Skip to main content

Kofax TotalAgility - Encrypting and Decrypting the KTA executables KTA config files

Applies To 

  • TotalAgility 7.6
  • TotalAgility 7.7
  • TotalAgility 7.8


The goal here is to encrypt the connection strings in the KTA executables configuration files such as Agility.Server.Core.WorkerService.exe.config, Kofax.CEBPM.CPUServer.ServiceHost.exe.config, etc.

Note: These steps don't work for the KTA web.confg.  For instructions on how to do this, see article here


Start by backing up the current executable config file.

Add the below section to the config file just above the </configuration> closing tag.

        <add useMachineProtection="true" name="DPAPIProtection" type="System.Configuration.DpapiProtectedConfigurationProvider, System.Configuration, Version=, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Copy the Kofax.CEBPM.EncryptConfig.exe into the same folder as the config file.  This utility can be found in the installation files in the Utilities folder.

Run command prompt as an administrator and change the location to directory of the config file we are going to encrypt.  For example below.

cd C:\Program Files\Kofax\TotalAgility\CoreWorkerService

Finally, run the below command.  This will encrypt the appSettings section of the config file that holds the connection strings

Kofax.CEBPM.EncryptConfig.exe -f Agility.Server.Core.WorkerService.exe.config -s "appSettings" -p DPAPIProtection -enc

To decrypt the appSettings section, the below command can be used.

Kofax.CEBPM.EncryptConfig.exe -f Agility.Server.Core.WorkerService.exe.config -s "appSettings" -p DPAPIProtection -dec