Generating a New Encryption Key with the Encryption Key Utility

Passwords and process-to-process communication in Watson™ Explorer Engine are secured with the AES-128-GCM encryption algorithm, which uses 128 bit keys, and OpenSSL. A default encryption key is included when you install Watson Explorer Engine. IBM recommends that you generate a new, unique key after installation for maximum security.

About this task

All of the following in Watson Explorer Engine will be encrypted using this encryption method:
  • All Distributed Indexing communications.
  • All passwords that are used to authenticate to external systems (e.g. the passwords needed for connectors in seeds, for remote push, collaboration features, etc.) will be stored in an encrypted form on disk.
  • Interprocess communication where passwords need to be transmitted.
Note: Indexes remain unencrypted in Watson Explorer Engine.

Additional note regarding security: Beginning with Watson Explorer version, all Watson Explorer user passwords are secured using the scrypt algorithm, which generates one-way cryptographic hashes. These user passwords are stored in users.xml.

Warning: Proceed with caution when generating a new encryption key. This key is used to encrypt and decrypt everything listed above.

  • If this key is stolen, all encrypted data would be at risk. It is strongly recommended that this encryption key be stored in a data vault with proper safeguards.
  • If it were lost, all encrypted passwords would need to be reentered, and all system services would need to be restarted.

Important: You should generate ONE KEY on ONE SERVER and copy it to all other servers. Do not generate multiple keys. If you start using Watson Explorer, and run the utility after that, the encryption key will be replaced - and you risk being unable to decrypt the data encrypted with the original key.


  1. To generate a new encryption key:
    Option Description
    Linux Start a terminal session (xterm, gnome-terminal, or other terminal application) and use the su or sudo -s command to become the root user. Enter <file-path>/generate-key.
    Note: Run generate-key -help if you would like to view additional system information before running the utility. This command does not run the utility. See generate-key to learn more about the generate-key command.
    Windows From a command prompt, run <file-path>\generate-key.exe. This command is located in <install_dir>\Engine\bin.
    Note: Run generate-key.exe -help if you would like to view additional system information before running the utility. This command does not run the utility.
    You will receive this message: "WARNING: An encryption keyfile already exists on disk. Any data encrypted using this key cannot be decrypted after generating a new key." (The encryption keyfile this warning is referring to is the default id_vcrypt key included with Watson Explorer.) Followed by this message: "Please confirm that you wish to continue [Y/N]"
  2. After you enter Y, you will receive the following messages:
    • "The existing keyfile has been backed up to <install_dir>\Engine\data\static\id_vcrypt.bak" (The old encryption key is backed up to this location in the event you accidentally generate a new key and need to restore the old one.)
    • "A new key has been generated and written to <install_dir>\Engine\data\static\id_vcrypt"
  3. Navigate to the id_vcrypt file to verify the key has been generated. (This file is located by default in <install_dir>\Engine\data\static\)
  4. Immediately store a copy of the encryption key in a safe place (such as a data vault) and secure it using your company's best practices. You should also safeguard the key stored in your Watson Explorer installation.
  5. Copy the key to the static directory of all other Watson Explorer servers that have Watson Explorer Engine installed. The default location of this directory is <install_dir>\Engine\data\static\