Mysteries of Magento Encryption Key


If you have ever gone through the Magento installation process, you know that at some point you are asked for a Magento encryption key. Magento will automatically generate one for you if you do not enter anything in this field. For a first installation, this is just fine. You will see a note that Magento uses this key to encrypt passwords, credit cards and more. Is this really the case?

Once the Magento installation is complete, you will find the key in the /app/etc/local.xml file:

<key><![CDATA[-encryption-key-]]></key>

You might think that the key matters when Magento saves a customer or admin user password in the database and encrypts it. However, this is not the case. When you upgrade the site to a new Magento installation, you will still be able to log in with the usernames and passwords you used before, even if the encryption key is different.

But if you forgot to keep the encryption key from the old installation and save it again in the new one, you will run into a problem where some payment or shipping gateways do not work. The access data will not work even though it is still in the database. This is where the encryption key comes into the story. PayPal and similar transaction keys and passwords are additionally secured with this key via a hash & salt method. With this in mind, if you forgot the old transaction key, there is no other way to solve this issue than re-saving those access data from the Magento administration interface.

So, the golden rule is: when upgrading the site to a new installation, be sure to use the same encryption key.
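
A pre-migration check for the golden rule above, as an added example that is not part of the original article: it reads the key from the old and the new local.xml and reports whether they match, without printing the key itself. The config/global/crypt/key path, the function names and the sample keys are assumptions made for illustration.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample files; the keys are made-up placeholders, not real secrets.
OLD_LOCAL_XML = """<config><global><crypt>
  <key><![CDATA[0123456789abcdef0123456789abcdef]]></key>
</crypt></global></config>"""

NEW_LOCAL_XML = """<config><global><crypt>
  <key><![CDATA[fedcba9876543210fedcba9876543210]]></key>
</crypt></global></config>"""


def extract_key(local_xml_text):
    """Return the encryption key from local.xml content, or None if absent."""
    root = ET.fromstring(local_xml_text)
    # Assumption: the key lives at config/global/crypt/key.
    node = root.find("./global/crypt/key")
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()


def fingerprint(key):
    """Short SHA-256 fingerprint, so the key itself never reaches logs."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:12]


def check_migration(old_xml, new_xml):
    """Compare the keys of two installations; return (status, message)."""
    old_key, new_key = extract_key(old_xml), extract_key(new_xml)
    if old_key is None or new_key is None:
        return ("error", "encryption key missing in one of the files")
    if hmac.compare_digest(old_key.encode(), new_key.encode()):
        return ("ok", "keys match: " + fingerprint(new_key))
    return ("mismatch", "old %s != new %s; stored gateway credentials "
            "must be re-saved in the admin"
            % (fingerprint(old_key), fingerprint(new_key)))


if __name__ == "__main__":
    print(check_migration(OLD_LOCAL_XML, NEW_LOCAL_XML))
    print(check_migration(OLD_LOCAL_XML, OLD_LOCAL_XML))
```
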


About Tomislav Bilic

Founder and CEO

Tomislav is a founder and CEO at Inchoo. Enjoys traveling - especially quick getaways, traditional cuisine (from most cultures), good wine and strong rakija.



  1. What bad luck I had! I moved my Magento to new hosting and changed the encryption key by mistake. I didn’t keep the original key. Is there anywhere to look for the old key and get it back?

    With the new encryption key, the website works with no problem. I haven’t found any issues yet. Also, I have created a new customer account and it allows login, and I tried to place an order with PayPal checkout; it redirects to PayPal’s website, but I don’t know if it will be successful as I don’t have another PayPal account to make a payment for testing.

  2. There is a fundamental difference between encryption and hashing.

    Hashing is a one-way function. Once you’ve hashed a value, you cannot get that value back. If API credentials were hashed, then Magento would not be able to restore their original values to submit to the API. See

    Symmetric encryption is a two-way function where the original value can be retrieved if one has the encryption key. See

  3. So if I have the old key and a new key, is there a method or script that will allow me to change the key and not lose or corrupt the data hashed or encrypted with the old key?
    It is good security to change keys every so often. How can this be done with the Magento key?

  4. Hi,
    I migrated a Magento installation. I have a strange situation now. Any new users I create cannot log in to the backend (username/password is incorrect error). When I open the DB and look in API_user, the new user is there, with an encrypted password.
    What I did in the migration was that I changed the DBNAME, KEY and DBPASSWORD to the old ones in the local.xml and simply imported the old database.
    I can log in using the older created accounts, but not any new ones. I suspect this problem is due to Magento still using the installation key to encrypt passwords but the old key to access the database and decrypt.
    Please help on how to solve this.

  5. I know this is probably a dumb question, but by resave, do you just mean go into the necessary admin areas and just “Save Config” again? Or do you have to enter the password and then press “Save Config”?

  6. Hi Sean,

    You can change it to whatever string you want. But in this case, you will need to resave the data for PayPal variables (in Magento Admin), or even shipping if you use some advanced methods.

    Hope that helps.

  7. So, if someone hacks your ftp access and gets the encryption key, how do you go about changing it?

  8. @Tomislav – Thanks for the article.

    We’ve run into issues in the past where a developer was using a different copy of local.xml (and consequently a different encryption key) on their development machine, which obviously caused issues when trying to access the api keys for shipping or payment methods. We use SVN to manage our Magento projects, but because the local.xml file changes based on the environment, we add the local.xml to a different part of the repo, outside of the htdocs folder. Because of this, there have been times that local.xml files were different per environment, because a developer didn’t update their local.xml files. We’ve since resolved this issue, but it’s something to keep in mind when running a project in different environments (stage, dev, production, etc…)

  9. I never thought of the encryption key. I have upgraded several times without keeping it aside and so far have not faced any problem, but I will be careful from now on 🙂

  10. I have a query.
    I recently deleted the entire Magento directory from my server by mistake. I had the database of the project, which was not deleted. So I reinstalled the new Magento with a new database, removed the database and backed it up with my previous database, i.e. the one that was not deleted :). Then I uploaded all the images for catalogs from admin. Till now everything is working alright except the editor showing strange behavior: it is stripping all the HTML tags that I inserted for any content or CMS pages. No HTML tags are inserted into the database, only the plain text. Is it due to the encryption key? What are the other things that will create problems after this? Please suggest.

  11. I got the impression this text was actually referring to the Enterprise Edition of Magento, which apparently can encrypt account passwords. At least, their ‘encryption’ video has a picture of the login screen which says users’ passwords can be encrypted with PA-DSS…

    It might all be bollocks in the video though – I haven’t had the opportunity to read through the Enterprise codebase yet…

  12. This is helpful. I didn’t know what the encryption key does at first. However, I kept it in a safe place. Now I know what it does 🙂

  13. @EcommerceDeveloper:

    Key sentence is:
    “…saves customers or admin user password in the database and encrypts it. However, this is not the case.”

  14. Actually, Magento doesn’t encrypt the passwords; it just creates a hash with the salt.
    But as for transaction data and some encryptable configuration fields, you’re right.
