diff --git a/app/MindWork AI Studio/Assistants/I18N/allTexts.lua b/app/MindWork AI Studio/Assistants/I18N/allTexts.lua
index ee6f8403..7b844c06 100644
--- a/app/MindWork AI Studio/Assistants/I18N/allTexts.lua
+++ b/app/MindWork AI Studio/Assistants/I18N/allTexts.lua
@@ -2068,6 +2068,9 @@ UI_TEXT_CONTENT["AISTUDIO::COMPONENTS::SETTINGS::SETTINGSPANELAPP::T1666052109"]
-- Select a transcription provider for transcribing your voice. Without a selected provider, dictation and transcription features will be disabled.
UI_TEXT_CONTENT["AISTUDIO::COMPONENTS::SETTINGS::SETTINGSPANELAPP::T1834486728"] = "Select a transcription provider for transcribing your voice. Without a selected provider, dictation and transcription features will be disabled."
+-- Generate encryption secret and copy to clipboard
+UI_TEXT_CONTENT["AISTUDIO::COMPONENTS::SETTINGS::SETTINGSPANELAPP::T1849391976"] = "Generate encryption secret and copy to clipboard"
+
-- Select the language behavior for the app. The default is to use the system language. You might want to choose a language manually?
UI_TEXT_CONTENT["AISTUDIO::COMPONENTS::SETTINGS::SETTINGSPANELAPP::T186780842"] = "Select the language behavior for the app. The default is to use the system language. You might want to choose a language manually?"
@@ -2089,6 +2092,9 @@ UI_TEXT_CONTENT["AISTUDIO::COMPONENTS::SETTINGS::SETTINGSPANELAPP::T2143741496"]
-- Disable dictation and transcription
UI_TEXT_CONTENT["AISTUDIO::COMPONENTS::SETTINGS::SETTINGSPANELAPP::T215381891"] = "Disable dictation and transcription"
+-- Enterprise Administration
+UI_TEXT_CONTENT["AISTUDIO::COMPONENTS::SETTINGS::SETTINGSPANELAPP::T2277116008"] = "Enterprise Administration"
+
-- Language behavior
UI_TEXT_CONTENT["AISTUDIO::COMPONENTS::SETTINGS::SETTINGSPANELAPP::T2341504363"] = "Language behavior"
@@ -2110,6 +2116,9 @@ UI_TEXT_CONTENT["AISTUDIO::COMPONENTS::SETTINGS::SETTINGSPANELAPP::T3165555978"]
-- App Options
UI_TEXT_CONTENT["AISTUDIO::COMPONENTS::SETTINGS::SETTINGSPANELAPP::T3577148634"] = "App Options"
+-- Generate a 256-bit encryption secret for encrypting API keys in configuration plugins. Deploy this secret to client machines via Group Policy (Windows Registry) or environment variables. Providers can then be exported with encrypted API keys using the export buttons in the provider settings.
+UI_TEXT_CONTENT["AISTUDIO::COMPONENTS::SETTINGS::SETTINGSPANELAPP::T362833"] = "Generate a 256-bit encryption secret for encrypting API keys in configuration plugins. Deploy this secret to client machines via Group Policy (Windows Registry) or environment variables. Providers can then be exported with encrypted API keys using the export buttons in the provider settings."
+
-- When enabled, streamed content from the AI is updated once every third second. When disabled, streamed content will be updated as soon as it is available.
UI_TEXT_CONTENT["AISTUDIO::COMPONENTS::SETTINGS::SETTINGSPANELAPP::T3652888444"] = "When enabled, streamed content from the AI is updated once every third second. When disabled, streamed content will be updated as soon as it is available."
diff --git a/app/MindWork AI Studio/Components/Settings/SettingsPanelApp.razor b/app/MindWork AI Studio/Components/Settings/SettingsPanelApp.razor
index 7e5f67e8..98e07a09 100644
--- a/app/MindWork AI Studio/Components/Settings/SettingsPanelApp.razor
+++ b/app/MindWork AI Studio/Components/Settings/SettingsPanelApp.razor
@@ -37,4 +37,22 @@
}
+
+ @if (this.SettingsManager.ConfigurationData.App.ShowAdminSettings)
+ {
+
+ @T("Enterprise Administration")
+
+
+
+ @T("Generate a 256-bit encryption secret for encrypting API keys in configuration plugins. Deploy this secret to client machines via Group Policy (Windows Registry) or environment variables. Providers can then be exported with encrypted API keys using the export buttons in the provider settings.")
+
+
+
+ @T("Generate an encryption secret and copy it to the clipboard")
+
+ }
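Review bot: The button label `@T("Generate an encryption secret and copy it to the clipboard")` differs from the string this commit registers in allTexts.lua under `T1849391976`, "Generate encryption secret and copy to clipboard". The registered wording is also the one the Enterprise IT documentation tells administrators to look for. If the I18N lookup is keyed on the exact English text, as the paired comment and value entries suggest, this label would have no matching translation entry. I would use the same wording in all three places, e.g. `@T("Generate encryption secret and copy to clipboard")`. The surrounding component markup is not visible in this view of the hunk, so the button binding itself could not be checked.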
diff --git a/app/MindWork AI Studio/Components/Settings/SettingsPanelApp.razor.cs b/app/MindWork AI Studio/Components/Settings/SettingsPanelApp.razor.cs
index 2fbb61ed..81c2b7e5 100644
--- a/app/MindWork AI Studio/Components/Settings/SettingsPanelApp.razor.cs
+++ b/app/MindWork AI Studio/Components/Settings/SettingsPanelApp.razor.cs
@@ -6,6 +6,12 @@ namespace AIStudio.Components.Settings;
public partial class SettingsPanelApp : SettingsPanelBase
{
+ private async Task GenerateEncryptionSecret()
+ {
+ var secret = EnterpriseEncryption.GenerateSecret();
+ await this.RustService.CopyText2Clipboard(this.Snackbar, secret);
+ }
+
private IEnumerable> GetFilteredTranscriptionProviders()
{
yield return new(T("Disable dictation and transcription"), string.Empty);
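Review bot: `GenerateEncryptionSecret` has no doc comment and places the new secret on the system clipboard without any caveat. Clipboard history, cloud clipboard sync, or remote-desktop clipboard sharing can retain or forward it after the administrator has pasted it. I would add `/// <summary>Generates a new enterprise encryption secret and copies it to the clipboard; move it into a secret store promptly and overwrite the clipboard afterwards.</summary>` and repeat that hint in the UI text. Whether `CopyText2Clipboard` echoes the copied text in the snackbar is not visible here, so it is worth confirming that it shows only a confirmation message. The class body continues outside the hunk.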
diff --git a/app/MindWork AI Studio/wwwroot/changelog/v26.2.2.md b/app/MindWork AI Studio/wwwroot/changelog/v26.2.2.md
index b0e6f18f..977f7da9 100644
--- a/app/MindWork AI Studio/wwwroot/changelog/v26.2.2.md
+++ b/app/MindWork AI Studio/wwwroot/changelog/v26.2.2.md
@@ -2,4 +2,5 @@
- Added a vector database (Qdrant) as a building block for our local RAG (retrieval-augmented generation) solution. Thank you very much, Paul (`PaulKoudelka`), for this major contribution. Note that our local RAG implementation remained in preview and has not yet been released; other building blocks are not yet ready.
- Added an app setting to enable administration options for IT staff to configure and maintain organization-wide settings.
- Added an option to export all provider types (LLMs, embeddings, transcriptions) so you can use them in a configuration plugin. You'll be asked if you want to export the related API key too. API keys will be encrypted in the export. This feature only shows up when administration options are enabled.
+- Added an option in the app settings to create an encryption secret, which is required to encrypt values (for example, API keys) in configuration plugins. This feature only shows up when administration options are enabled.
- Improved the document analysis assistant (in beta) by hiding the export functionality by default. Enable the administration options in the app settings to show and use the export functionality. This streamlines the usage for regular users.
\ No newline at end of file
diff --git a/documentation/Enterprise IT.md b/documentation/Enterprise IT.md
index 57eaea8b..39d4fbd2 100644
--- a/documentation/Enterprise IT.md
+++ b/documentation/Enterprise IT.md
@@ -104,27 +104,20 @@ You can include encrypted API keys in your configuration plugins for cloud provi
### Setting Up Encrypted API Keys
1. **Generate an encryption secret:**
- You need a 32-byte (256-bit) secret key encoded in base64. You can generate one using:
- ```powershell
- # PowerShell (Windows)
- $bytes = [System.Security.Cryptography.RandomNumberGenerator]::GetBytes(32)
- [Convert]::ToBase64String($bytes)
- ```
- ```bash
- # Linux/macOS
- openssl rand -base64 32
- ```
+ In AI Studio, enable the "Show administration settings" toggle in the app settings. Then click the "Generate encryption secret and copy to clipboard" button in the "Enterprise Administration" section. This generates a cryptographically secure 256-bit key and copies it to your clipboard as a base64 string.
2. **Deploy the encryption secret:**
- Distribute the secret via Group Policy (Windows Registry) or environment variables:
+ Distribute the secret to all client machines via Group Policy (Windows Registry) or environment variables:
- Registry: `HKEY_CURRENT_USER\Software\github\MindWork AI Studio\Enterprise IT\config_encryption_secret`
- Environment: `MINDWORK_AI_STUDIO_ENTERPRISE_CONFIG_ENCRYPTION_SECRET`
+ You must also deploy the same secret on the machine where you will export the encrypted API keys (step 3).
+
3. **Export encrypted API keys from AI Studio:**
- The easiest way to get encrypted API keys is to use the export function:
+ Once the encryption secret is deployed on your machine:
- Configure a provider with an API key in AI Studio's settings
- Click the export button for that provider
- - If an API key is configured, you'll be asked if you want to include it
+ - If an API key is configured, you will be asked if you want to include the encrypted API key in the export
- The exported Lua code will contain the encrypted API key in the format `ENC:v1:`
4. **Add encrypted keys to your configuration:**