However
There is bug(vulnerability) which renders the authentication process ineffective in the following Magento versions:
2.4.4 ~ 2.4.4-p9
2.4.5 ~ 2.4.5-p8
2.4.6 ~ 2.4.6-p6
2.4.7 ~ 2.4.7-p1
The solution is upgrading Magento to the newest version or use our patch.
New Feature -- Data Re-encryption
After completing encryption key rotation, run the below command to re-encrypt database.
php bin/magento encryption:data:re-encrypt <custom_reencryptor1>...Limitation
- Only available in Magento 2.4.4-p12~, 2.4.5-p11~, 2.4.6-p9~ and 2.4.7-p4~
- Third-party extensions require a development to support this feature
If you are facing the above limitations, we are capable of doing the Data Re-encryption.
You can reach out to us via Magento Technical Support Service.
Share on Facebook
Share on X
Share on Pinterest
Share on LinkedIn
Recent Posts
