Magento 2 Rotate Encryption Key

The encryption key in Magento is used to encrypt sensitive data such as API credentials and, most importantly, Admin Web API tokens are issued with this key. It must be rotated if it is leaked. In this post we discuss a GUI way and command line ways, and we also prepared a tool for deployment automation.

2025-04-23 Update

Starting from Magento 2.4.8, the catalog image cache path hash no longer depends on the encryption key.

For example:

https://www.example.com/media/catalog/product/cache/1bc29b36f623ba82aaf6724fd3b16718/a/w/awesome-product-image.jpg

The hash part 1bc29b36f623ba82aaf6724fd3b16718 is computed from several inputs, and before 2.4.8 the encryption key is one of them, so rotating the key changes these cache paths and the image cache has to be regenerated.
From 2.4.8 the encryption key is no longer one of those inputs, so cached image URLs survive a key rotation.

GUI Way

2025-02-13 Update

A new message appears in the Magento 2.4.4-p12~, 2.4.5-p11~, 2.4.6-p9~ and 2.4.7-p4~ security patch releases:

Please Note: The encryption key change feature will only be supported via CLI commands in future releases and this page will be removed.

So the GUI way will be removed in a future release; plan your automation around the CLI.

OK, anyway, let's go through the GUI way. As shown in the image above, log in to the Admin Panel and go to System > Other Settings > Manage Encryption Key. Set Auto-generate a Key to Yes and click the Change Encryption Key button; it is that straightforward.

If you are interested in the key format or want to supply a key yourself, read this blog post; after that you should be able to generate the key manually.

Command Line Way

There is an official command, but it is only available in newer Magento versions:

php bin/magento encryption:key:change [-k|--key KEY]

If your version does not have this command, install our tool and use:

php bin/magento ww:encryption-key-manager:rotate [-k|--key KEY]

This command provides equivalent functionality. In both cases --key is optional: omit it and a new key is generated for you, or pass a key you generated yourself.

However

There is a bug (a vulnerability) that renders the authentication process ineffective in the following Magento versions:

2.4.4 ~ 2.4.4-p9
2.4.5 ~ 2.4.5-p8
2.4.6 ~ 2.4.6-p6
2.4.7 ~ 2.4.7-p1

The fix is to upgrade Magento to the latest version or to apply our patch.

New Feature -- Data Re-encryption

After completing the encryption key rotation, run the command below to re-encrypt the data stored in the database. Until you do, values written before the rotation are still encrypted under the old key, so a leaked key still reads them.

php bin/magento encryption:data:re-encrypt <custom_reencryptor1>...
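To make the rotate-then-re-encrypt sequence concrete, here is a small Python model added for this post. It is not Magento's Encryptor class and not our tool. It keeps two things Magento really does: all keys live as one string under crypt/key in app/etc/env.php, one key per line, oldest first, and every stored ciphertext is prefixed with the index of the key that produced it and the cipher version (for example "0:3:..."). The cipher itself (an HMAC-SHA256 keystream with an HMAC tag) and the key-derivation step are stand-ins for the libsodium AEAD Magento uses, and the sample rows and keys are constructed. The point it shows: encryption:key:change only appends a key, so a leaked key keeps decrypting every old row until encryption:data:re-encrypt rewrites them.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Cipher version Magento writes in front of each encrypted value in current
# releases; fixed here because the stand-in cipher below never changes.
CIPHER_VERSION = 3


class KeyRing:
    """The crypt/key entry of app/etc/env.php: one key per line, oldest first."""

    def __init__(self, env_crypt_key: str):
        self.keys = [k for k in env_crypt_key.split("\n") if k]

    @property
    def latest_index(self) -> int:
        return len(self.keys) - 1

    def rotate(self, new_key=None) -> int:
        # Rotation appends; older keys stay so already stored data still decrypts.
        self.keys.append(new_key or secrets.token_hex(16))
        return self.latest_index

    def to_env(self) -> str:
        return "\n".join(self.keys)


def _derive(key: str) -> bytes:
    # Stand-in key derivation (assumption), not what Magento does with the key string.
    return hashlib.sha256(key.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _aead_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in AEAD: nonce || ciphertext || HMAC tag over nonce and ciphertext.
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _aead_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def encrypt(ring: KeyRing, plaintext: str) -> str:
    """Encrypt under the newest key; stored as "<key index>:<cipher version>:<base64>"."""
    idx = ring.latest_index
    blob = _aead_encrypt(_derive(ring.keys[idx]), plaintext.encode())
    return f"{idx}:{CIPHER_VERSION}:{base64.b64encode(blob).decode()}"


def decrypt(ring: KeyRing, stored: str) -> str:
    """Decrypt with whichever key the prefix names, so old rows keep working after rotation."""
    idx, version, data = stored.split(":", 2)
    if int(version) != CIPHER_VERSION:
        raise ValueError(f"unsupported cipher version {version}")
    return _aead_decrypt(_derive(ring.keys[int(idx)]), base64.b64decode(data)).decode()


def key_index(stored: str) -> int:
    return int(stored.split(":", 1)[0])


def reencrypt_rows(ring: KeyRing, rows: dict) -> int:
    """What a re-encryptor does for one column: rewrite every value that is not
    under the newest key. Returns the number of rows rewritten."""
    rewritten = 0
    for name, stored in list(rows.items()):
        if key_index(stored) != ring.latest_index:
            rows[name] = encrypt(ring, decrypt(ring, stored))
            rewritten += 1
    return rewritten


def exposed_by_leaked_key(leaked_key: str, rows: dict) -> list:
    """Rows an attacker holding only this key (and no env.php) can still read."""
    key, readable = _derive(leaked_key), []
    for name, stored in rows.items():
        try:
            _aead_decrypt(key, base64.b64decode(stored.split(":", 2)[2]))
            readable.append(name)
        except ValueError:
            pass
    return readable


if __name__ == "__main__":
    ring = KeyRing("0123456789abcdef0123456789abcdef")  # constructed "leaked" key
    rows = {"api_secret": encrypt(ring, "s3cr3t"), "oauth_token": encrypt(ring, "t0ken")}
    leaked = ring.keys[0]
    ring.rotate()  # the effect of encryption:key:change on env.php
    print("readable with leaked key after rotation:", exposed_by_leaked_key(leaked, rows))
    print("rows rewritten:", reencrypt_rows(ring, rows))  # encryption:data:re-encrypt
    print("readable with leaked key after re-encrypt:", exposed_by_leaked_key(leaked, rows))
```

The model also shows why the re-encryptor has to know every encrypted column: reencrypt_rows only touches the rows it is handed, which is the same reason a third-party extension storing its own secrets needs its own re-encryptor before the command can help it.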

Limitation

  • Only available in Magento 2.4.4-p12~, 2.4.5-p11~, 2.4.6-p9~ and 2.4.7-p4~
  • Third-party extensions need development work to support this feature; the command only re-encrypts data it has a re-encryptor for

If you are facing the above limitations, we can perform the data re-encryption for you.
You can reach out to us via our Magento Technical Support Service.