Manage encryption keys

Encryption keys are used to encrypt data entries (connections, user vault, documentation, and attachments). They are generated and stored only in the encryption.config file on the server. To encrypt the data stored in the database, we use our open-source cryptography library.

We recommend taking a backup of the SQL database before any operation that could modify the information it contains (Import or Regenerate). During this operation, all users must be in offline mode or disconnected from the Devolutions Server data source to avoid data loss.

The encryption.config file cannot be moved to another system, as it is encrypted with the data protection application programming interface (DPAPI), which prevents the file from being read outside of the system where it was encrypted. To move the keys, you must export them and then import the exported file on the other system.
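To illustrate the machine binding described above, here is an added PowerShell example (not Devolutions code) that protects a constructed sample value with the .NET DPAPI wrapper in LocalMachine scope and reads it back; it assumes Windows PowerShell on the server and that the demo file path is writable.

```powershell
# Added illustration, not part of Devolutions Server. Shows that a DPAPI blob
# protected in LocalMachine scope is readable only on the machine that created it.
Add-Type -AssemblyName System.Security

function Test-DpapiRoundTrip {
    param([string]$Path)

    # Constructed sample standing in for the key material in encryption.config;
    # not a real key.
    $sample = 'example-key-material-not-a-real-key'
    $plain  = [System.Text.Encoding]::UTF8.GetBytes($sample)
    $scope  = [System.Security.Cryptography.DataProtectionScope]::LocalMachine

    # Protect with the machine master key (no optional entropy). The resulting blob
    # can be unprotected only by processes on this same machine.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
    [System.IO.File]::WriteAllBytes($Path, $blob)

    # Same machine: the round trip succeeds. Copying $Path to another server and
    # calling Unprotect there throws a CryptographicException, because that
    # server's DPAPI store does not hold the master key used here.
    $stored    = [System.IO.File]::ReadAllBytes($Path)
    $recovered = [System.Security.Cryptography.ProtectedData]::Unprotect($stored, $null, $scope)

    return ([System.Text.Encoding]::UTF8.GetString($recovered) -eq $sample)
}

# Demo path (assumption): a scratch file under the user's temp folder.
Test-DpapiRoundTrip -Path (Join-Path $env:TEMP 'encryption.config.demo')
```

The password-protected export produced by the console is the portable form of the keys; the raw encryption.config file never is.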

Encryption keys must be identical on every Devolutions Server instance in your High Availability/Load Balancing topology that uses the same SQL database, and they must match when performing a migration operation.

Export the encryption keys

  1. Open the Devolutions Server Console.

  2. In the Tools tab, click on Export.

    Tools – Export

  3. Enter a destination Filename and path, then set a password to protect the file.

    We strongly recommend storing the encryption keys file in a secure storage outside of Devolutions Server such as Devolutions Hub Business, Azure Key Vault, or AWS Key Management Service.

    File name and password

  4. Click OK.

Your encryption keys have been exported to the specified destination.

Import the encryption keys

  1. Open the Devolutions Server Console on the server.

  2. In the Tools tab, click on Import.

    Tools – Import

  3. Select the encryption keys file, then enter the password.

    File name and password

  4. Click OK.

Once the operation is completed, the new encryption keys have been applied to the data in the database.

Regenerate the encryption keys

The Regenerate operation will alter and re-encrypt the inner data of the Devolutions Server SQL database. This operation must be treated with the utmost care.

There may be scenarios where you need to regenerate the encryption keys, such as if you suspect that your database has been breached. The following instructions explain how to complete this operation.

  1. Make a full database backup and ensure this backup is fully operational.

  2. Make a backup of the Devolutions Server web application folder.

  3. Export the existing encryption keys. See export steps above.

  4. In the Server tab, switch the Devolutions Server instance to offline mode using the Go Offline button.

    Server – Go Offline

  5. In the Tools tab, click on Regenerate.

    Tools – Regenerate

  6. Enter a destination Filename and path, then set a password to protect the file.

    We strongly recommend storing the encryption keys file in a secure storage outside of Devolutions Server such as Devolutions Hub Business, Azure Key Vault, or AWS Key Management Service.

    Backup file name and password

  7. Click OK.

  8. A last warning appears before launching the regeneration process. Click OK again to proceed.

    Confirm encryption keys regeneration

    The process begins. When done, the status will update to say that the operation is completed.

  9. If errors occur during the regeneration process, please follow these instructions to recover the previous state of the Devolutions Server instance.

    Recovering instructions