In short, changing your MasterEncryptionKey shouldn't be a problem.

The MasterEncryptionKey is used in only a couple places in 13.3 (cloud storage configuration and remote ETL configurations), where actual passwords must be stored in the database. If you haven't used these features, you haven't encrypted any data.

In addition, if the value is blank or set to the default ("@@masterEncryptionKey@@"), then our encryption code will throw a configuration exception, requiring an administrator to provide an appropriate key.

Once you set the MasterEncryptionKey and encrypt values by configuring the services that use it, subsequently changing the key will be a problem... existing values will be irretrievable.

More details here: https://www.labkey.org/wiki/home/Documentation/page.view?name=cpasxml

Adam

thanks. this seems like a useful feature. i have more recently been using ROOT.xml to store credentials (like LDAP sync); however, I will probably convert our ETLs to use this since they store JDBC strings.

Yes, we considered just adding the remote ETL credentials into labkey/root.xml. This would have been easier, but with additional configurations likely, the admin inconvenience of forcing server restart on every edit plus the global nature of labkey.xml settings (no built-in scoping for user/container) made us lean in favor of building a general purpose encrypted property store.

PropertyManager.getEncryptedStore()

Adam