Mysteries of Magento Encryption Key

If you have ever gone through the Magento installation process, you know that at some point you are asked for a Magento Encryption Key. If you leave the field empty, Magento generates one for you, which is fine for a first installation. The installer notes that Magento uses this key to encrypt passwords, credit cards and more. Is this really the case?

Once the Magento installation is complete, you will find the key in the file app/etc/local.xml, inside the global/crypt node:

<crypt>
    <key><![CDATA[-encryption-key-]]></key>
</crypt>

You might assume the key is involved whenever Magento stores a customer or admin user password. It is not: passwords are stored as salted hashes, not as encrypted values, and the hash never involves the encryption key. That is why, after moving the site to a fresh installation with a different key, everyone can still log in with the usernames and passwords they used before.

But if you did not note down and reuse the encryption key from the old installation, you will hit a different problem: some payment or shipping gateways stop working, even though their access data is still present in the database. This is where the encryption key comes into the story. Gateway credentials such as PayPal and Authorize.net API passwords and transaction keys are stored encrypted with this key (reversibly encrypted, not hashed, because Magento has to send the plaintext to the gateway). Under a different key, decrypting them yields garbage, and every request to the gateway is refused. If the old key is gone, there is no way to recover those values; the only fix is to re-enter and save each of them from the Magento administration interface.

So the golden rule is: when upgrading the site to a new installation, carry the same Encryption Key over to the new app/etc/local.xml. Treat that file as a secret and keep the key in your backups: anyone who can read it can decrypt every gateway credential in the database, and without it those credentials are unrecoverable.
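The rule above covers a straight migration. When the key itself has to change, for instance because a copy of local.xml has leaked, the stored credentials must be decrypted with the old key and re-encrypted with the new one rather than re-typed by hand. The following script is an added example and not part of the original post or of Magento itself; it assumes a Magento 1 installation, the Varien_Crypt and Mage::helper('core') encryption API that Mage_Core_Model_Encryption uses, and the three config paths listed, which you should adjust to the gateways your store actually uses:

```php
<?php
/**
 * rekey_config.php  (added example, not Magento's own code)
 *
 * Re-encrypts gateway credentials in core_config_data after the encryption
 * key in app/etc/local.xml has been changed. Put the NEW key in local.xml
 * first, then run from the Magento root:
 *
 *   php rekey_config.php <old-encryption-key> [--dry-run]
 */
require_once 'app/Mage.php';
Mage::app();

// Config paths whose backend model is adminhtml/system_config_backend_encrypted.
// Assumption: this list is illustrative; extend it to every encrypted field
// your store uses (other gateways, shipping carriers, third-party modules).
$encryptedPaths = array(
    'paypal/wpp/api_password',
    'paypal/wpp/api_signature',
    'payment/authorizenet/trans_key',
);

if ($argc < 2) {
    fwrite(STDERR, "usage: php rekey_config.php <old-encryption-key> [--dry-run]\n");
    exit(1);
}
$oldKey = $argv[1];
$dryRun = in_array('--dry-run', $argv, true);

// The key Magento is using right now, i.e. the one in app/etc/local.xml.
$newKey = (string) Mage::getConfig()->getNode('global/crypt/key');
if ($oldKey === $newKey) {
    echo "local.xml still holds the old key; change it first, then rerun.\n";
    exit(0);
}

// Varien_Crypt is the same cipher wrapper Mage_Core_Model_Encryption uses
// internally; we initialise one with the OLD key for decryption and let the
// core helper encrypt with the key now configured in local.xml.
$oldCrypt   = Varien_Crypt::factory()->init($oldKey);
$coreHelper = Mage::helper('core');

$rows = Mage::getModel('core/config_data')->getCollection()
    ->addFieldToFilter('path', array('in' => $encryptedPaths));

foreach ($rows as $row) {
    $stored = (string) $row->getValue();
    if ($stored === '') {
        continue; // nothing saved for this scope
    }

    // Magento stores base64(cipher(plaintext)). A wrong key does not raise an
    // error here, it simply produces garbage, so the printable-text check
    // below is a heuristic guard against re-encrypting garbage as a credential.
    $plain = str_replace("\x0", '', trim($oldCrypt->decrypt(base64_decode($stored))));
    if ($plain === '' || !ctype_print($plain)) {
        printf("SKIP   %s (scope %s/%d): does not decrypt cleanly with the old key\n",
            $row->getPath(), $row->getScope(), $row->getScopeId());
        continue;
    }

    $reEncrypted = $coreHelper->encrypt($plain);
    printf("%s %s (scope %s/%d)\n", $dryRun ? 'WOULD ' : 'REKEY ',
        $row->getPath(), $row->getScope(), $row->getScopeId());

    if (!$dryRun) {
        $row->setValue($reEncrypted)->save();
    }
}

if (!$dryRun) {
    // Config values are cached; flush so the re-encrypted ones are picked up.
    Mage::app()->cleanCache();
}
```

Run it first with --dry-run and confirm every listed row reports REKEY rather than SKIP; a SKIP means either the old key you supplied is not the one that encrypted that row or the row was already re-saved under the new key. Take a database backup before the real run, since a credential re-encrypted from a wrong decryption is as lost as one encrypted under a forgotten key. The script only touches core_config_data; any other encrypted columns in your database would need the same decrypt-then-encrypt treatment.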

Cheers!