Generating a New Encryption Key

CloudFS comes with a temporary encryption certificate that should not be used in production. Creating a new encryption certificate allows you to use your own keys.

To generate a new encryption certificate, you must have a Windows host (Windows XP, Windows 7, Windows 8, Windows 10, or a Windows Server OS) on which you can install two applications.

To generate a new encryption certificate, you must do the following high-level tasks:

1. Check your system type.

2. Download OpenSSL.

3. Install Microsoft Visual C++ Redistributables.

4. Install OpenSSL Light.

5. Generate a new certificate.

To check your system type on a Windows 8 Operating System:

1. Open the Windows 8 Control Panel.

2. Select System and Security within the Control Panel.

3. In the System and Security Window, select System.

4. The system type displays. The system type is either 64-bit or 32-bit.

To check your system type on a Windows 7 Operating System:

1. Select Start > Computer > Properties.

2. The system type displays under System. The system type is either 64-bit or

To check your system type on a Windows XP Operating System:

1. Click Start.

2. Right click on My Computer.

3. Select Properties.

● If you don't see x64 Edition listed, then you're running the 32-bit version of Windows XP.

● If x64 Edition is listed under System, you're running the 64-bit version of Windows XP.

To download OpenSSL:

1. Download OpenSSL at

2. Select Products.

3. Download the latest version of OpenSSL 1.0 (do not download 1.1) for your system type. Both the standard and light versions will work.

To install Microsoft Visual C++ Redistributables:

1. Launch vcredist_x (32 or 64).

2. Accept all default settings by clicking Next.

To install OpenSSL:

1. Launch OpenSSL.

2. Install one of the following into the default directory: C:\OpenSSL-Win64 for 64-bit systems or C:\OpenSSL-Win32 for 32-bit systems.

3. Change the Copy OpenSSL DLLs option to the OpenSSL binaries (/bin) directory.

To generate a new key:

Save the following code block as genkey.cmd using WordPad or any other text editor:

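    @echo off
    rem Prompts for a passphrase and certificate details, then writes %1.p12
    echo Confirm creation of P12 key named %1
    set oldpath=%path%
    set path=%path%;C:\OpenSSL-Win64\bin
    set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg
    rem Create a 2048-bit RSA private key and a certificate signing request
    call openssl req -new -keyout %1.key -out %1.csr -newkey rsa:2048
    rem Self-sign the request; the certificate is valid for 1826 days
    call openssl x509 -req -days 1826 -in %1.csr -signkey %1.key -out %1.crt
    rem Bundle certificate and private key into a password-protected PKCS#12 file
    call openssl pkcs12 -export -in %1.crt -inkey %1.key -out %1.p12 -name "%1_Panzura_Key"
    rem Remove the intermediate files; only %1.p12 is kept
    del %1.csr %1.crt %1.key
    set path=%oldpath%
    echo Take note of where you saved the file %1.p12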

If you're using the 32-bit version, change the paths above from C:\OpenSSL-Win64\bin to C:\OpenSSL-Win32\bin.

Open a cmd prompt, change to the directory where genkey.cmd is located, and do the following:

a. Run the command in a directory to which you have write access, passing the name of the certificate as an argument. You cannot use blank spaces in the certificate name. For example:


    cd \Users\Peter\Documents
    genkey.cmd mycert

b. Enter a passphrase. Note: The export password and passphrase can be the same.

c. Complete the customer information fields.

d. When you get to the extra attributes page, press Enter. Note: You don't need to fill this out.

e. Enter the Export Password. Note: 

mycert.p12 is the file that will be uploaded to the node.
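
Before uploading, it is worth confirming that the .p12 opens with the export password and holds the certificate you expect. The script below is an added example, not part of the original procedure or the vendor's tooling; the file name verifykey.cmd is hypothetical, and it assumes the 64-bit install path used above.

```batch
@echo off
rem verifykey.cmd (hypothetical name): inspect a .p12 produced by genkey.cmd
rem before it is uploaded. Usage: verifykey.cmd mycert
setlocal
if "%~1"=="" (
    echo Usage: %~nx0 certname
    exit /b 2
)
if not exist "%~1.p12" (
    echo %~1.p12 not found in %cd%
    exit /b 2
)
rem Assumption: default 64-bit install path from this page; adjust for Win32.
set "PATH=%PATH%;C:\OpenSSL-Win64\bin"
set "OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg"
set "TMPCRT=%TEMP%\%~1_verify_%RANDOM%.pem"

rem Extract only the certificate, so no private key is written to disk.
rem OpenSSL prompts for the export password chosen in genkey.cmd.
openssl pkcs12 -in "%~1.p12" -nokeys -clcerts -out "%TMPCRT%"
if errorlevel 1 (
    echo FAILED: could not open %~1.p12 - wrong password or damaged file
    del "%TMPCRT%" 2>nul
    exit /b 1
)

rem Show the subject, the validity window and a SHA-256 fingerprint.
openssl x509 -in "%TMPCRT%" -noout -subject -dates -fingerprint -sha256

rem Confirm the key size matches the -newkey rsa:2048 request.
openssl x509 -in "%TMPCRT%" -noout -text | findstr /C:"Public-Key: (2048 bit)" >nul
if errorlevel 1 (
    echo WARNING: certificate does not report a 2048-bit public key
    del "%TMPCRT%"
    exit /b 1
)

rem A leftover .key file means genkey.cmd did not reach its cleanup step.
if exist "%~1.key" echo WARNING: %~1.key is still on disk; remove it once %~1.p12 is verified.

del "%TMPCRT%"
echo OK: %~1.p12 opens and holds a 2048-bit certificate.
endlocal
```

Run it from the directory that contains the .p12, for example `verifykey.cmd mycert`, and record the printed fingerprint so the uploaded file can be matched to it later.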