# gene/module-encryption-key-manager

> Gene encryption key manager

`composer require gene/module-encryption-key-manager`

Canonical URL: https://packagento.com/gene/module-encryption-key-manager

## At a glance

- **Vendor**: gene (https://packagento.com/gene.md)
- **Latest version**: 0.0.17-alpha — released 2025-04-25
- **Pricing**: Free
- **Package type**: Magento 2 module
- **Status**: active, accepting new buyers

## Installation

Packagento is licence-gated, so even free packages need a licence on a project before Composer can resolve them.

1. **Sign in or create an account** at https://packagento.com/customer/account/.

2. **Add the package to your account.** Open https://packagento.com/gene/module-encryption-key-manager and complete the free checkout. A licence is minted automatically.

3. **Create or pick a project, then activate the licence on it.**
   - Projects represent the Magento installs you deploy to. Manage them at https://packagento.com/projects/.
   - Activate the new licence on the project you'll deploy this package to. Activation is what generates the Composer credentials scoped to that project.

4. **Add the project credentials to your Magento codebase.**

   Grab the project's public + private key from https://packagento.com/projects/ (open the project, then its Credentials tab), and add them to `auth.json`:

   ```json
   {
     "http-basic": {
       "packagento.com": {
         "username": "ppk_live_...",
         "password": "psk_live_..."
       }
     }
   }
   ```

   Add the Packagento Composer repository to `composer.json`:

   ```json
   {
     "repositories": [
       { "type": "composer", "url": "https://packagento.com" }
     ]
   }
   ```

5. **Install and apply.**

   ```bash
   composer require gene/module-encryption-key-manager:*
   bin/magento setup:upgrade
   bin/magento setup:di:compile
   bin/magento cache:flush
   ```

## What it does

Gene encryption key manager

## README

[![<genecommerce>](https://circleci.com/gh/genecommerce/module-encryption-key-manager.svg?style=svg)](https://circleci.com/gh/genecommerce/module-encryption-key-manager)

This module was built to aid with https://sansec.io/research/cosmicsting-hitting-major-stores

From the Sansec post:
> Upgrading is Insufficient
> As we warned in our earlier article, it is crucial for merchants to upgrade or apply the official isolated fix. At this stage however, just patching for the CosmicSting vulnerability is likely to be insufficient.
>
> The stolen encryption key still allows attackers to generate web tokens even after upgrading. Merchants that are currently still vulnerable should consider their encryption key as compromised. Adobe offers functionality out of the box to change the encryption key while also re-encrypting existing secrets.
>
> Important note: generating a new encryption key using this functionality does not invalidate the old key. We recommend manually updating the old key in app/etc/env.php to a new value rather than removing it.

Even with your store secured, there is a chance that a JWT was issued and may still be valid. Merchants are strongly encouraged to rotate their encryption key to be safe, and note that the stock Magento process of generating a new encryption key does not actually invalidate the old one.

This module is provided as-is without any warranty. Test this on your local instances, then staging, then production. Use at your own risk.

This module **does not conflict** with the [new hotfix](https://experienceleague.adobe.com/en/docs/commerce-knowledge-base/kb/troubleshooting/known-issues-patches-attached/security-update-available-for-adobe-commerce-apsb24-40-revised-to-include-isolated-patch-for-cve-2024-34102?#hotfix) released by Adobe. Both this module and that hotfix improve security in the same way, by making `SecretBasedJwksFactory` use the most recent key. This module also provides additional tooling and improvements; please read below.

## Installation
```bash
composer require gene/module-encryption-key-manager
bin/magento setup:upgrade
```

## How to rotate your key and protect your store

This is a rough list of steps that should be followed to prevent attacks with CosmicSting. Please read all of the steps carefully to understand the features this module provides, as well as the points of risk.

### Generate a new Key and prevent old ones from being used for JWT

This should be every merchant's **priority!** Install this module and generate a new key with:

`php bin/magento gene:encryption-key-manager:generate [--key=MY_32_CHAR_CRYPT_KEY] [--skip-saved-credit-cards]`

This will force the JWT factory to use the newly generated key. Other areas of the application may continue to use the old keys. This step is the absolute priority and will help prevent attacks with CosmicSting.

- Use the `--key` option to manually define the new key to use during re-encryption. If no custom key is provided, a new key will be generated.
- Use the `--skip-saved-credit-cards` flag to skip re-encrypting the `sales_order_payment` `cc_number_enc` data. This table can be very large, and many stores will have no data saved in this column.

### Fully rotate your old keys

You can take your time to do the following. You are safe from CosmicSting provided you have installed the [isolated patches](https://experienceleague.adobe.com/en/docs/commerce-knowledge-base/kb/troubleshooting/known-issues-patches-attached/security-update-available-for-adobe-commerce-apsb24-40-revised-to-include-isolated-patch-for-cve-2024-34102#isolated-patch-details) and used this module to generate a new encryption key.

Then you are free to decide if you wish to re-encrypt your old data, and then invalidate your old key.

1. **Review your database** (make sure zgrep is on version 1.12) for any tables with encrypted values. Make sure your dump is `--human-readable` (magerun) or `--extended-insert=FALSE` (mysqldump) so that all values are on the same line as the `INSERT INTO`:

   ```bash
   $ zgrep -P "VALUES\s*\(.*\d:\d:...*'" database.sql | awk '{print $3}' | uniq
   admin_user
   core_config_data
   customer_entity
   oauth_token
   oauth_consumer
   tfa_user_config
   admin_adobe_ims_webapi
   adobe_user_profile
   ```

   Or, to get an overview of all found tables with the number of matching records in each:

   ```bash
   zgrep -P "VALUES\s*\(.*\d:\d:...*'" database.sql | awk '{print $3}' | sort | uniq -c
   ```
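The zgrep pipelines above only list table names; before overwriting the old key in `app/etc/env.php` you also want to know which key version each stored value still uses. The script below is an added example, not code from the gene module or the Sansec post; it assumes a plain-text (already gunzipped), non-extended-insert dump and that encrypted values carry Magento's `keyVersion:cipherVersion:base64` prefix, with the key version being the index of the key inside `crypt/key`. The sample rows are constructed.

```shell
#!/bin/sh
# Added example, not part of the gene module: tally Magento-encrypted values
# per table and per key version in a plain-text, non-extended-insert dump.
# Stored values look like 'KEYVERSION:CIPHERVERSION:BASE64', where the key
# version is the index of the key inside crypt/key in app/etc/env.php, so
# any row still at an old index has not been re-encrypted yet.

count_encrypted_by_key() {          # $1 = dump path (gunzip a .sql.gz first)
  awk -v q="'" '
    /^INSERT INTO/ {
      tbl = $3; gsub(/`/, "", tbl)   # $3 is the backtick-quoted table name
      re = q "[0-9]+:[0-9]+:[A-Za-z0-9+/=]+" q
      rest = $0
      while (match(rest, re)) {
        tok = substr(rest, RSTART + 1, RLENGTH - 2)
        split(tok, part, ":")
        # real ciphertexts are long; this skips TIME-like values such as 10:20:30
        if (length(part[3]) >= 16) count[tbl " key=" part[1]]++
        rest = substr(rest, RSTART + RLENGTH)
      }
    }
    END { for (k in count) print k, count[k] }
  ' "$1" | sort
}

make_sample_dump() {                # $1 = output path; constructed rows, not real data
  cat > "$1" <<'EOF'
INSERT INTO `core_config_data` VALUES (1,'default',0,'payment/gw/secret','0:3:Q29uc3RydWN0ZWQ=');
INSERT INTO `core_config_data` VALUES (2,'default',0,'payment/gw/pass','1:3:UmVlbmNyeXB0ZWQ=');
INSERT INTO `core_config_data` VALUES (3,'default',0,'web/unsecure/base_url','http://example.test/');
INSERT INTO `oauth_token` VALUES (7,1,NULL,'access','0:3:YWNjZXNzLXRva2VuLW9uZQ==','0:3:b2F1dGgtc2VjcmV0LW9uZQ==');
INSERT INTO `shift_times` VALUES (9,'morning','10:20:30');
EOF
}

# Usage: sh audit_keys.sh database.sql
if [ -n "${1:-}" ]; then count_encrypted_by_key "$1"; fi
```

Rows reported under an old key index are the ones still to re-encrypt (or to accept losing) before that key is replaced in `env.php`.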

_(README truncated for .md surface. Full README on https://packagento.com/gene/module-encryption-key-manager.)_

## Recent Versions

| Version | Released |
|---|---|
| 0.0.17-alpha | 2025-04-25 |
| 0.0.16-alpha | 2025-03-12 |
| 0.0.15-alpha | 2024-08-13 |
| 0.0.14-alpha-p1 | 2024-08-13 |
| 0.0.14-alpha | 2024-08-02 |
| 0.0.13-alpha | 2024-07-31 |
| 0.0.12-alpha | 2024-07-26 |
| 0.0.11-alpha | 2024-07-25 |
| 0.0.10-alpha | 2024-07-24 |
| 0.0.9-alpha | 2024-07-22 |

Showing 10 of 18 versions. Full release history on https://packagento.com/gene/module-encryption-key-manager.

## Dependencies

### Require

| Package | Constraint |
|---|---|
| magento/module-catalog | * |
| magento/module-encryption-key | * |
| magento/module-jwt-user-token | * |
| php | ^8.1\|\|^8.2\|\|^8.3\|^8.4 |

## Quality

Latest release (0.0.17-alpha) fails the Packagento QA pipeline. Verdicts below are per-cell (Magento line × PHP version) for the matrixed tools, and run-once for the static / security tiers.


### Compatibility

Each Magento line is installed on its supported PHP versions, then the module is built (DI compile + static-content deploy). Cells show passed / failed / untested; staircase gaps render as `–`.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | Pass | Pass | – | – |
| 2.4.8 | – | Pass | Pass | – |
| 2.4.9 | – | – | Pass | Pass |


### Code Quality

Advisory checks against the module's source. They never affect the Compatibility verdict; a phpcs finding cannot make a module incompatible.

#### Static Analysis

Coding standards (phpcs), mess detection (phpmd), copy-pasted code (cpd), PHP cross-version compatibility, composer.json validity. Each runs once for the whole module.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| PHPCS | Fail | 59 | 3 errors, 56 warnings (ruleset: Magento2) |
| PHPMD | Fail | 16 | 16 rule violations (MissingImport:10, CyclomaticComplexity:1, NPathComplexity:1, ExcessiveMethodLength:1, UndefinedVariable:1) |
| Cpd | Pass | 0 |  |
| Composer validate | Info | 4 | valid; 4 advisory notes (composer validate --strict) |

#### PHPStan

Type-checks the module against a real Magento install. Re-runs per Magento + PHP version because resolvable symbols differ between releases.

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | 23 | 23 | – | – |
| 2.4.8 | – | 23 | 23 | – |
| 2.4.9 | – | – | 23 | 23 |


### Tests

Unit and integration suites run per Magento + PHP cell. Test failures speak to the module's behaviour, not its compatibility with a line, so they're reported here separately.

#### Unit Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |

#### Integration Tests

| Magento | PHP 8.2 | PHP 8.3 | PHP 8.4 | PHP 8.5 |
|---|---|---|---|---|
| 2.4.7 | N/A | N/A | – | – |
| 2.4.8 | – | N/A | N/A | – |
| 2.4.9 | – | – | N/A | N/A |


### Security

Dependency-advisory audit (composer audit) plus a source malware scan. A malware detection fails the version outright.

| Tool | Status | Findings | Summary |
|---|---|---|---|
| Composer audit | Pass | 0 |  |

## Licence and pricing

Free. A licence is still minted on checkout and bound to your project for Composer access — no payment step.

Refundable within 14 days of first purchase via https://packagento.com/account/refunds/.

## Install via Claude Code or any MCP client

The Packagento MCP server can run the licence + project + Composer steps above in one tool call:

```
purchase_and_install_packages(
  composer_names=["gene/module-encryption-key-manager"],
  project_id="proj_xxx"
)
```

This handles cart, checkout, licence minting, project activation, and writes auth.json credentials. Connect a client with `claude mcp add packagento https://mcp.packagento.com`. Full setup at https://packagento.com/docs/mcp-setup.

## Vendor

gene is a Magento 2 vendor on Packagento. See https://packagento.com/gene.md for their full catalogue.

