diff --git a/packages/plugins/@nocobase/plugin-environment-variables/src/server/AesEncryptor.tsx b/packages/core/server/src/aes-encryptor.tsx
similarity index 72%
rename from packages/plugins/@nocobase/plugin-environment-variables/src/server/AesEncryptor.tsx
rename to packages/core/server/src/aes-encryptor.tsx
index f255a1434f..2095f67494 100644
--- a/packages/plugins/@nocobase/plugin-environment-variables/src/server/AesEncryptor.tsx
+++ b/packages/core/server/src/aes-encryptor.tsx
@@ -8,10 +8,11 @@
 */
 import crypto from 'crypto';
-import fs from 'fs/promises';
+import fs from 'fs-extra';
 import path from 'path';
+import Application from './application';
-class AesEncryptor {
+export class AesEncryptor {
 private key: Buffer;
 constructor(key: Buffer) {
@@ -71,6 +72,29 @@ class AesEncryptor {
 }
 }
 }
+
+ static async getKeyPath(appName: string) {
+ const appKeyPath = path.resolve(process.cwd(), 'storage', 'apps', appName, 'aes_key.dat');
+ const appKeyExists = await fs.exists(appKeyPath);
+ if (appKeyExists) {
+ return appKeyPath;
+ }
+ const envKeyPath = path.resolve(process.cwd(), 'storage', 'environment-variables', appName, 'aes_key.dat');
+ const envKeyExists = await fs.exists(envKeyPath);
+ if (envKeyExists) {
+ return envKeyPath;
+ }
+ return appKeyPath;
+ }
+
+ static async create(app: Application) {
+ let key: any = process.env.APP_AES_SECRET_KEY;
+ if (!key) {
+ const keyPath = await this.getKeyPath(app.name);
+ key = await AesEncryptor.getOrGenerateKey(keyPath);
+ }
+ return new AesEncryptor(key);
+ }
 }
 export default AesEncryptor;
diff --git a/packages/core/server/src/application.ts b/packages/core/server/src/application.ts
index 91762f8a5a..09b520f3d3 100644
--- a/packages/core/server/src/application.ts
+++ b/packages/core/server/src/application.ts
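Review bot: `create()` reads only `APP_AES_SECRET_KEY`, whereas the `createAesEncryptor()` this commit removes from plugin.ts read `ENV_VARS_AES_SECRET_KEY`, so a deployment that still sets the old variable falls through to `getOrGenerateKey` and can end up with a different key, leaving previously encrypted values undecryptable. A fallback such as `let key: any = process.env.APP_AES_SECRET_KEY || process.env.ENV_VARS_AES_SECRET_KEY;` (or a documented migration step) would avoid that. The environment value is also a string held in `key: any` and passed to a constructor declared `constructor(key: Buffer)`, so nothing checks its type or length before it is used as key material; validating it here would fail fast on a malformed secret. In `getKeyPath`, `appName` is joined into the path unchecked, so if application names may contain `..` or separators (not visible in this hunk) the key file could resolve outside `storage/`. The legacy lookup also hard-codes `environment-variables` where the removed code used `this.name`; those should be confirmed equal.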
@@ -73,10 +73,11 @@ import { createPubSubManager, PubSubManager, PubSubManagerOptions } from './pub-
 import { SyncMessageManager } from './sync-message-manager';
 import packageJson from '../package.json';
-import { ServiceContainer } from './service-container';
 import { availableActions } from './acl/available-action';
+import AesEncryptor from './aes-encryptor';
 import { AuditManager } from './audit-manager';
 import { Environment } from './environment';
+import { ServiceContainer } from './service-container';
 export type PluginType = string | typeof Plugin;
 export type PluginConfiguration = PluginType | [PluginType, any];
@@ -437,6 +438,12 @@ export class Application exten
 return this._dataSourceManager;
 }
+ protected _aesEncryptor: AesEncryptor;
+
+ get aesEncryptor() {
+ return this._aesEncryptor;
+ }
+
 /**
 * @internal
 */
@@ -623,6 +630,8 @@ export class Application exten
 }
 }
+ this._aesEncryptor = await AesEncryptor.create(this);
+
 if (this.cacheManager) {
 await this.cacheManager.close();
 }
diff --git a/packages/core/server/src/index.ts b/packages/core/server/src/index.ts
index 806e3e26ad..6ef95601ab 100644
--- a/packages/core/server/src/index.ts
+++ b/packages/core/server/src/index.ts
@@ -7,15 +7,16 @@
 * For more information, please refer to: https://www.nocobase.com/agreement.
 */
+export * from './aes-encryptor';
 export * from './app-supervisor';
 export * from './application';
 export { Application as default } from './application';
+export * from './audit-manager';
 export * from './gateway';
 export * as middlewares from './middlewares';
 export * from './migration';
 export * from './plugin';
 export * from './plugin-manager';
-export * from './audit-manager';
 export * from './pub-sub-manager';
 export const OFFICIAL_PLUGIN_PREFIX = '@nocobase/plugin-';
diff --git a/packages/plugins/@nocobase/plugin-environment-variables/src/server/plugin.ts b/packages/plugins/@nocobase/plugin-environment-variables/src/server/plugin.ts
index 8dfc9afe68..070d008ad6 100644
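Review bot: The new `aesEncryptor` getter on `Application` is undocumented and returns `undefined` until the `this._aesEncryptor = await AesEncryptor.create(this);` assignment in the @@ -623 hunk has run, although the field is declared as a non-optional `AesEncryptor`. Declaring it `protected _aesEncryptor?: AesEncryptor;`, or throwing from the getter when it is unset, would turn an early access into a clear error rather than a failure inside an encrypt or decrypt call. Because the getter is public, every plugin now shares one encryptor and key, so a TSDoc line such as `/** App-wide AES encryptor shared by all plugins; set during load. */` would state that trust boundary. The method containing the assignment starts outside the hunk, so the exact lifecycle point is inferred from the `cacheManager` context lines.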
--- a/packages/plugins/@nocobase/plugin-environment-variables/src/server/plugin.ts
+++ b/packages/plugins/@nocobase/plugin-environment-variables/src/server/plugin.ts
@@ -8,12 +8,14 @@
 */
 import { Plugin } from '@nocobase/server';
-import path from 'path';
-import AesEncryptor from './AesEncryptor';
 export class PluginEnvironmentVariablesServer extends Plugin {
- aesEncryptor: AesEncryptor;
 updated = false;
+
+ get aesEncryptor() {
+ return this.app.aesEncryptor;
+ }
+
 async handleSyncMessage(message) {
 const { type, name, value } = message;
 if (type === 'updated') {
@@ -27,22 +29,11 @@ export class PluginEnvironmentVariablesServer extends Plugin {
 }
 async load() {
- this.createAesEncryptor();
 this.registerACL();
 this.onEnvironmentSaved();
 await this.loadVariables();
 }
- async createAesEncryptor() {
- let key: any = process.env.ENV_VARS_AES_SECRET_KEY;
- if (!key) {
- key = await AesEncryptor.getOrGenerateKey(
- path.resolve(process.cwd(), 'storage', this.name, this.app.name, 'aes_key.dat'),
- );
- }
- this.aesEncryptor = new AesEncryptor(key);
- }
-
 registerACL() {
 this.app.acl.allow('environmentVariables', 'list', 'loggedIn');
 this.app.acl.registerSnippet({