Affected products and versions

Adobe Commerce on Cloud, Adobe Commerce on-premises, and Magento Open Source:

  • 2.4.7-p1 and earlier
  • 2.4.6-p6 and earlier
  • 2.4.5-p8 and earlier
  • 2.4.4-p9 and earlier

Isolated Patch for Troubleshooting Encryption key rotation details

Use the following attached patches, depending on your Adobe Commerce/Magento Open Source version:

For versions 2.4.7, 2.4.7-p1:

For versions 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6:

For versions 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8:

For versions 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8, 2.4.4-p9:

After you install the isolated patch, change the active encryption key with the new CLI command.

NOTE
This new CLI command will trigger a cache clean upon execution.
  1. This new command should be executed on the environment that contains your app/etc/env.php file for the key that you want to update.

  2. Confirm that the new command exists:

    bin/magento list | grep encryption:key:change
    

    You should see the following output:

    encryption:key:change Change the encryption key inside the env.php file.
    
  3. Change the encryption key:

    bin/magento encryption:key:change
    
  4. If you have executed this command on your production system, no further action should be required.
    If you have run this on a development system, you must get this change into your production system as you would normally deploy sensitive configuration settings.

Update the encryption key using environmental variables instead of using the isolated patch

As an alternative to the section above, these steps will allow you to add a new encryption key while preserving your existing encrypted data, even if you are currently using the default app/etc/env.php.
This section is written for Adobe Commerce on Cloud and Cloud Starter; it also applies to Adobe Commerce on-premises, although the exact steps and the locations of the variables depend on your infrastructure.

Collect your current value

  • If you are already managing your keys with environment variables, it may be in several possible locations, but most likely it will be in the CRYPT_KEY variable as described in the documentation.
  • If you are not using variables, the encryption key will be in app/etc/env.php within the crypt/key data key.

In either case, the value may span multiple lines, with one key per line (each line being a previous key that is still needed to decrypt existing data).

Generate a new value for 2.4.7x versions

Encryption keys are 32 bytes of random data, encoded with base64 and prefixed with the literal string base64.
To generate a new key:

  1. Using the tool of your choice, generate 32 random bytes of data encoded with base64. For example, using the OpenSSL CLI, you can run openssl rand -base64 32, but any trustworthy cryptographically random generation tool may be used.

  2. Prefix that value with the literal string base64. For example, if the openssl command output ABC123, the value would become: base64ABC123

  3. Append the generated value to your existing value that you collected above. For example, if your existing value is base64HelloWorld, your new value would become:

    base64HelloWorld
    base64ABC123
    

Generate a new value for 2.4.6x and earlier versions

Encryption keys on 2.4.6x and earlier versions are 16 bytes of random data in a hex-encoded format.
To generate a new key:

  1. Using the tool of your choice, generate 16 random bytes of data. For example, using the OpenSSL CLI, you can run openssl rand -hex 16, but any trustworthy cryptographically random generation tool may be used.

  2. Append the generated value to your existing value that you collected above. For example, if your existing value is abc123, and your random value from the previous step is 456def, your new value would become:

    abc123
    456def
    
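The two procedures above (base64-encoded 32-byte keys for 2.4.7 and hex-encoded 16-byte keys for 2.4.6 and earlier) can be carried out with a small helper that generates a key in the right format, checks its length and encoding, and appends it to the existing value without altering any of the previous lines. This is an added example, not code from Adobe or the Magento project; the function names, the release-family labels and the sample existing values are assumptions made for illustration, and the page's short example values such as abc123 are placeholders rather than full-length keys.

```python
import base64
import binascii
import secrets
from typing import Optional

B64_PREFIX = "base64"  # literal prefix required on 2.4.7 keys


def generate_key(family: str) -> str:
    """Generate one new key in the format the release family expects."""
    if family == "2.4.7":
        # 32 random bytes, base64-encoded, prefixed with the string "base64"
        return B64_PREFIX + base64.b64encode(secrets.token_bytes(32)).decode("ascii")
    if family == "2.4.6":
        # 2.4.6 and earlier: 16 random bytes, hex-encoded (like openssl rand -hex 16)
        return secrets.token_hex(16)
    raise ValueError(f"unknown release family: {family}")


def validate_key(key: str, family: str) -> bool:
    """Return True if a single key line has the length and encoding for the family."""
    if family == "2.4.7":
        if not key.startswith(B64_PREFIX):
            return False
        try:
            return len(base64.b64decode(key[len(B64_PREFIX):], validate=True)) == 32
        except (binascii.Error, ValueError):
            return False
    if family == "2.4.6":
        try:
            return len(bytes.fromhex(key)) == 16
        except ValueError:
            return False
    raise ValueError(f"unknown release family: {family}")


def rotate(existing_value: str, family: str, new_key: Optional[str] = None) -> str:
    """Append a new key to the existing (possibly multi-line) crypt key value.

    Existing lines are kept verbatim so that data encrypted under them stays
    decryptable; the new key is added as the last line.
    """
    lines = [ln.strip() for ln in existing_value.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("existing crypt key value is empty")
    if new_key is None:
        new_key = generate_key(family)
    elif not validate_key(new_key, family):
        raise ValueError(f"new key is not a valid {family} key")
    if new_key in lines:
        raise ValueError("new key duplicates an existing key line")
    return "\n".join(lines + [new_key])
```

The returned string is the complete value to place in the CRYPT_KEY / env:MAGENTO_DC_CRYPT__KEY variable or under crypt/key in app/etc/env.php.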

Add a new environment variable

Use the Cloud Console or magento-cloud CLI to set the env:MAGENTO_DC_CRYPT__KEY environment variable to this new value.

NOTE
Be advised that if you choose to mark the variable as sensitive, you may want to save an external backup of this value, since it will be hidden from all interfaces and only visible to the application.

Upon saving the variable, a redeployment will be triggered automatically which will cause the value to be applied.
