# Creating a Symmetric key

In the **Setup** → **Key Store** section, the **Symmetric Keys** tab allows you to encrypt internal files with a symmetric key.

{% hint style="warning" %}
Encryption is not available for external files!
{% endhint %}

Encryption is managed at the Storage Class level. Files are encrypted with a symmetric key specified in the **Key** tab for the cluster associated with the Storage Class. A Storage Class for each cluster must be configured.

The key will be associated only with the **Storage Class** of the selected cluster – this is the reason why a Storage Class for each Cluster must be set. When configuring the key, specify the **cluster** associated with the Storage Class. The symmetric key will be created or imported into the Trust Store.

Symmetric encryption with **AES** is supported. The algorithm uses a **16-byte key**, and keys are managed with the Secure Store in the **Key Store** section.\
Encrypted filenames have an **EAR** (Encryption at rest) **prefix** and a **hash**.\
An encrypted file keeps its original size.

For security reasons, each Customer is responsible for its own keys, which will have to be created for each Cluster.

{% hint style="danger" %}
**Warning!**\
Keys cannot be recovered by Primeur personnel. For this reason, keys and the entire Key Store must be kept secure and never be lost.
{% endhint %}

To **create a Symmetric Key**, follow these steps:

* Click **Setup** → **Key Stores** → **Symmetric Keys** tab.
* In the **Cluster** drop-down list, select a cluster.
* Click the **NEW** button – or the **IMPORT** button to upload an already existing key.

<figure><img src="/files/0lSjWDxUQrCCNzcj2xY3" alt=""><figcaption></figcaption></figure>

* In the **New Symmetric Key** window, enter the KEY NAME, select the KEY SIZE (128, 192, 256: the longer the key, the higher its quality), and the ALGORITHM (at present, only AES is supported).
* Click **Confirm** to create your key, which will be listed in the **Symmetric Keys** tab.

**For security reasons, it is suggested to create a different key for each cluster.**

The created key can now be associated with an **empty Storage Class**. VFS and files must NOT be associated with the Storage Class when associating the key – if they are, the menus will be read-only.

To associate the key with an empty Storage Class, follow these steps:

1. Go to **Setup** → **Storage Classes** and edit a Storage Class (or click the **New Storage Class** button).
2. In the new **Clusters** and **Symmetric Keys** drop-down lists, select the Cluster associated with the Storage Class and the symmetric key you have created. Now the Storage Class is associated with the key.

**Note** that if the menus are read-only, some files are already associated with the Storage Class. Remember that it must be empty to associate a Symmetric Key.

3. Click the **Save** button. From now on, all the files in the Storage Class will be encrypted.

{% hint style="warning" %}
* Once a key is associated with the Storage Class, it cannot be edited or removed because the files would become unreadable.
* Once a Storage Class is associated with a VFS, with or without files, the key will no longer be editable. If you delete a key referenced from VFS, it cannot be recovered.
{% endhint %}

In the **Storage Class** window, the new **Clusters** and **Symmetric keys** menus are read-only if the Storage Class is already associated with a VFS or with files. This is a common scenario with Customers where Storage Classes are already defined.

