If you run X-cart 4.x store for more than a year, you would get an annoying reminder to regenerate your Blowfish encryption key:
“Your store’s Blowfish encryption key expired. You should re-generate the Blowfish encryption key to ensure security of sensitive data in your store’s database”
If you just click “regenerate” button and start the process, there is a good change it will screw up all the passwords, payment processing setup and encrypted orders data. Easiest way is just ask us to do this for you – we do this in our clients stores every other day – but if you feel optimistic and do not have anything better to do with your time, here is how to regenerate blowfish key safely:
- Check if you have “mcrypt” support enabled in PHP on your server. To do this, go to Tools -> Summary -> PHP : Details and search for “mcrypt”. You should see a whole section titled “mcrypt” and first line should say : “mcrypt support enabled”
* this is important! do not start process without this. - Backup your database – this is in case you will screw up – database hold your encrypted data
- Backup your config.php file – this is in case you will screw up – this file has current blowfish key which you will need back if you restore database
- Change config.php file permissions to 666 – X-cart will save new blowfish key in there
- Go to Tools -> Maintenance -> Re-generating the Blowfish encryption key
- This process will run from few seconds to several minutes unless your database has hundreds of thousands of customers in which case it will take a bit longer. Do not close your browser or click Back until it’s done!
- After you get “The Blowfish encryption key has been successfully re-generated.” message, logout from control panel and login again to verify your password is still working
- Change config.php file permissions back to 644
If you can not login after blowfish key was regenerated or your customers will complain they can not login, you need to restore the database and config.php file with old key. Do not try to regenerate key again unless you find out why it did not work the first time.
And again, the easiest way is to just ask us to do this for you.