Question

Handling encryption security on FME Flow?


lifalin2016
Contributor

I just reinstalled a test FME Flow 2024 (from .0 to .2), but was unable to restore a backup from the previous version. Something to do with encryption.

This worries me, as we are getting close to wanting to upgrade our current 2022 servers.

How can I make sure that backups from the old 2022 servers can be read by the new (2024) servers?

Thanks in advance.

5 replies

todd_davis
Supporter
  • March 19, 2025

The Encryption key usage in backup/restore came out post 2022, so backup in 2022 and restoring in 2024 should not be affected. In later versions, the encryption key is created at install (key part of install process) and accessible via System configuration.

 

You need this encryption key to be able to open a backup on another FME Flow.


j.botterill
Influencer
  • March 20, 2025

The key you download looks like

[Image: Downloaded FME Flow security key]

and you’ll need to access it when you restore FME application backups.

Perhaps best to save it in a corporate password safe… or on the FME FLOW HOST and update your internal documentation.


lifalin2016
Contributor
  • Author
  • March 20, 2025
todd_davis wrote:

The Encryption key usage in backup/restore came out post 2022, ...

You need this encryption key to be able to open a backup on another FME Flow

Thanks Todd.

This explains my problem.

Do you know what the rationale for doing it this way is? It seems a little counter-intuitive to me.

Say, if one has two or more Flow instances running, and wants to transfer the setup from one to the other, they both need to be using the same encryption key for this to work. Is this correct?

Using separate encryption keys bars ever using backup files on other servers, limiting the usability of the backups.

Cheers.


todd_davis
Supporter
  • March 21, 2025

It was introduced based on a security issue that meant that a person who obtained a backup file could see the content of FME Flow as detailed here: https://support.safe.com/hc/en-us/articles/25407539193485-Known-Issue-FME-Flow-Secrets-Encryption-Weakness

But of course, this also means that you don’t want to store them together either.

But yes, I believe that if you are taking backups from two separate FME Flows, you are going to need to change the destination key to align (via the upload key button). Would be great if someone at Safe could confirm that, but that would be my understanding.

Cheers,

Todd


redgeographics
Celebrity

The way I understand it is like @todd_davis points out, so the same encryption key at the time of restore. You can change it afterwards though.

