In the IT world, productivity and efficiency are priorities — but nothing is more important than security. The costs and consequences of breaches and leaks can be enormous. That is where encryption keys enter the picture.
In this article, we take a closer look at how to export and regenerate encryption keys in Devolutions Server. First, let us quickly summarize this solution for those who are unfamiliar with it.
About Devolutions Server
Devolutions Server is our globally-popular, full-featured shared account and password management solution with add-on privileged access components. It deploys rapidly, implements easily, and delivers the core features of a comprehensive PAM solution. Devolutions Server is designed to meet the ever-expanding security requirements of SMBs, while remaining very affordable. A free 30-day trial is available.
About the Encryption Keys in Devolutions Server
The encryption keys in Devolutions Server are used to encrypt data entries (connections, private vaults, documentation, and attachments). They are generated and stored in file “encryption.config”, which is stored on the server only. To encrypt data stored in the database, we use our open-source cryptography library that can be found at https://github.com/Devolutions/devolutions-crypto.
The encryption keys must be the same for each Devolutions Server instance of your High Availability/Load Balancing Topology that uses the same SQL database, or for a migration operation.
Important note: We strongly recommend storing your Recovery Kit or the encryption keys in a secure, yet easy-to-remember location outside of Devolutions Server, such as in Password Hub Business, Azure Key Vault, or AWS Key Management Service.
Creating and Storing a Recovery Kit
First of all, when you install your Devolutions Server instance, you will be promoted to create a Recovery Kit, which you will need in the event that you no longer have access to Devolutions Server, or for a load balancing topology. The Recovery Kit is a .ZIP folder generated by the Devolutions Server console, which contains the encryption keys and a response file (which can be used to re-install Devolutions Server with the same specifications as the initial install).
Exporting the Encryption Key
Here are the steps for exporting the encryption keys. Please Note: if you need to upgrade Devolutions Server, please upgrade one instance at a time.
Step 1: Open the Devolutions Server Console.
Step 2: Go in the Tools tab and click on the Export button.
Step 3: Select a destination file name and set a password to protect the file. Then click OK.
Regenerating the Encryption Keys
There may be scenarios where you need to regenerate the encryption keys, such as if you suspect that your data base has been breached. Before we look at the steps for this process, please note: the regenerate operation will alter and re-encrypt the inner data of the SQL database of the Devolutions Server. This operation must be undertaken with the utmost care.
Step 1: Create a full database backup, and confirm that the backup is fully operational.
Backup the Database
Before performing any operation that could modify information in the SQL database, we highly recommend completing a backup of the SQL database. To avoid data loss, during the backup process all users must be in offline mode or disconnected from the Devolutions Server data source.
Step 2: Create a backup of the Devolutions Server web application folder.
Step 3: Export the existing encryption keys (see above steps 1 to 3 in the Exporting the Encryption Keys section.)
Step 4: Switch the Devolutions Server instance to offline mode using the Go Offline button.
Step 5: From the Tools menu click the Regenerate button.
Step 6: Set the destination filename and the password to protect the file that contains a backup of the regenerated encryption keys.
Step 7: A final warning will display before the regeneration process launches. Once you are ready to proceed, click OK.
Once the process is complete, the following status message will display:
Note: In the unlikely event that an error occurs during the process, then please follow the instructions in the graphic below to restore your Devolutions Server instance to its previous state:
Tell Us What You Think
We hope that you found this tutorial useful. Please let us know your thoughts by commenting below. Please also tell us what other tutorials you would like us to publish in the future.