Rotate N8N_ENCRYPTION_KEY

Hello
We would like to rotate N8N_ENCRYPTION_KEY in our n8n instances. How is this possible without losing all our credentials?

Thanks for your answer


Hello,

I found this online: Rotate the n8n encryption key safely and avoid lockouts - LumaDock

Hope it helps.

Take a look @Julien_Haumont

https://lumadock.com/blog/tutorials/n8n-encryption-key-rotation/

Thanks, I will do this :)

So, it failed for 2 reasons:

  • We persist the .n8n folder, so the config file is persisted too, with the encryption key in it. There is a mismatch between the value in the config file and the env var. I handle it by deleting the file directly in the container.
    Error: Mismatching encryption keys. The encryption key in the settings file /home/node/.n8n/config does not match the N8N_ENCRYPTION_KEY env var. Please make sure both keys match. More information: Configuration methods | n8n Docs

  • We use the externalSecret feature (as we have a paid version) and the credentials of the vault provider are encrypted with… the encryption key. So when we restart the service with the new encryption key, it failed to manage these credentials.
    External secrets manager failed to initialize, Error: error:1C800064:Provider routines::bad decrypt at Decipheriv.final (node:internal/crypto/cipher:184:29) at Cipher.decrypt (/usr/local/lib/node_modules/n8n/node_modules/.pnpm/n8n-core@file+packages+core_@[email protected]_@[email protected]_08b575bec2313d5d8a4cc75358971443/node_modules/n8n-core/src/encryption/cipher.ts:28:61)

PS: we deploy n8n on k8s

This is a nice use case.
AFAIK, you’ll need to export/import credentials with the --decrypted flag as part of the rotation process, and delete /home/node/.n8n/config to force n8n to use the new N8N_ENCRYPTION_KEY from the environment variable.

Finally, here are the steps I have to follow to successfully rotate the key

TL;DR : enterprise feature doesn’t handle the ENCRYPTION_KEY rotation

A GitHub issue to track it: Issue with enterprise features when rotating ENCRYPTION_KEY · Issue #22478 · n8n-io/n8n · GitHub

  • Back up the n8n database
  • Delete settings from the n8n database (to delete the external secret configuration that is blocking the restart, and any other):
    DELETE FROM public.settings WHERE key='feature.externalSecrets' OR key='features.sourceControl.sshKeys';
  • Open a shell on the n8n pod (on the target environment)
  • Run the command n8n export:credentials --all --output=/data/credentials.json --decrypted
  • Delete the n8n config file: rm -f ${HOME}/.n8n/config (because the encryption key is duplicated in this file)
  • Generate a new key and update the env var
  • Roll out the pod
  • Open a shell on the n8n pod (on the target environment)
  • Run the command n8n import:credentials --input=/data/credentials.json --decrypted
  • Delete the n8n config file: rm -f /data/credentials.json
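A guard that can be run inside the pod just before the "roll out the pod" step of the procedure above, added here as an example (it is not code from the thread or from n8n). It checks the two things that decide whether the restart is safe: no settings file with a different key, and a non-empty decrypted export that only its owner can read. The function names are hypothetical, and the settings file is assumed to be JSON with an "encryptionKey" string field.

```shell
#!/bin/sh
# Added example. Assumption: the n8n settings file is JSON containing an
# "encryptionKey" string field. All function names are hypothetical.

# Print the encryptionKey stored in a settings file (empty if none found).
config_key() {
  sed -n 's/.*"encryptionKey"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print absent | match | mismatch for a settings file versus the intended key.
# "mismatch" is the state behind "Mismatching encryption keys" at startup.
key_state() {
  [ -f "$1" ] || { echo absent; return 0; }
  if [ "$(config_key "$1")" = "$2" ]; then echo match; else echo mismatch; fi
}

# Succeed only if the decrypted export has no group/other permission bits.
export_is_private() {
  [ -f "$1" ] || return 1
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *) return 1 ;;
  esac
}

# Gate for the rollout. Returns 0 when restarting with the new key is safe.
# $1 = settings file, $2 = new key, $3 = decrypted credentials export
preflight() {
  rc=0
  state=$(key_state "$1" "$2")
  if [ "$state" = mismatch ]; then
    echo "FAIL: $1 holds a different key; remove it before rollout" >&2; rc=1
  fi
  if [ ! -s "$3" ]; then
    echo "FAIL: export $3 missing or empty; nothing to re-import" >&2; rc=1
  elif ! export_is_private "$3"; then
    echo "FAIL: $3 is readable by group/other; chmod 600 it" >&2; rc=1
  fi
  return $rc
}

# Usage with the paths from the thread (NEW_KEY is a placeholder variable):
#   preflight "$HOME/.n8n/config" "$NEW_KEY" /data/credentials.json
```

The new key is passed as an argument and never printed, so the check can run in a shell whose output is logged.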
