where do I get the decrytion key strapi
You don’t “get” the Strapi decryption key from Strapi itself — you define and manage it yourself via configuration or environment variables.
Below is a friendly walkthrough tailored to the kind of “where do I find this key?” confusion that often pops up in forum discussions about Strapi.
Quick Scoop: What “decryption key” means in Strapi
When people ask “where do I get the decryption key in Strapi?” , they’re usually referring to one of these:
- The admin encryption key used to encrypt/decrypt API tokens in the admin panel.
- The export data encryption key used with
strapi exportwhen you encrypt your backup files.
- A plugin-specific encryption key , e.g. a plugin like “encryptable-field” that stores sensitive fields encrypted.
In all those cases, you don’t download the key from Strapi — you create it
(or let Strapi auto‑create it) and store it in your config or .env file.
1. Admin panel / API token decryption key
What this key is
Strapi can encrypt API token values and make them viewable later in the admin panel if an encryption key is configured.
That key lives in your admin config under secrets.encryptionKey.
Where to set or find it
In a Strapi 4/5 project, look at config/admin.js (or config/admin.ts):
js
// config/admin.js
module.exports = ({ env }) => ({
// other config parameters
secrets: {
encryptionKey: env('ENCRYPTION_KEY'),
},
});
Key points:
- The actual decryption/encryption key value comes from the
ENCRYPTION_KEYenvironment variable.
- In new Strapi projects , Strapi can auto‑generate this key for you, so you might already have it in your
.env.
- If you don’t set
admin.secrets.encryptionKey, tokens are still usable, but they are only shown once and not viewable later.
So if you’re asking “where do I get the decryption key?”, in this context the answer is:
Check your
.envforENCRYPTION_KEY, or define one yourself and reference it inconfig/admin.js.
2. Encryption key for strapi export (.enc backup files)
Strapi’s strapi export command can encrypt your exported data using
aes-128-ecb and save it as .enc files.
How the key works
- When you run
strapi export, it can prompt you for an encryption key or you can pass it with-k/--key.
- That key is just a string you choose; there’s no minimum length, but a strong key is recommended.
- The same key is required later to decrypt the
.encfile, so you must remember or store it safely.
Essentially:
- You provide the key when exporting.
- There is no hidden Strapi “master key” you can fetch later.
- If you lose that key, you cannot decrypt that encrypted export.
Example usage:
bash
strapi export --key "my-strong-secret-key"
If you do not want encryption at all:
bash
strapi export --no-encrypt
3. Plugin-level encryption keys (e.g. encryptable fields)
Some Strapi plugins introduce their own encryption logic, and they require
their own key, commonly via ENCRYPTION_KEY or similar env vars.
For example, the Encryptable Field plugin:
- Uses
aes-256-cbcencryption.
- Requires a 32‑byte hex string provided via an environment variable
ENCRYPTION_KEY.
You enable it in config/plugins.js:
js
// config/plugins.js
module.exports = {
'encryptable-field': {
enabled: true,
},
};
Then you set ENCRYPTION_KEY in your server environment and .env:
bash
ENCRYPTION_KEY=your-32-byte-hex-key
You generate that key yourself (eg. with Node’s crypto):
bash
node -e "console.log(require('crypto').randomBytes(16).toString('hex'));"
Again, there is no Strapi-provided decryption key — you define it, and that same key is used to decrypt the field values.
4. How to generate “good” keys (APP_KEYS, salts, ENCRYPTION_KEY)
Strapi’s docs and GitHub discussions recommend using tools like OpenSSL or
Node’s crypto to generate secure random keys.
Common patterns mentioned in community examples:
bash
# OpenSSL examples
openssl rand -base64 16
openssl rand -base64 32
openssl rand -base64 48
Often used for:
APP_KEYSAPI_TOKEN_SALTADMIN_JWT_SECRETTRANSFER_TOKEN_SALT
Example snippet from discussion:
bash
# Generate keys
APP_KEYS=$(openssl rand -base64 16),$(openssl rand -base64 16),$(openssl rand -base64 16)
API_TOKEN_SALT=$(openssl rand -base64 16)
ADMIN_JWT_SECRET=$(openssl rand -base64 16)
TRANSFER_TOKEN_SALT=$(openssl rand -base64 16)
# Print results
echo "APP_KEYS=$APP_KEYS"
echo "API_TOKEN_SALT=$API_TOKEN_SALT"
echo "ADMIN_JWT_SECRET=$ADMIN_JWT_SECRET"
echo "TRANSFER_TOKEN_SALT=$TRANSFER_TOKEN_SALT"
For plugin-level encryption keys, a Node one‑liner is common:
bash
node -p "require('crypto').randomBytes(48).toString('base64');"
The big idea:
In Strapi, “decryption keys” are usually env-configured secrets you generate yourself — not something Strapi hands you later.
5. Mini FAQ (forum-style)
Q: I see
.encexport files. Where is the key stored?
A: It isn’t magically stored by Strapi; you provided it duringstrapi export(via prompt or--key) and must reuse that exact string to decrypt.
Q: My API tokens are not viewable after creation. Do I need a decryption key?
A: Yes. Setsecrets.encryptionKeyinconfig/admin.jsand point it toENCRYPTION_KEYin your.env. New projects often have this auto- generated.
Q: Can I “recover” the encryption key if I lost it?
A: Not realistically. You can generate a new key for future use, but old encrypted exports or fields that used the lost key won’t be decryptable.
Q: Are there default keys I can copy from Strapi?
A: Some keys for new projects are auto-generated in.env, but they are unique per project. You shouldn’t reuse someone else’s keys for security reasons.
6. Simple step-by-step: “Where do I get the decryption key in Strapi?”
- Identify your context
- Admin/API tokens,
strapi export, or plugin fields?
- Admin/API tokens,
- Check your
.envfile- Look for
ENCRYPTION_KEY,APP_KEYS,API_TOKEN_SALT,ADMIN_JWT_SECRET, etc.
- Look for
- If missing, generate a strong key
- Use
openssl rand -base64 32or a Nodecryptocommand, then add it to.env.
- Use
- Wire it into Strapi config
- Admin: set
secrets.encryptionKey: env('ENCRYPTION_KEY')inconfig/admin.js.
- Admin: set
* Plugin: follow plugin docs, usually via `ENCRYPTION_KEY`.
* Export: pass the key explicitly via `strapi export --key "your-key"`.
- Keep the key safe
- Use your infrastructure’s secret manager and avoid committing keys to Git. Strapi’s security guide encourages good key hygiene.
Mini storytelling example (to make it concrete)
Imagine you ran strapi export, got a backup.enc file, and now you can’t
remember the key. You dig into your .env expecting a magic “decryption key”
value but find nothing special, just APP_KEYS and some salts. In this
situation, there is no hidden Strapi key you can “get” — the decryption key is
exactly the string you typed or passed when you did the export. If that string
is gone, the encrypted backup is effectively locked forever. Next time, you
define a strong key in .env, reference it in your backup script, and store
it in a secret manager so you never have to ask “where do I get the decryption
key?” again.
SEO bits (for your post)
- Focus keyword: where do I get the decrytion key strapi
- Meta description suggestion:
Learn where Strapi “decryption keys” really live — admin encryption keys, export keys, and plugin secrets — and how to generate and configure them safely in your project.
Information gathered from public forums or data available on the internet and portrayed here.