Migrating auto-generated encryptionKey from config file to N8N_ENCRYPTION_KEY environment variable resets instance

JulienDelRio · March 8, 2026, 11:15am

Describe the problem/error/question

I have a self-hosted n8n instance running for several months on a Synology NAS via Docker Compose. The encryption key was auto-generated at first launch and stored in the /home/node/.n8n/config file.

I want to explicitly set N8N_ENCRYPTION_KEY as an environment variable in my Docker Compose setup, so that I don’t depend solely on the config file. This would make migrations and container recreation safer.

Here’s what I did:

Read the encryptionKey value directly from the config file on the NAS mounted volume:
```
cat /volume1/docker/n8n/config
```
Copied that value into a .env file next to my docker-compose.yml:
```
N8N_ENCRYPTION_KEY=value-from-config
```

Added the variable to my compose:

environment:  N8N_ENCRYPTION_KEY: "${N8N_ENCRYPTION_KEY}"

Restarted with docker compose down then docker compose up -d

After restart, n8n behaved as a fresh install: account creation screen, all workflows and credentials gone.

I immediately removed the N8N_ENCRYPTION_KEY variable from the compose and restarted. n8n picked up the key from the config file again and everything was restored (credentials, workflows, etc.).

What is the error message (if any)?

No error in the logs. n8n simply started as a new instance, ignoring existing data.

Please share your workflow

N/A — this is a configuration issue, not workflow-related.

Share the output returned by the last node

N/A

My questions

Has anyone successfully migrated their encryption key from the auto-generated config file to a Docker Compose environment variable?

If so, what method did you use? Are there known pitfalls (encoding, special characters, .env file format, how n8n behaves when both the environment variable and the config file coexist)?

Any analysis or leads would be appreciated.

Information on your n8n setup

n8n version: 2.7.5
Database: SQLite
n8n EXECUTIONS_PROCESS setting: default
Running n8n via: Docker (docker compose on Synology NAS)
Operating system: Synology DSM 7.x

achamm · March 8, 2026, 11:18am

Hi Welcome! this is almost certainly your .env file mangling special characters in the key, dollar signs and certain characters get interpreted by docker compose during variable substitution. Try putting the key value directly in your compose file instead of going through .env or wrap it in single quotes in the .env file and escape any $ as $$

Anshul_Namdev · March 8, 2026, 11:39am

Hi @JulienDelRio Welcome!
This can be caused by some missed char, consider following these:
First export all your credentials when the instance is working, the commend would be:
n8n export:credentials --all --decrypted --output=/path/to/credentials.json

now set the N8N_ENCRYPTION_KEY in your Docker Compose environment, the key might contain special chars so just wrap them around quotes,

Just now clear the config file , and now once it is cleared, run i mean restart the container and then re import those credentials using this command:
n8n import:credentials --input=/path/to/credentials.json

And i would recommend reading this before all that:

OMGItsDerek · March 8, 2026, 12:09pm

The special characters issue in .env is the most likely culprit here — specifically $ signs and backslashes. Docker Compose does variable substitution on .env values, so if your encryption key contains $, Docker interprets it as the start of a variable expansion and silently mangles it.

Two safe approaches:

Option 1: Set it directly in docker-compose.yml (not .env):

environment:
  - N8N_ENCRYPTION_KEY=your-actual-key-value-here

This bypasses .env substitution entirely.

Option 2: Escape it in .env — wrap the value in single quotes and double any $ as $$:

N8N_ENCRYPTION_KEY='your$$key'

To confirm the key is being passed correctly before you commit, run:

docker compose config

This prints the resolved compose config with substitutions applied — you’ll immediately see if the key is getting mangled.

Also worth verifying: make sure the config file path (/home/node/.n8n/config) is not still being read with a different key value. If both config file and N8N_ENCRYPTION_KEY env var are present, the env var should take precedence — but you can rename or remove the config file temporarily to rule out any conflict.

JulienDelRio · March 8, 2026, 2:16pm

Thank you for all.
It was just the simple quotes.

I set N8N_ENCRYPTION_KEY=’value-from-config’. It’s now working.

I am feeling stupid for not thinking about that…

achamm · March 8, 2026, 5:35pm

Ha, your welcome! We all make mistakes!

system · March 15, 2026, 5:36pm

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.