Rotate the n8n encryption key safely and avoid lockouts

Learn how to rotate the n8n encryption key without losing credentials. Step-by-step guide for safe updates on VPS deployments.

One of the easiest ways to lock yourself out of n8n is by mishandling the encryption key. If you’ve ever opened your workflows after a restart and seen all credentials turn red, you know what I’m talking about.

In this article, I’ll explain what the n8n encryption key actually does, why it matters for production deployments, and how to rotate it properly without losing access to your stored secrets.

What is the n8n encryption key?

When you save credentials in n8n (API tokens, passwords, database logins) they’re encrypted before being stored in the database. The N8N_ENCRYPTION_KEY environment variable holds the key that locks and unlocks those secrets.

If you change or lose this key, n8n can’t decrypt the stored values anymore. The credentials are still in the database, but they’re unreadable and useless.

This is why the encryption key is a critical part of any production setup. Losing it means starting over with all integrations and re-entering every single credential.

When should you rotate the key?

Rotating encryption keys is a best practice in security. Situations where you may need to rotate include:

  • Security audits that require regular key rotation
  • Possible compromise of your .env file or VPS access
  • Migrating n8n from a test server to production
  • Aligning with compliance standards like ISO 27001 or GDPR

If none of these apply, you don’t need to rotate often. But when you do, you need a plan.

How to generate a strong encryption key

The key needs to be a 32-byte random string. You can generate one with:

openssl rand -hex 32

Or in Node.js:

node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Save this value somewhere safe — a password manager or secret vault.

Safe rotation procedure

Here’s the process I follow when rotating N8N_ENCRYPTION_KEY:

Step 1: Back up everything

  • Take a full VPS snapshot.
  • Dump your Postgres database (pg_dump n8n > backup.sql).
  • Export your workflows from the n8n editor as an extra safety net.

See our backups and disaster recovery guide if you need details.

Step 2: Export current credentials

Run:

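n8n export:credentials --all --decrypted --output=credentials.json

The --decrypted flag gives you a JSON file with all credentials decrypted using the current key. Without it, the export stays encrypted with the old key and is unreadable once the key changes. The file holds every secret in plain text, so restrict access to it and delete it once the re-import has been verified.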

Step 3: Stop n8n

docker compose down

Or stop the systemd service if you run it directly.

Step 4: Set the new key

Update your .env or docker-compose.yml with the new value:

N8N_ENCRYPTION_KEY=new32bytehexstring

Step 5: Re-import credentials

Start n8n with the new key:

docker compose up -d

Then re-import credentials:

n8n import:credentials --input=credentials.json

Now they’re encrypted again with the new key.

Step 6: Verify

  • Log in to the editor.
  • Test key integrations like Slack, Stripe, or Postgres.
  • If something fails, restore from your backup.
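A pre-flight check that fits between Step 2 and Step 3, as an added example (not code from n8n or from the original article): it confirms that credentials.json really is decrypted and that the new key has the 64-hex-character shape produced by openssl rand -hex 32. The export layout it checks (an array of entries whose data field is an object when decrypted and a string when encrypted), the NEW_KEY variable and the preflight.js file name are assumptions.

```javascript
// Added example: pre-flight check to run before changing N8N_ENCRYPTION_KEY.
// Assumption: the export is a JSON array of {id, name, type, data} where `data`
// is an object once decrypted and an opaque string while still encrypted.

// Returns the entries that would be unreadable after the key changes.
function auditExport(creds) {
  if (!Array.isArray(creds) || creds.length === 0) {
    return [{ name: '(file)', problem: 'export is empty or not an array' }];
  }
  const problems = [];
  for (const c of creds) {
    const name = (c && c.name) || '(unnamed)';
    const data = c ? c.data : undefined;
    if (typeof data === 'string') {
      problems.push({ name, problem: 'data is still encrypted with the old key' });
    } else if (data === null || typeof data !== 'object' || Array.isArray(data)) {
      problems.push({ name, problem: 'data field is missing or malformed' });
    }
  }
  return problems;
}

// `openssl rand -hex 32` prints 64 hex characters; reject anything else,
// including the placeholder from the .env example and a reused key.
function checkNewKey(newKey, oldKey) {
  if (!/^[0-9a-f]{64}$/i.test(newKey || '')) return 'new key is not 64 hex characters';
  if (newKey === oldKey) return 'new key is identical to the current key';
  return null;
}

// Constructed sample: one decrypted entry, one that is still ciphertext.
const SAMPLE = [
  { id: '1', name: 'Slack', type: 'slackApi', data: { accessToken: 'constructed-token' } },
  { id: '2', name: 'Postgres', type: 'postgres', data: 'constructed-ciphertext==' },
];

// Usage (hypothetical names): NEW_KEY=... node preflight.js credentials.json
async function main(file) {
  const creds = file
    ? JSON.parse((await import('node:fs')).readFileSync(file, 'utf8'))
    : SAMPLE; // no argument: run against the constructed sample
  const issues = auditExport(creds).map((p) => `${p.name}: ${p.problem}`);
  const keyIssue = checkNewKey(process.env.NEW_KEY, process.env.N8N_ENCRYPTION_KEY);
  if (keyIssue) issues.push(keyIssue);
  issues.forEach((line) => console.error(line));
  if (file && issues.length) process.exitCode = 1; // non-zero exit blocks the rotation
  return issues;
}
main(process.argv[2]);
```

A non-zero exit means the old key must stay in place: re-run the export before stopping n8n.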

Common pitfalls to avoid

  • Forgetting to back up: Without a backup, you’re gambling. If anything breaks, you’ll be stuck re-creating everything.
  • Changing the key without export: This is the fastest way to lose all credentials.
  • Not testing after rotation: Always run a few workflows immediately to confirm.
  • Storing the key in plain text: Use a secrets manager if possible. At minimum, keep .env files out of version control.

Best practices for key management

  • Store keys in tools like HashiCorp Vault, AWS Secrets Manager, or GCP Secret Manager.
  • Rotate keys every 6–12 months if required by compliance.
  • Never share the key outside your operations team.
  • Document the rotation procedure in your runbook.

FAQ

What happens if I lose my encryption key?

You won’t be able to decrypt any stored credentials. The only fix is re-entering them manually or restoring from a backup.

Can I rotate without downtime?

Not really. The safest way is to stop n8n, export, rotate, then re-import. The downtime is short if you plan ahead.

Does queue mode affect this?

No, all workers use the same database and must share the same key. Just make sure every instance is updated at the same time.

Should I version control the key?

Never. The encryption key should live only in your secret storage system or .env files secured on the server.


Rotating the n8n encryption key isn’t something you’ll do often, but when the time comes it’s worth doing carefully. One misstep and you lose every stored credential.

If you’d rather not handle these details yourself, you can deploy on a managed n8n VPS that includes backups and rollback options – making key management far less stressful.