You don’t “get” the Strapi decryption key from Strapi itself — you define and manage it yourself via configuration or environment variables.

Below is a friendly walkthrough tailored to the kind of “where do I find this key?” confusion that often pops up in forum discussions about Strapi.

Quick Scoop: What “decryption key” means in Strapi

When people ask “where do I get the decryption key in Strapi?” , they’re usually referring to one of these:

  • The admin encryption key used to encrypt/decrypt API tokens in the admin panel.
  • The export data encryption key used with strapi export when you encrypt your backup files.
  • A plugin-specific encryption key , e.g. a plugin like “encryptable-field” that stores sensitive fields encrypted.

In all those cases, you don’t download the key from Strapi — you create it (or let Strapi auto‑create it) and store it in your config or .env file.

1. Admin panel / API token decryption key

What this key is

Strapi can encrypt API token values and make them viewable later in the admin panel if an encryption key is configured.

That key lives in your admin config under secrets.encryptionKey.

Where to set or find it

In a Strapi 4/5 project, look at config/admin.js (or config/admin.ts):

js

// config/admin.js
module.exports = ({ env }) => ({
  // other config parameters
  secrets: {
    encryptionKey: env('ENCRYPTION_KEY'),
  },
});

Key points:

  • The actual decryption/encryption key value comes from the ENCRYPTION_KEY environment variable.
  • In new Strapi projects , Strapi can auto‑generate this key for you, so you might already have it in your .env.
  • If you don’t set admin.secrets.encryptionKey, tokens are still usable, but they are only shown once and not viewable later.

So if you’re asking “where do I get the decryption key?”, in this context the answer is:

Check your .env for ENCRYPTION_KEY, or define one yourself and reference it in config/admin.js.

2. Encryption key for strapi export (.enc backup files)

Strapi’s strapi export command can encrypt your exported data using aes-128-ecb and save it as .enc files.

How the key works

  • When you run strapi export, it can prompt you for an encryption key or you can pass it with -k / --key.
  • That key is just a string you choose; there’s no minimum length, but a strong key is recommended.
  • The same key is required later to decrypt the .enc file, so you must remember or store it safely.

Essentially:

  • You provide the key when exporting.
  • There is no hidden Strapi “master key” you can fetch later.
  • If you lose that key, you cannot decrypt that encrypted export.

Example usage:

bash

strapi export --key "my-strong-secret-key"

If you do not want encryption at all:

bash

strapi export --no-encrypt

3. Plugin-level encryption keys (e.g. encryptable fields)

Some Strapi plugins introduce their own encryption logic, and they require their own key, commonly via ENCRYPTION_KEY or similar env vars.

For example, the Encryptable Field plugin:

  • Uses aes-256-cbc encryption.
  • Requires a 32‑byte hex string provided via an environment variable ENCRYPTION_KEY.

You enable it in config/plugins.js:

js

// config/plugins.js
module.exports = {
  'encryptable-field': {
    enabled: true,
  },
};

Then you set ENCRYPTION_KEY in your server environment and .env:

bash

ENCRYPTION_KEY=your-32-byte-hex-key

You generate that key yourself (eg. with Node’s crypto):

bash

node -e "console.log(require('crypto').randomBytes(16).toString('hex'));"

Again, there is no Strapi-provided decryption key — you define it, and that same key is used to decrypt the field values.

4. How to generate “good” keys (APP_KEYS, salts, ENCRYPTION_KEY)

Strapi’s docs and GitHub discussions recommend using tools like OpenSSL or Node’s crypto to generate secure random keys.

Common patterns mentioned in community examples:

bash

# OpenSSL examples
openssl rand -base64 16
openssl rand -base64 32
openssl rand -base64 48

Often used for:

  • APP_KEYS
  • API_TOKEN_SALT
  • ADMIN_JWT_SECRET
  • TRANSFER_TOKEN_SALT

Example snippet from discussion:

bash

# Generate keys
APP_KEYS=$(openssl rand -base64 16),$(openssl rand -base64 16),$(openssl rand -base64 16)
API_TOKEN_SALT=$(openssl rand -base64 16)
ADMIN_JWT_SECRET=$(openssl rand -base64 16)
TRANSFER_TOKEN_SALT=$(openssl rand -base64 16)

# Print results
echo "APP_KEYS=$APP_KEYS"
echo "API_TOKEN_SALT=$API_TOKEN_SALT"
echo "ADMIN_JWT_SECRET=$ADMIN_JWT_SECRET"
echo "TRANSFER_TOKEN_SALT=$TRANSFER_TOKEN_SALT"

For plugin-level encryption keys, a Node one‑liner is common:

bash

node -p "require('crypto').randomBytes(48).toString('base64');"

The big idea:

In Strapi, “decryption keys” are usually env-configured secrets you generate yourself — not something Strapi hands you later.

5. Mini FAQ (forum-style)

Q: I see.enc export files. Where is the key stored?
A: It isn’t magically stored by Strapi; you provided it during strapi export (via prompt or --key) and must reuse that exact string to decrypt.

Q: My API tokens are not viewable after creation. Do I need a decryption key?
A: Yes. Set secrets.encryptionKey in config/admin.js and point it to ENCRYPTION_KEY in your .env. New projects often have this auto- generated.

Q: Can I “recover” the encryption key if I lost it?
A: Not realistically. You can generate a new key for future use, but old encrypted exports or fields that used the lost key won’t be decryptable.

Q: Are there default keys I can copy from Strapi?
A: Some keys for new projects are auto-generated in .env, but they are unique per project. You shouldn’t reuse someone else’s keys for security reasons.

6. Simple step-by-step: “Where do I get the decryption key in Strapi?”

  1. Identify your context
    • Admin/API tokens, strapi export, or plugin fields?
  2. Check your.env file
    • Look for ENCRYPTION_KEY, APP_KEYS, API_TOKEN_SALT, ADMIN_JWT_SECRET, etc.
  1. If missing, generate a strong key
    • Use openssl rand -base64 32 or a Node crypto command, then add it to .env.
  1. Wire it into Strapi config
    • Admin: set secrets.encryptionKey: env('ENCRYPTION_KEY') in config/admin.js.
 * Plugin: follow plugin docs, usually via `ENCRYPTION_KEY`.
 * Export: pass the key explicitly via `strapi export --key "your-key"`.
  1. Keep the key safe
    • Use your infrastructure’s secret manager and avoid committing keys to Git. Strapi’s security guide encourages good key hygiene.

Mini storytelling example (to make it concrete)

Imagine you ran strapi export, got a backup.enc file, and now you can’t remember the key. You dig into your .env expecting a magic “decryption key” value but find nothing special, just APP_KEYS and some salts. In this situation, there is no hidden Strapi key you can “get” — the decryption key is exactly the string you typed or passed when you did the export. If that string is gone, the encrypted backup is effectively locked forever. Next time, you define a strong key in .env, reference it in your backup script, and store it in a secret manager so you never have to ask “where do I get the decryption key?” again.

SEO bits (for your post)

  • Focus keyword: where do I get the decrytion key strapi
  • Meta description suggestion:

Learn where Strapi “decryption keys” really live — admin encryption keys, export keys, and plugin secrets — and how to generate and configure them safely in your project.

Information gathered from public forums or data available on the internet and portrayed here.