Skip to main content

Celonis Product Documentation

On-prem clients encryption

When connecting the on-prem clients with the Celonis Platform, the IT admin can decide to generate an encryption key to encrypt sensitive data in the installation package.

By default, the encryption key will be stored in the shared folder. But the IT admin can also decide to store the key in a different location.

Generating the encryption key is a part of the on-prem clients installation process. For step-by-step instructions on how to generate the encryption key, see 2. Installing on-prem clients.

This will automatically create the celonis-kms.yml file and encrypt all sensitive data like the application key and the proxy password. The encryption is done using the Advanced Encryption Standard (AES) with a 256-bit key length, integrated through Java's native APIs and combined with Galois/Counter Mode (GCM) for robust encryption.


We recommend generating an encryption key for all customers.