Magento 2 Rotate Encryption Key

The encryption key in Magento is used to encrypt sensitive data such as API credentials and, most importantly, the Admin WebAPI Token is issued using this key. It must be rotated if the key is leaked. In this post we cover a GUI way and command line ways, and we have also prepared a tool for deployment automation.

GUI Way

As shown in the image above, log in to the Admin Panel and go to System > Other Settings > Manage Encryption Key. Set Auto-generate a Key to Yes and click the Change Encryption Key button; it is extremely straightforward.

If you are interested in the key format or want to supply one yourself, read this blog post; after that you should be able to generate the key manually.

Command Line Way

There is an official command, but it is only available in newer Magento versions.

php bin/magento encryption:key:change [-k|--key KEY]

If you don't have this command, install our tool:

php bin/magento ww:encryption-key-manager:rotate [-k|--key KEY]

This command provides equivalent functionality.

However

There is a bug (vulnerability) that renders the authentication process ineffective in the following Magento versions:

2.4.4 ~ 2.4.4-p9
2.4.5 ~ 2.4.5-p8
2.4.6 ~ 2.4.6-p6
2.4.7 ~ 2.4.7-p1

The solution is to upgrade Magento to the newest version or to apply our patch.
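The following deployment script is an added example and is not part of the original post nor the tool it ships. It ties the two command line ways together with the caveat above: it picks the official encryption:key:change command when the installed Magento has it and falls back to ww:encryption-key-manager:rotate otherwise, then checks that an admin Web API token issued before the rotation is rejected afterwards, which is exactly what fails on the affected versions. Everything it assumes is labelled in the script: the shop URL, the admin credentials, the Magento root, and the two standard REST endpoints (/rest/V1/integration/admin/token to obtain a token and the admin-only /rest/V1/store/storeViews as a probe).

```shell
#!/bin/sh
# Added example, not code from the original post or its tool.
# Rotates the Magento encryption key and verifies that an admin Web API
# token issued BEFORE the rotation is rejected AFTER it.
# Assumptions (not taken from the post): the shop answers at $MAGENTO_URL,
# $ADMIN_USER/$ADMIN_PASS is a valid admin, bin/magento lives in $MAGENTO_ROOT.
set -eu

MAGENTO_ROOT="${MAGENTO_ROOT:-/var/www/magento}"          # assumed path
MAGENTO_URL="${MAGENTO_URL:-https://shop.example.test}"    # assumed URL
ADMIN_USER="${ADMIN_USER:-admin}"                          # assumed user
ADMIN_PASS="${ADMIN_PASS:-changeme}"                       # assumed password

# Pick the rotation command from the output of `bin/magento list --raw`
# (one "name   description" line per command): the official command where
# it exists, otherwise the tool from the post. Fails if neither is installed.
select_rotate_command() {
    command_list="$1"
    if printf '%s\n' "$command_list" | grep -q '^encryption:key:change'; then
        echo "encryption:key:change"
    elif printf '%s\n' "$command_list" | grep -q '^ww:encryption-key-manager:rotate'; then
        echo "ww:encryption-key-manager:rotate"
    else
        return 1
    fi
}

# Decide whether the rotation really invalidated the old token.
# $1: HTTP status the OLD token received after rotation
# $2: HTTP status a FRESH token received after rotation (proves the API works)
# Returns 0 when the rotation is effective, 1 otherwise.
rotation_effective() {
    old_status="$1"
    new_status="$2"
    [ "$old_status" = "401" ] && [ "$new_status" = "200" ]
}

# Request an admin token from the REST API and print it without quotes.
get_admin_token() {
    curl -sS -X POST "$MAGENTO_URL/rest/V1/integration/admin/token" \
        -H 'Content-Type: application/json' \
        -d "{\"username\":\"$ADMIN_USER\",\"password\":\"$ADMIN_PASS\"}" \
        | tr -d '"'
}

# Call an admin-only endpoint with a bearer token; print only the HTTP status.
probe_with_token() {
    curl -sS -o /dev/null -w '%{http_code}' \
        -H "Authorization: Bearer $1" \
        "$MAGENTO_URL/rest/V1/store/storeViews"
}

main() {
    cd "$MAGENTO_ROOT"
    rotate_cmd=$(select_rotate_command "$(php bin/magento list --raw)")
    old_token=$(get_admin_token)
    php bin/magento "$rotate_cmd"          # no -k: let Magento generate the key
    php bin/magento cache:flush
    old_status=$(probe_with_token "$old_token")
    new_status=$(probe_with_token "$(get_admin_token)")
    if rotation_effective "$old_status" "$new_status"; then
        echo "OK: old token rejected ($old_status), fresh token accepted ($new_status)"
    else
        echo "WARNING: old token still gets $old_status after rotation; check the affected version list" >&2
        exit 2
    fi
}

# Only run against a live shop when explicitly asked to.
if [ "${RUN_KEY_ROTATION_CHECK:-0}" = "1" ]; then
    main
fi
```

Run it as RUN_KEY_ROTATION_CHECK=1 MAGENTO_URL=... ADMIN_USER=... ADMIN_PASS=... ./rotate-and-verify.sh from the deployment pipeline; a non-zero exit means either no rotation command was found or the pre-rotation token was still accepted, which on the versions listed above is the signal to apply the upgrade or patch before relying on the rotation.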