Fixed
Details
Priority: Major
Assignee: Charles R Severance
Reporter: Charles R Severance
Created January 9, 2022 at 1:41 PM
Updated July 21, 2024 at 1:26 PM
Resolved July 8, 2024 at 3:02 AM
To protect "at rest" LTI secrets stored in the database, Sakai provides a property:
lti.encryption.key=some-string-that-you-keep-secret
The string can be a passphrase or something like a UUID. Do not lose it: if you do an export and import, or some other copy, you will need this value to unlock the secrets stored in the database.
Until you set this value, the secrets will be unencrypted in the database - and Sakai runs just fine because it can tell the difference between an unencrypted and encrypted secret.
But once you set this value, you need to keep it set to the same value or the secrets will be lost. If you lose the key, you can simply re-enter any secrets and they will be stored either in plain text or encrypted with the new key.
Note that if you run Sakai for a while without this property set and then set it later, Sakai does not go back and encrypt the secrets already stored; each one is encrypted only when you add or edit it. So for a while you will have a mix of encrypted and unencrypted secrets in your database. New or edited secrets will be encrypted and old secrets will stay unencrypted.
Note that in earlier versions of Sakai this property was called ‘basiclti.encryption.key’. That name is still treated as an alias for ‘lti.encryption.key’ in the name of upwards compatibility.
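An added example (not Sakai's code) that checks properties text for the settings described above: whether a key is set, whether only the older property name is used, and whether two systems resolve to the same key before an export and import. The parser is a simplification of the Java properties format, the precedence of the newer name when both are set is an assumption, and the sample configurations are constructed.

```python
PRIMARY = "lti.encryption.key"
LEGACY = "basiclti.encryption.key"                 # older alias named on the page
PLACEHOLDER = "some-string-that-you-keep-secret"   # sample value from the page


def parse_properties(text):
    """Minimal key=value parser (assumption: no line continuations or escapes)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()   # a later definition overrides an earlier one
    return props


def audit_key(text):
    """Return (effective_key_or_None, findings) for one configuration."""
    props = parse_properties(text)
    primary = props.get(PRIMARY) or None
    legacy = props.get(LEGACY) or None
    findings = []
    if primary and legacy and primary != legacy:
        findings.append("conflict: both property names set with different values")
    if not primary and legacy:
        findings.append("legacy: only the old property name is set")
    # Assumption: the newer name wins when both are present.
    effective = primary or legacy
    if effective is None:
        findings.append("unset: new or edited secrets are stored unencrypted")
    elif effective == PLACEHOLDER:
        findings.append("placeholder: documentation sample value in use")
    return effective, findings


def same_key(source_text, target_text):
    """True when both configurations resolve to the same non-empty key, which
    moving encrypted secrets between the two systems requires."""
    src, _ = audit_key(source_text)
    dst, _ = audit_key(target_text)
    return src is not None and src == dst


# Constructed sample configurations (not real keys).
PROD = "lti.encryption.key=3f1c9a52-constructed-key\n"
OLD = "# pre-rename config\nbasiclti.encryption.key = 3f1c9a52-constructed-key\n"
FRESH = "# lti.encryption.key=\nserverName=sakai.example.edu\n"
```

Run `same_key` against the source and destination configurations before copying a database, and treat any `unset` finding as a sign that the database may hold a mix of encrypted and unencrypted secrets.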