Magento 2 Rotate Encryption Key

The encryption key in Magento is used to encrypt sensitive data such as API credentials and, most importantly, the Admin WebAPI Token is issued with this key. The key needs to be rotated if it is leaked. In this post we discuss a GUI way and command-line ways. We have also prepared a tool for deployment automation.
2025-04-23 Update
Starting from Magento 2.4.8, the catalog cache image path hash will be independent of the encryption key.
For example:
https://www.example.com/media/catalog/product/cache/1bc29b36f623ba82aaf6724fd3b16718/a/w/awesome-product-image.jpg
The hash part, 1bc29b36f623ba82aaf6724fd3b16718, is computed from multiple factors, and the encryption key is one of them.
The encryption key factor will be removed starting from 2.4.8.
GUI Way
2025-02-13 Update
A new message appears in Magento 2.4.4-p12~, 2.4.5-p11~, 2.4.6-p9~ and 2.4.7-p4~ security patch releases.
Please Note: The encryption key change feature will only be supported via CLI commands in future releases and this page will be removed.
The GUI Way will be removed in the future.
OK, anyway, let's talk about the GUI Way. As described in the image above, log in to the Admin Panel and go to System > Other Settings > Manage Encryption Key. Switch Auto-generate a Key to Yes and then click the Change Encryption Key button. Extremely straightforward.
If you are interested in the key format or want to enter a key yourself, read this blog post, and then you should be able to generate the key manually.
Command Line Way
There is an official command, but it is only available on newer Magento versions.
php bin/magento encryption:key:change [-k|--key KEY]
If you don't have this command, install our tool.
php bin/magento ww:encryption-key-manager:rotate [-k|--key KEY]
This command provides equivalent functionality.
However
There is a bug (vulnerability) that renders the authentication process ineffective in the following Magento versions:
2.4.4 ~ 2.4.4-p9
2.4.5 ~ 2.4.5-p8
2.4.6 ~ 2.4.6-p6
2.4.7 ~ 2.4.7-p1
The solution is to upgrade Magento to the newest version or to use our patch.
New Feature -- Data Re-encryption
After completing the encryption key rotation, run the command below to re-encrypt the database.
php bin/magento encryption:data:re-encrypt <custom_reencryptor1>...
Limitation
- Only available in Magento 2.4.4-p12~, 2.4.5-p11~, 2.4.6-p9~ and 2.4.7-p4~
- Third-party extensions require additional development to support this feature
If you are facing the above limitations, we can perform the Data Re-encryption for you.
You can reach out to us via Magento Technical Support Service.
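To check an installation against the two version lists above (the releases affected by the authentication bug, and the releases that have the re-encrypt command), here is an added example; it is not code from our tool or from Magento. The function names are made up for this example, and the version ranges are the ones listed in this post.

```sh
#!/bin/sh
# Added example: check a Magento version string against the ranges in this post.
# Release lines the post does not list are reported as "unlisted", not guessed.

# split_version VERSION -> prints "LINE PATCH", e.g. "2.4.6 3" for 2.4.6-p3
split_version() (
    v=$1
    line=${v%%-p*}
    if [ "$line" = "$v" ]; then patch=0; else patch=${v##*-p}; fi
    case $patch in ''|*[!0-9]*) exit 1 ;; esac   # reject a non-numeric patch level
    printf '%s %s\n' "$line" "$patch"
)

# Last patch level affected by the authentication bug, per release line.
auth_bug_last_patch() {
    case $1 in
        2.4.4) echo 9 ;; 2.4.5) echo 8 ;; 2.4.6) echo 6 ;; 2.4.7) echo 1 ;;
        *) return 1 ;;
    esac
}

# First patch level that has encryption:data:re-encrypt, per release line.
reencrypt_first_patch() {
    case $1 in
        2.4.4) echo 12 ;; 2.4.5) echo 11 ;; 2.4.6) echo 9 ;; 2.4.7) echo 4 ;;
        *) return 1 ;;
    esac
}

# check_version VERSION -> prints "auth_bug=<yes|no|unlisted> reencrypt=<yes|no|unlisted>"
check_version() (
    bug=unlisted; re=unlisted
    if parts=$(split_version "$1"); then
        line=${parts% *}; patch=${parts#* }
        if last=$(auth_bug_last_patch "$line"); then
            if [ "$patch" -le "$last" ]; then bug=yes; else bug=no; fi
        fi
        if first=$(reencrypt_first_patch "$line"); then
            if [ "$patch" -ge "$first" ]; then re=yes; else re=no; fi
        fi
    fi
    echo "auth_bug=$bug reencrypt=$re"
)

# Stand-alone use: sh check.sh 2.4.6-p3
if [ "$#" -gt 0 ]; then check_version "$1"; fi
```

Pass the installed version string, for example the one reported by php bin/magento --version. A result of auth_bug=yes means the upgrade or patch mentioned above is needed.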