
# Encryption

### Windows

During first-time installation, environment data is set for encryption. As a result, all underlying services have encryption/decryption.

### Linux

Encryption settings are read from `/etc/systemd/system/frtfd.env`.

## Container

Encryption is not enabled by default. It is enabled by setting the following environment variables:

* `FORTIFIED_SECRETS_SECRET` - The secret used for encryption. DO NOT SHARE THIS.
* `FORTIFIED_SECRETS_KEY_SIZE` - Key size, allowed values are 128 or 256.
* `FORTIFIED_SECRETS_IMPL=localgcm`

### Generating a Secret Key

#### Key Format Requirements

* Encoding: The key must be represented in hexadecimal format (characters 0-9 and a-f).
* Length:
  * A 128-bit key → exactly 32 hexadecimal characters (16 bytes).
  * A 256-bit key → exactly 64 hexadecimal characters (32 bytes).
* Case Sensitivity: Hexadecimal characters may be in lowercase or uppercase, but lowercase is recommended for consistency.
* Character Set: No spaces, line breaks, or additional characters are allowed — the key must be a continuous hex string.
* Entropy: Keys must be generated using a cryptographically secure random number generator (CSPRNG), not predictable sources.

#### Using OpenSSL

The `openssl rand` command generates cryptographically secure random bytes. When the `-hex` flag is used, the output is represented in hexadecimal format. The number following `-hex` specifies the number of bytes to generate.

Since each byte is represented by two hexadecimal characters:

* `openssl rand -hex 16` → 16 bytes (32 hex characters, 128-bit key)
* `openssl rand -hex 32` → 32 bytes (64 hex characters, 256-bit key)

Examples:

```bash
# Generate a 128-bit (16 bytes) key
openssl rand -hex 16

# Generate a 256-bit (32 bytes) key
openssl rand -hex 32
```
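
A pre-flight check of the three container variables against the key format requirements above, added here as an example and not part of Fortified ID's own tooling. The function names and return codes are this example's own, and it assumes that the secret's length must match `FORTIFIED_SECRETS_KEY_SIZE` and that `localgcm` is the expected implementation value.

```bash
# Added example: pre-flight check for the container encryption variables.
# Return codes are this example's own convention, not product behaviour.
# Messages never echo the secret itself, only its length.

check_secret() {
    secret=$1
    key_size=$2

    # Allowed key sizes are 128 or 256 bits; two hex characters per byte.
    case $key_size in
        128) want_len=32 ;;
        256) want_len=64 ;;
        *)   echo "key size must be 128 or 256" >&2; return 1 ;;
    esac

    # Continuous hex only: rejects spaces, line breaks, quotes and "0x" prefixes.
    case $secret in
        ''|*[!0123456789abcdefABCDEF]*)
            echo "secret must be a continuous hex string" >&2; return 2 ;;
    esac

    if [ "${#secret}" -ne "$want_len" ]; then
        echo "secret has ${#secret} hex characters, expected $want_len" >&2
        return 3
    fi

    # Uppercase is accepted; lowercase is only a recommendation.
    case $secret in
        *[ABCDEF]*) echo "note: lowercase hex is recommended" >&2 ;;
    esac
    return 0
}

check_container_env() {
    # Assumption: all three variables are required together.
    if [ -z "${FORTIFIED_SECRETS_SECRET:-}" ]; then
        echo "FORTIFIED_SECRETS_SECRET is not set" >&2; return 4
    fi
    if [ "${FORTIFIED_SECRETS_IMPL:-}" != "localgcm" ]; then
        echo "FORTIFIED_SECRETS_IMPL is not localgcm" >&2; return 5
    fi
    check_secret "$FORTIFIED_SECRETS_SECRET" "${FORTIFIED_SECRETS_KEY_SIZE:-}"
}
```

Source the file and call `check_container_env` in the environment that will start the container; a non-zero status means the variables should be corrected before first start, since the settings must not be changed afterwards.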

***

#### Using PowerShell

In PowerShell, you can use the .NET `System.Security.Cryptography.RandomNumberGenerator` class to produce the same cryptographically secure random data.

Examples:

```powershell
# Generate a 128-bit (16 bytes) key
[byte[]]$bytes = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
($bytes | ForEach-Object { $_.ToString("x2") }) -join ""

# Generate a 256-bit (32 bytes) key
[byte[]]$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
($bytes | ForEach-Object { $_.ToString("x2") }) -join ""  
```

{% hint style="warning" %}
Do not change encryption settings once set. This may cause faulty behaviour.
{% endhint %}
