Changing the encryption key will cause the current shared secrets to become invalid. There is no migration between keys and it is recommended for the Administrator to reset ALL user 2FA Configuration through the "2FA Users" administration screen.

By default, most Java implementations restrict AES key length to 128 bytes in length. This can be modified by installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files at http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html (if available for your Jurisdiction).

By default, the Two Factor Authentication app encrypts the TOTP shared secret key in the database using a default AES 128 bit encryption key. The default encryption key can be changed but the local administrator by placing a file in the home directory of the host application(Bitbucket Server) and naming it /wittified.2fa-encryption. The file should be contain the new encryption key (without any extra content). Once this is done, the app automatically starts to use the new encryption key. The key should be expressed in hexadecimal format and in appropriate length(16, 24, 32 pre-hex length). For example ways of generating new keys, see below.

Generate a new key

To generate a new key, you can execute the following command on linux:

128 bits

openssl rand 16 -hex

192 bits

openssl rand 24 -hex

256 bits

openssl rand 32 -hex