The encryption key is used to encrypt data entries (connections, private vaults, documentation and attachments). The encryption keys are generated and stored in the encryption.config file on the server only. To encrypt the data stored in the database, we use our open-source cryptography library, which can be found at https://github.com/Devolutions/devolutions-crypto.
We recommend backing up the SQL database before any operation that modifies its contents (Import or Regenerate). During such an operation, all users must be in offline mode or disconnected from the Devolutions Server data source to avoid data loss.
The encryption keys must be the same on every Devolutions Server instance of a High Availability/Load Balancing topology that shares the same SQL database, and likewise on both sides of a migration operation.
Export the Encryption Keys
- Open the Devolutions Server Console.
- Go to the Tools tab and click on the Export button.
- Select a destination file name and path. Then set a password to protect the file and click on the OK button.
We strongly recommend storing the Encryption keys file in a secure storage outside of Devolutions Server like Hub Business, Azure Key Vault or AWS Key Management Service.
Import the Encryption Keys
- Open the Devolutions Server Console on the server. Then go to the Tools tab and click on the Import button.
- Select the encryption keys file, set the password and click on the OK button.
- Once the operation has completed, the new encryption keys have been applied to the data in the database.
Regenerate the Encryption Keys
The Regenerate operation alters and re-encrypts the inner data of the Devolutions Server SQL database. This operation must be treated with the utmost care.
There may be scenarios where you need to regenerate the encryption keys, such as if you suspect that your database has been breached. The following instructions explain how to complete this operation.
- Make a full database backup and ensure this backup is fully operational.
- Make a backup of the Devolutions Server web application folder.
- Export the existing Encryption Keys. See the Export steps above.
- Switch the Devolutions Server instance to offline mode using the Go Offline button.
- Go to the Tools menu and click on the Regenerate button.
- Select a destination file name and path. Then set a password to protect the file and click on the OK button.
We strongly recommend storing the Encryption keys file in a secure storage outside of Devolutions Server like Hub Business, Azure Key Vault or AWS Key Management Service.
- A last warning will be displayed before launching the Regenerate process. Click on OK to start it.
- Once completed, the Regenerate Encryption Keys process status report should be displayed.
- If any error occurs during the Regenerate process, please follow the recovering instructions shown in the console to restore the Devolutions Server instance to its previous state.
(Image: Recovering instructions)
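The three operations on this page (password-protected export, import, and regenerate with re-encryption of the stored data) follow a common pattern that is easier to reason about in code. The Go program below is an added illustration written for this page; it is not Devolutions' code and does not reproduce the encryption.config or export file format of Devolutions Server or of the devolutions-crypto library. It assumes its own toy layout (a 16-byte salt followed by an AES-256-GCM wrapping of the 32-byte data key, the wrap key derived from the operator's password with PBKDF2-HMAC-SHA256), and all function names, the iteration count and the sample entries are assumptions. It uses only the Go standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// deriveWrapKey is PBKDF2-HMAC-SHA256 (RFC 8018) for a 32-byte output (block 1 only), inlined to stay stdlib-only.
func deriveWrapKey(password, salt []byte) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // U1 = PRF(P, S || INT(1))
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < 100000; i++ { // iteration count is an assumed value; tune it to your hardware
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// gcm builds AES-256-GCM for a 32-byte key; any other key length is a programming error.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal encrypts under a fresh random nonce and returns nonce||ciphertext||tag.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; a wrong key or any tampering fails GCM authentication.
func open(key, data []byte) ([]byte, error) {
	aead := gcm(key)
	if len(data) < aead.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, data[:aead.NonceSize()], data[aead.NonceSize():], nil)
}

// ExportKey wraps the data key as salt || AES-GCM(wrapKey, dataKey); wrapKey comes from the operator's password.
func ExportKey(dataKey []byte, password string) []byte {
	salt := make([]byte, 16)
	rand.Read(salt)
	return append(salt, seal(deriveWrapKey([]byte(password), salt), dataKey)...)
}

// ImportKey unwraps an export file; a wrong password fails GCM authentication rather than yielding garbage.
func ImportKey(file []byte, password string) ([]byte, error) {
	if len(file) < 16 {
		return nil, fmt.Errorf("export file too short")
	}
	key, err := open(deriveWrapKey([]byte(password), file[:16]), file[16:])
	if err != nil {
		return nil, fmt.Errorf("wrong password or corrupted export file")
	}
	return key, nil
}

// KeyFingerprint lets operators confirm that instances sharing one database hold the same key without showing it.
func KeyFingerprint(key []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(key))[:16] // first 8 bytes of SHA-256, hex
}

// Regenerate re-encrypts every entry from oldKey to newKey, all-or-nothing: the
// caller's entries stay untouched unless every one of them decrypts cleanly.
func Regenerate(oldKey, newKey []byte, entries [][]byte) ([][]byte, error) {
	out := make([][]byte, len(entries))
	for i, ct := range entries {
		pt, err := open(oldKey, ct)
		if err != nil {
			return nil, fmt.Errorf("entry %d: %w; database left unchanged", i, err)
		}
		out[i] = seal(newKey, pt)
	}
	return out, nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // a fresh data key, standing in for what the product generates
	back, err := ImportKey(ExportKey(key, "export-password"), "export-password")
	fmt.Println(KeyFingerprint(key) == KeyFingerprint(back), err)
}
```

Two design points carry over to the real product regardless of format: because the export file is authenticated, a wrong password fails outright instead of silently importing a garbage key, and because Regenerate produces a complete new set of ciphertexts before anything is replaced, a single undecryptable entry aborts the whole operation, which is exactly the situation the verified database backup exists for. KeyFingerprint is the check to run on every node of an HA/Load Balancing topology before pointing them at the same database.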