---
title: "Storing Encryption Keys"
slug: "storing-encryption-keys"
description: "This document explains Encryption keys and how they relate to the Decisions installer. Encryption keys are stored on the application server outside of the database to ensure that the user can access the database securely. Custom data, Passwords, and Connection Strings for Database Integrations, are some of the objects encrypted in the database. "
updated: 2025-06-06T13:19:24Z
published: 2025-06-06T13:19:24Z
---

# Storing Encryption Keys

Do not lose the encryption key, or the data will be unrecoverable. If a pre-existing database is present during the installation, its encrypted data will only open with the same encryption key. If the key is lost, the data must be recreated.

---

## Overview

**Encryption keys** encrypt sensitive database information such as connection strings for integrations, passwords including AD connection info settings, and any custom, encrypted data structures.

Users may restore old encryption keys to allow new installations access to their respective database's secured data. This is recommended when upgrading or installing a new server in a [**cluster**](https://documentation.decisions.com/v9/docs/setting-a-cluster-server).

Encryption keys support the following encryption methods:

- [PII Flag](https://documentation.decisions.com/v9/docs/decrypting-pii-data-fields-with-a-report)
- [Encryption Flags](https://documentation.decisions.com/v9/docs/data-field-settings#advanced:~:text=256%2Dbit%20AES.-,Encrypt%20Data,-Encrypts%20the%20data)
- [SQL Server Encryption](https://docs.microsoft.com/en-us/sql/relational-databases/security/encryption/sql-server-encryption?view=sql-server-ver15)

Encryption Keys are intentionally stored on the **Application Server** outside the database, so the secured data is not stored next to its key. Keys are stored as **Keys.dat** in the following locations depending on the version:

- **v.9 Keys.dat** resides in **C:\Program Files\Decisions\FileStorage\Primary\Settings**
- **v.8 Keys.dat** resides in **C:\Program Files\Decisions\FileStorage\Primary\Settings**
- **v.7 Keys.dat** resides in **C:\Program Files\Decisions\Decisions Server\Instances\Control**
- **v.6 Keys.dat** resides in **C:\Program Files\Decisions\Decisions Services Manager\Instances\Control**

Encryption Keys can be rotated. See [Encryption Key Rotation](https://documentation.decisions.com/docs/encryption-key-rotation) for more information.

---

## Installing With/Without Encryption Keys

**Multi-Tenant Encryption Keys:** In [**Multi-Tenant**](https://documentation.decisions.com/v9/docs/about-multi-tenancy) environments, **Keys** cannot be handled by the installer. Instead, they are automatically backed up and stored in a directory called **installerbackup**.

### New Installation or Upgrade With No Keys Found

The installer displays the **Encryption Keys** screen when installing to a machine with no previous installation passwords or data, or to a server where no encryption keys are found. The user may enter a previous encryption key file and select **Restore Key File** to locate its respective Keys.dat file and apply it to the installation.

If no keys are found, then the database contains no encrypted data. The **Keys.dat** file is only generated once an encryption event occurs.

Upon generating a new encryption key, the Keys.dat file can be found in the **installbackup** folder at **C:\Program Files\Decisions\installbackup** once installed.

The screenshot below represents a new installation's Encryption Keys screen.

![](https://cdn.document360.io/6ef8bcc1-6489-4486-9ad1-83acff7e5df0/Images/Documentation/2022-03-31_14h41_48.png)

The screenshot below depicts the Encryption Keys window during installation with a pre-existing server without Encryption Keys.

![](https://cdn.document360.io/6ef8bcc1-6489-4486-9ad1-83acff7e5df0/Images/Documentation/2022-03-31_14h42_29.png)

### Upgrade Installation With Keys

If configured and saved keys are found during installation, the installer can restore or reuse them without additional action. A different key file would only need to be used if the found key file is incorrect and thus needs to be replaced.

![](https://cdn.document360.io/6ef8bcc1-6489-4486-9ad1-83acff7e5df0/Images/Documentation/2022-03-31_154200.png)

## Saving Encryption Keys After Uninstalling

Key files are automatically placed in the **installbackup** folder after uninstalling. When reinstalling, the installer searches this directory to recover any key files if no existing keys are found.

![](https://cdn.document360.io/6ef8bcc1-6489-4486-9ad1-83acff7e5df0/Images/Documentation/2022-03-31_15h08_24.png)

---

## Transferring Keys between Environments

If a Key needs to be moved from one environment to another, say with a change between major versions, the steps required will depend on the particular security situation. In lower security settings, moving the key can be as simple as copying it from one file directory to another.

In more secure environments, users will need to discuss this with their internal network teams.
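
One way to do the file copy described above with an integrity check, as an added PowerShell example (not Decisions tooling): the source defaults to the v.9 path listed on this page, and `-DestinationDir` is a placeholder for wherever the key is being moved or backed up.

```powershell
# Added example: copy Keys.dat, confirm the copy is byte-identical, and list
# who can read it. $Source is the v.9 path from this page; $DestinationDir is
# a placeholder supplied by the operator.
param(
    [string]$Source = 'C:\Program Files\Decisions\FileStorage\Primary\Settings\Keys.dat',
    [Parameter(Mandatory)][string]$DestinationDir
)

$ErrorActionPreference = 'Stop'

if (-not (Test-Path -LiteralPath $Source -PathType Leaf)) {
    # Keys.dat only exists once an encryption event has occurred.
    throw "No key file at '$Source'."
}
if (-not (Test-Path -LiteralPath $DestinationDir -PathType Container)) {
    throw "Destination directory '$DestinationDir' does not exist."
}

$target = Join-Path $DestinationDir 'Keys.dat'
if (Test-Path -LiteralPath $target) {
    # Never silently overwrite a key file: the existing one may be the only
    # key that opens some other database.
    throw "'$target' already exists; move it aside before copying."
}

# Hash before and after so a truncated or corrupted copy is caught now,
# not when the database refuses to decrypt.
$before = (Get-FileHash -LiteralPath $Source -Algorithm SHA256).Hash
Copy-Item -LiteralPath $Source -Destination $target
$after = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash

if ($before -ne $after) {
    Remove-Item -LiteralPath $target
    throw 'Hash mismatch after copy; the copy was removed.'
}

# The key decrypts the database's secrets, so review who can read the copy.
(Get-Acl -LiteralPath $target).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

Write-Output "Keys.dat copied to '$target' and verified."
```

Review the printed access entries before leaving the copy in place; inherited permissions on the destination folder apply to the new file.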

---

For further information on Installation, visit the [Decisions Forum](https://community.decisions.com/categories/InstallationSetup).
