Manage Encryption Keys
- Last Updated: July 29, 2025
- MOVEit Transfer
- Version 2022
- Documentation
Manage and rotate org-specific or system-org keys (ORGS tab <org-or-system> - Security Information - Encryption Keys). The feature replaces the key used to initially encrypt your data and applies fresh encryption (on a per-org basis).
As an extra measure of security, the rotate keys feature enables you to refresh the org passphrase and the key derived from it, on demand or on a schedule, and re-encrypt your at-rest filestore. When the file re-encryption work completes with the new key, MOVEit Transfer notifies you by email.
Using the Key Rotation Dashboard, you can:
- Re-encrypt right now, periodically, or apply an appropriate schedule.
- Get help with a time-to-completion estimate.
- Pause and restart the conversion process.
- View history of Org or System-wide encryption key rotation.
- Get reminders on paused or pending rotations.
- Get alerts and reports on completed rotations.
Org and Sys-Org Key Rotation Guide
The Key Rotation feature guides you through steps needed to apply new encryption keys. It returns a time-to-completion summary to help you determine the best period to begin the re-encryption process. When the re-encryption work completes, MOVEit Transfer notifies you by email.
Key Rotation Guide (time-to-complete shown)

Rotate Org Key, Sys-Org Key (or both)
For an extra measure of security, you can rotate keys regularly or as site conditions require. The rotate keys feature enables you to refresh the passphrase and key derived from it, which is used to encrypt your at-rest filestore.
You must be signed-on as SysAdmin to apply these settings.
| Scope of Encryption... | Location in WebUI... | What's Encrypted... |
|---|---|---|
| Any Licensed Organization | ORGS > <org-name> - Security Information - Encryption Keys | User and file information associated with a particular MOVEit Transfer Org |
| System Organization | ORGS > System - Security Information - Encryption Keys | System-level data used by MOVEit Transfer. |
View History of Encryption Keys Applied
Encryption Key History is Available on the Org Key Management Page (Org encryption shown)

Pre-check: Click Begin for a Time-to-complete Estimate
Encryption Key Rotation Begins with a Time Estimate
Run Now, Schedule for Later and Pause/Resume at Any Time
You can pause key rotation while it is in progress and resume later when it is more convenient. For example, the host system where MOVEit Transfer is running will use more than its typical share of CPU resources while a key conversion progresses. This feature allows you to pause processing during, let's say, a peak download period and then resume once the busy period is over, so that your users do not perceive system latency. (You can also use the schedule feature for this purpose.)
Pause and Resume
Rotate Keys on a Schedule
If you can reliably predict periods when your MOVEit Transfer system will be busiest, you can use the Key Rotation Schedule feature to assign a non-peak period to re-encrypt files.
Rotate Periodically or Schedule for Non-Peak Hours
To Rotate At-Rest Data Encryption Keys
As a SysAdmin, you can refresh the encryption seed or "key" used to convert MOVEit Transfer system and org-specific data files to a freshly encrypted file store.
The table that follows breaks down the steps needed to apply new encryption keys to your org-specific or system-org data.
| Step | Action... | Description |
|---|---|---|
| 1. | Click Begin Key Rotation Process | Open an online guide that estimates the time it will take to complete re-encryption of your org data using the new key. |
| 2. | Estimation | Review the estimate. Next you can click: Note: For longer estimates it is best practice to launch the rotation during non-peak usage periods. |
| 3. | Create Passphrase | Click Continue to accept the estimate and apply a passphrase. Note: Remember to write down and secure (safeguard) your passphrase. |
| 4. | Click Start Now to re-encrypt your data using the new passphrase. —or— Edit/Enable Schedule | Run now (you can pause at any time) —or— Select and schedule periods when increased CPU utilization associated with re-encryption and key conversion is optimal. |
| 5. | Wait for notification. | Completion notification will be sent to you by way of your SysAdmin configured email. |

What's Next...
Perform Key Rotation
This process enables you to estimate and refresh your org's at-rest data encryption.
- Click Begin Process.
  MOVEit Transfer returns a time estimate and a summary of how much data and how many files will be affected. You can run this step multiple times.
- Click Continue. Then accept or provide a passcode. Note: Your passcode is a master key and is used to derive your encryption key. Make sure you write it down and safeguard it.
- Start Now. Click Start Now to begin the process of re-encrypting your Org files and data using the newly seeded and derived key. (An email will be sent to you once the process completes.)
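
A generic illustration of the mechanics described above (a key derived from a passphrase, batched re-encryption, pause and resume), added here as an example; it is not MOVEit Transfer's implementation. The scrypt and AES-256-GCM choices, the per-record `keyVersion` tag and all function names are assumptions, and the sample files and passphrases are constructed.

```javascript
const crypto = require('node:crypto');

// Derive a 256-bit key from a passphrase (assumed KDF: scrypt with a per-version salt).
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32);
}

function encrypt(key, plaintext) {
  const iv = crypto.randomBytes(12);              // fresh nonce for every record
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, body, tag: c.getAuthTag() };
}

function decrypt(key, rec) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, rec.iv);
  d.setAuthTag(rec.tag);                          // final() throws if data was altered
  return Buffer.concat([d.update(rec.body), d.final()]);
}

// Re-encrypt up to `budget` records still on an older key version, then stop.
// Each record names its key version, so a paused store stays fully readable.
function rotateBatch(store, keys, newVersion, budget) {
  let done = 0;
  for (const [name, rec] of store) {
    if (done >= budget) break;
    if (rec.keyVersion === newVersion) continue;  // already converted
    const plain = decrypt(keys.get(rec.keyVersion), rec);
    store.set(name, { keyVersion: newVersion, ...encrypt(keys.get(newVersion), plain) });
    done++;
  }
  const remaining = [...store.values()].filter(r => r.keyVersion !== newVersion).length;
  return { done, remaining };
}

const readFile = (store, keys, name) =>
  decrypt(keys.get(store.get(name).keyVersion), store.get(name)).toString();

// Constructed sample filestore: three files encrypted under key version 1.
function demo() {
  const keys = new Map([[1, deriveKey('old constructed passphrase', Buffer.from('salt-v1'))]]);
  const store = new Map();
  for (const n of ['a.txt', 'b.txt', 'c.txt'])
    store.set(n, { keyVersion: 1, ...encrypt(keys.get(1), Buffer.from('data:' + n)) });
  keys.set(2, deriveKey('new constructed passphrase', crypto.randomBytes(16)));
  const first = rotateBatch(store, keys, 2, 2);   // run, then "pause" after two files
  const midRead = readFile(store, keys, 'c.txt'); // not yet converted, still readable
  const second = rotateBatch(store, keys, 2, 10); // "resume" to completion
  if (second.remaining === 0) keys.delete(1);     // retire the old key only when nothing uses it
  return { first, midRead, second, finalRead: readFile(store, keys, 'a.txt') };
}
```

The point to take from the sketch is the retirement condition: the old key has to stay available until the count of unconverted records reaches zero, which is also why a lost passphrase during a paused rotation would be costly.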
Encryption Key Performance Notes
During production operations the encryption performance demands on the MOVEit Transfer server are naturally low relative to CPU performance. In other words, items you add to the filestore are encrypted in an on-demand fashion. However, when you re-encrypt a MOVEit Transfer filestore that has been built up with hundreds or thousands of files over time, this large-volume, batched encryption increases CPU workload, possibly for several hours or more. You can mitigate the perceived latency of the system through appropriate scheduling, scale-out, and by notifying your users who might perceive latency when interacting with MOVEit Transfer.
Web Farm Deployment Notes
MOVEit Transfer Web Farm at-rest key rotation works similarly to single-node key management.
There are a few main differences:
- Only the "primary" node (where you launch the estimate and key conversion) controls the key conversion process.
- Key conversion progress can be tracked from any Web Farm node.


