Tips & Tricks

How to Export and Regenerate Encryption Keys in Devolutions Server

Laurence Cadieux

Hello! My name is Laurence Cadieux, and I’m a Communication Coordinnator here at Devolutions. My role includes overseeing the content strategy and development of our blog, managing the content and communication for our VIP advocate platform “Devolutions Force,” and working closely with our PR partners around the world. I also handle our off-site content opportunities (magazines, journals, newspapers, etc.). Academically, I have a bachelor’s degree in marketing. When I’m not working, I sing in a band, and I enjoy watching my favorite movies again and again. I also love cooking, and during the pandemic, I became a bread expert — I can now bake the most amazing key lime pie on earth (if I do say so myself!). Plus, I recently discovered LEGO and there is no turning back — I’m hooked! I’m always happy to help, and you can reach me directly at lcadieux@devolutions.net.

View more posts

In the IT world, productivity and efficiency are priorities — but nothing is more important than security. The costs and consequences of breaches and leaks can be enormous. That is where encryption keys enter the picture.

In this article, we take a closer look at how to export and regenerate encryption keys in Devolutions Server. First, let us quickly summarize this solution for those who are unfamiliar with it.

About Devolutions Server

Devolutions Server is our globally-popular, full-featured shared account and password management solution with add-on privileged access components. It deploys rapidly, implements easily, and delivers the core features of a comprehensive PAM solution. Devolutions Server is designed to meet the ever-expanding security requirements of SMBs, while remaining very affordable. A free 30-day trial is available.

About the Encryption Keys in Devolutions Server

The encryption keys in Devolutions Server are used to encrypt data entries (connections, private vaults, documentation, and attachments). They are generated and stored in file “encryption.config”, which is stored on the server only. To encrypt data stored in the database, we use our open-source cryptography library that can be found at https://github.com/Devolutions/devolutions-crypto.

The encryption keys must be the same for each Devolutions Server instance of your High Availability/Load Balancing Topology that uses the same SQL database, or for a migration operation.

Important note: We strongly recommend storing your Recovery Kit or the encryption keys in a secure, yet easy-to-remember location outside of Devolutions Server, such as in Password Hub Business, Azure Key Vault, or AWS Key Management Service.

Creating and Storing a Recovery Kit

First of all, when you install your Devolutions Server instance, you will be promoted to create a Recovery Kit, which you will need in the event that you no longer have access to Devolutions Server, or for a load balancing topology. The Recovery Kit is a .ZIP folder generated by the Devolutions Server console, which contains the encryption keys and a response file (which can be used to re-install Devolutions Server with the same specifications as the initial install).

image 1 recovery kit.png

image 2 recovery kit.png

Exporting the Encryption Key

Here are the steps for exporting the encryption keys. Please Note: if you need to upgrade Devolutions Server, please upgrade one instance at a time.

Step 1: Open the Devolutions Server Console.

Step 2: Go in the Tools tab and click on the Export button.

image 3 step 2 exporting encryption keys.png

Step 3: Select a destination file name and set a password to protect the file. Then click OK.

Image 4 step 3 exporting encryption keys.png

Regenerating the Encryption Keys

There may be scenarios where you need to regenerate the encryption keys, such as if you suspect that your data base has been breached. Before we look at the steps for this process, please note: the regenerate operation will alter and re-encrypt the inner data of the SQL database of the Devolutions Server. This operation must be undertaken with the utmost care.

Step 1: Create a full database backup, and confirm that the backup is fully operational.

Backup the Database

Before performing any operation that could modify information in the SQL database, we highly recommend completing a backup of the SQL database. To avoid data loss, during the backup process all users must be in offline mode or disconnected from the Devolutions Server data source.

Step 2: Create a backup of the Devolutions Server web application folder.

Step 3: Export the existing encryption keys (see above steps 1 to 3 in the Exporting the Encryption Keys section.)

Step 4: Switch the Devolutions Server instance to offline mode using the Go Offline button.

image 5 step 4 regenarating encryptions keys.png

Step 5: From the Tools menu click the Regenerate button.

image 6 step 5 regenarating encryption keys.png

Step 6: Set the destination filename and the password to protect the file that contains a backup of the regenerated encryption keys.

image 7 step 6 regenarating encryption keys.png

Step 7: A final warning will display before the regeneration process launches. Once you are ready to proceed, click OK.

image 8 step 7 regenerating encryption keys.png

Once the process is complete, the following status message will display:

image 9.png

Note: In the unlikely event that an error occurs during the process, then please follow the instructions in the graphic below to restore your Devolutions Server instance to its previous state:

image 10.png

Tell Us What You Think

We hope that you found this tutorial useful. Please let us know your thoughts by commenting below. Please also tell us what other tutorials you would like us to publish in the future.

Related Posts

Read more Tips & Tricks posts