
# Manage encryption keys

Encryption keys are used to encrypt data entries (connections, user vault, documentation, and attachments). They are generated and stored in the `encryption.config` file on the server only. To encrypt the data stored in the database, we use our [open-source cryptography library](https://github.com/Devolutions/devolutions-crypto).

{% hint style="success" %}
We recommend backing up the SQL database before any operation that could modify the information it contains (***Import*** or ***Regenerate***). During this operation, all users must be in offline mode or disconnected from the Devolutions Server workspace to avoid data loss.
{% endhint %}

The `encryption.config` file cannot be moved directly to another system. It is encrypted using the data protection API (DPAPI), which binds the file to the system where it was originally encrypted. As a result, the file cannot be read or used on a different machine.

To use the encryption configuration on another system, you must export the encryption keys from the original system and then import them on the target system.

The same encryption keys must be used by all Devolutions Server instances in a high availability or load balancing topology that share the same SQL database. The same requirement also applies when performing a migration.

### Export the encryption keys

1. Open the Devolutions Server Console.
2. In the ***Tools*** tab, click on ***Export***.

   ![](https://cdnweb.devolutions.net/docs/DVLSCONSOLE2015_2026_1.png)
3. Enter a destination ***Filename*** and path, then set a password to protect the file.

{% hint style="warning" %}
We strongly recommend storing the encryption keys file in secure storage outside of Devolutions Server, such as Devolutions Cloud, Azure Key Vault, or AWS Key Management Service.
{% endhint %}

![](https://cdnweb.devolutions.net/docs/DVLSCONSOLE2016_2026_1.png)

4. Click ***Ok***.

Your encryption keys have been exported to the specified destination.

### Import the encryption keys

1. Open the Devolutions Server Console on the server.
2. In the ***Tools*** tab, click on ***Import***.

   ![](https://cdnweb.devolutions.net/docs/DVLSCONSOLE2017_2026_1.png)
3. Select the encryption keys file, then enter the password.

   ![](https://cdnweb.devolutions.net/docs/DVLSCONSOLE2018_2026_1.png)
4. Click ***Ok***.

Once the operation is complete, the new encryption keys are applied to the data in the database.

### Regenerate the encryption keys

{% hint style="warning" %}
Regenerating encryption keys modifies and re-encrypts the data stored in the Devolutions Server SQL database. This operation must be performed with the utmost care.
{% endhint %}

There may be situations where you need to regenerate the encryption keys, for example if you suspect that your database has been compromised. The following steps explain how to perform this operation.

1. Create a full backup of the database and ensure that the backup is valid and usable.
2. Back up the Devolutions Server web application folder.
3. Export the existing encryption keys. See the export procedure on this page.
4. In the ***Server*** tab, switch the Devolutions Server instance to offline mode by clicking ***Go offline***.

   ![](https://cdnweb.devolutions.net/docs/DVLSCONSOLE2019_2026_1.png)
5. Go to the ***Tools*** tab and click on ***Regenerate***.

   ![](https://cdnweb.devolutions.net/docs/DVLSCONSOLE2020_2026_1.png)
6. Enter a destination ***Filename*** and path, then set a password to protect the file.

{% hint style="success" %}
We strongly recommend storing the encryption keys file in secure storage outside of Devolutions Server, such as Devolutions Cloud, Azure Key Vault, or AWS Key Management Service.
{% endhint %}

![](https://cdnweb.devolutions.net/docs/DVLSCONSOLE2021_2026_1.png)

7. Click ***Ok***.
8. A final warning appears before the regeneration process begins. Click ***OK*** again to proceed.

   ![](https://cdnweb.devolutions.net/docs/DVLSCONSOLE2022_2026_1.png)

The regeneration process will start. Once completed, the status will indicate that the operation has finished.

#### If the regeneration process fails

If errors occur during the regeneration process, follow these instructions to restore the Devolutions Server instance to its previous state:

1. Restore your database to the backup taken just prior to the key regeneration.
2. Navigate to the `App_Data` folder at the root of your Devolutions Server instance.
3. Rename the `encryption.config` file to `encryption.config.bak` (Devolutions Server will now ignore this file).
4. Rename the most recent `encryption.<date and time>.config` file to `encryption.config`.
5. Restart the application pool if needed.
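
The file steps of this rollback (steps 2 to 5) can be scripted so that the wrong file is never promoted and a half-finished rename is undone. The following PowerShell is an added example, not Devolutions' own tooling; `$AppDataPath` and `$AppPoolName` are placeholders you supply, and "most recent" is assumed to mean newest by last-write time.

```powershell
# Added example: roll back encryption.config after a failed key regeneration.
# Run in an elevated session AFTER the database has been restored (step 1).
param(
    [Parameter(Mandatory)] [string] $AppDataPath,  # placeholder: <instance root>\App_Data
    [string] $AppPoolName                          # placeholder: IIS pool of the instance (optional)
)
$ErrorActionPreference = 'Stop'

$current = Join-Path $AppDataPath 'encryption.config'
$parked  = Join-Path $AppDataPath 'encryption.config.bak'

# Candidates are the timestamped copies, encryption.<date and time>.config.
# The timestamp format is not assumed; the newest file by write time is used.
$candidates = @(Get-ChildItem -LiteralPath $AppDataPath -File |
    Where-Object { $_.Name -like 'encryption.*.config' } |
    Sort-Object LastWriteTimeUtc -Descending)

if ($candidates.Count -eq 0) { throw "No encryption.<date and time>.config file found in $AppDataPath" }
if (-not (Test-Path -LiteralPath $current)) { throw "Missing $current; nothing to roll back" }
if (Test-Path -LiteralPath $parked) { throw "$parked already exists; move it aside before continuing" }

$restore = $candidates[0]
Write-Host "Restoring $($restore.Name) (last written $($restore.LastWriteTimeUtc.ToString('u')))"

# Step 3: park the regenerated file. Step 4: promote the previous one.
Rename-Item -LiteralPath $current -NewName 'encryption.config.bak'
try {
    Rename-Item -LiteralPath $restore.FullName -NewName 'encryption.config'
} catch {
    # Put the original back so the instance is not left without a key file.
    Rename-Item -LiteralPath $parked -NewName 'encryption.config'
    throw
}

# Step 5: restart the application pool only when a name was supplied.
if ($AppPoolName) {
    Import-Module WebAdministration
    Restart-WebAppPool -Name $AppPoolName
}
```

Check the file name printed by the script against the time of the failed regeneration before bringing the instance back online.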

