diff --git a/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs b/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs
index b944cdd05289..79e91c960362 100644
--- a/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs
+++ b/src/Api/KeyManagement/Controllers/AccountsKeyManagementController.cs
@@ -13,6 +13,7 @@
 using Bit.Core.Entities;
 using Bit.Core.Exceptions;
 using Bit.Core.KeyManagement.Commands.Interfaces;
+using Bit.Core.KeyManagement.Models.Api.Request;
 using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.KeyManagement.Queries.Interfaces;
 using Bit.Core.KeyManagement.UserKey;
@@ -47,6 +48,7 @@ private readonly IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestMod
         _webauthnKeyValidator;
     private readonly IRotationValidator<IEnumerable<OtherDeviceKeysUpdateRequestModel>, IEnumerable<Device>> _deviceValidator;
     private readonly IKeyConnectorConfirmationDetailsQuery _keyConnectorConfirmationDetailsQuery;
+    private readonly ISetKeyConnectorKeyCommand _setKeyConnectorKeyCommand;
 
     public AccountsKeyManagementController(IUserService userService,
         IFeatureService featureService,
@@ -62,8 +64,10 @@ public AccountsKeyManagementController(IUserService userService,
             emergencyAccessValidator,
         IRotationValidator<IEnumerable<ResetPasswordWithOrgIdRequestModel>, IReadOnlyList<OrganizationUser>>
             organizationUserValidator,
-        IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>> webAuthnKeyValidator,
-        IRotationValidator<IEnumerable<OtherDeviceKeysUpdateRequestModel>, IEnumerable<Device>> deviceValidator)
+        IRotationValidator<IEnumerable<WebAuthnLoginRotateKeyRequestModel>, IEnumerable<WebAuthnLoginRotateKeyData>>
+            webAuthnKeyValidator,
+        IRotationValidator<IEnumerable<OtherDeviceKeysUpdateRequestModel>, IEnumerable<Device>> deviceValidator,
+        ISetKeyConnectorKeyCommand setKeyConnectorKeyCommand)
     {
         _userService = userService;
         _featureService = featureService;
@@ -79,6 +83,7 @@ public AccountsKeyManagementController(IUserService userService,
         _webauthnKeyValidator = webAuthnKeyValidator;
         _deviceValidator = deviceValidator;
         _keyConnectorConfirmationDetailsQuery = keyConnectorConfirmationDetailsQuery;
+        _setKeyConnectorKeyCommand = setKeyConnectorKeyCommand;
     }
 
     [HttpPost("key-management/regenerate-keys")]
@@ -146,18 +151,28 @@ public async Task PostSetKeyConnectorKeyAsync([FromBody] SetKeyConnectorKeyReque
             throw new UnauthorizedAccessException();
         }
 
-        var result = await _userService.SetKeyConnectorKeyAsync(model.ToUser(user), model.Key, model.OrgIdentifier);
-        if (result.Succeeded)
+        if (model.IsV2Request())
         {
-            return;
+            // V2 account registration
+            await _setKeyConnectorKeyCommand.SetKeyConnectorKeyForUserAsync(user, model);
         }
-
-        foreach (var error in result.Errors)
+        else
         {
-            ModelState.AddModelError(string.Empty, error.Description);
+            // V1 account registration
+            // TODO removed with https://bitwarden.atlassian.net/browse/PM-27328
+            var result = await _userService.SetKeyConnectorKeyAsync(model.ToUser(user), model.Key, model.OrgIdentifier);
+            if (result.Succeeded)
+            {
+                return;
+            }
+
+            foreach (var error in result.Errors)
+            {
+                ModelState.AddModelError(string.Empty, error.Description);
+            }
+
+            throw new BadRequestException(ModelState);
         }
-
-        throw new BadRequestException(ModelState);
     }
 
     [HttpPost("convert-to-key-connector")]
diff --git a/src/Api/KeyManagement/Models/Requests/SetKeyConnectorKeyRequestModel.cs b/src/Api/KeyManagement/Models/Requests/SetKeyConnectorKeyRequestModel.cs
deleted file mode 100644
index 9f52a97383b8..000000000000
--- a/src/Api/KeyManagement/Models/Requests/SetKeyConnectorKeyRequestModel.cs
+++ /dev/null
@@ -1,36 +0,0 @@
-// FIXME: Update this file to be null safe and then delete the line below
-#nullable disable
-
-using System.ComponentModel.DataAnnotations;
-using Bit.Core.Auth.Models.Api.Request.Accounts;
-using Bit.Core.Entities;
-using Bit.Core.Enums;
-
-namespace Bit.Api.KeyManagement.Models.Requests;
-
-public class SetKeyConnectorKeyRequestModel
-{
-    [Required]
-    public string Key { get; set; }
-    [Required]
-    public KeysRequestModel Keys { get; set; }
-    [Required]
-    public KdfType Kdf { get; set; }
-    [Required]
-    public int KdfIterations { get; set; }
-    public int? KdfMemory { get; set; }
-    public int? KdfParallelism { get; set; }
-    [Required]
-    public string OrgIdentifier { get; set; }
-
-    public User ToUser(User existingUser)
-    {
-        existingUser.Kdf = Kdf;
-        existingUser.KdfIterations = KdfIterations;
-        existingUser.KdfMemory = KdfMemory;
-        existingUser.KdfParallelism = KdfParallelism;
-        existingUser.Key = Key;
-        Keys.ToUser(existingUser);
-        return existingUser;
-    }
-}
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index 3710cb4a235a..a790e9a59da3 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -213,6 +213,7 @@ public static class FeatureFlagKeys
     public const string DisableType0Decryption = "pm-25174-disable-type-0-decryption";
     public const string ConsolidatedSessionTimeoutComponent = "pm-26056-consolidated-session-timeout-component";
     public const string DataRecoveryTool = "pm-28813-data-recovery-tool";
+    public const string EnableAccountEncryptionV2KeyConnectorRegistration = "enable-account-encryption-v2-key-connector-registration";
 
     /* Mobile Team */
     public const string AndroidImportLoginsFlow = "import-logins-flow";
diff --git a/src/Core/KeyManagement/Commands/Interfaces/ISetKeyConnectorKeyCommand.cs b/src/Core/KeyManagement/Commands/Interfaces/ISetKeyConnectorKeyCommand.cs
new file mode 100644
index 000000000000..16a2efb7b2ed
--- /dev/null
+++ b/src/Core/KeyManagement/Commands/Interfaces/ISetKeyConnectorKeyCommand.cs
@@ -0,0 +1,13 @@
+using Bit.Core.Entities;
+using Bit.Core.KeyManagement.Models.Api.Request;
+
+namespace Bit.Core.KeyManagement.Commands.Interfaces;
+
+/// <summary>
+/// Creates the user key and account cryptographic state for a new user registering
+/// with Key Connector SSO configuration.
+/// </summary>
+public interface ISetKeyConnectorKeyCommand
+{
+    Task SetKeyConnectorKeyForUserAsync(User user, SetKeyConnectorKeyRequestModel requestModel);
+}
diff --git a/src/Core/KeyManagement/Commands/SetKeyConnectorKeyCommand.cs b/src/Core/KeyManagement/Commands/SetKeyConnectorKeyCommand.cs
new file mode 100644
index 000000000000..fab6a9faa0ff
--- /dev/null
+++ b/src/Core/KeyManagement/Commands/SetKeyConnectorKeyCommand.cs
@@ -0,0 +1,55 @@
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Commands.Interfaces;
+using Bit.Core.KeyManagement.Models.Api.Request;
+using Bit.Core.KeyManagement.Queries.Interfaces;
+using Bit.Core.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+
+namespace Bit.Core.KeyManagement.Commands;
+
+public class SetKeyConnectorKeyCommand : ISetKeyConnectorKeyCommand
+{
+    private readonly ICanUseKeyConnectorQuery _canUseKeyConnectorQuery;
+    private readonly IEventService _eventService;
+    private readonly IAcceptOrgUserCommand _acceptOrgUserCommand;
+    private readonly IUserService _userService;
+    private readonly IUserRepository _userRepository;
+
+    public SetKeyConnectorKeyCommand(
+        ICanUseKeyConnectorQuery canUseKeyConnectorQuery,
+        IEventService eventService,
+        IAcceptOrgUserCommand acceptOrgUserCommand,
+        IUserService userService,
+        IUserRepository userRepository)
+    {
+        _canUseKeyConnectorQuery = canUseKeyConnectorQuery;
+        _eventService = eventService;
+        _acceptOrgUserCommand = acceptOrgUserCommand;
+        _userService = userService;
+        _userRepository = userRepository;
+    }
+
+    public async Task SetKeyConnectorKeyForUserAsync(User user, SetKeyConnectorKeyRequestModel requestModel)
+    {
+        // TODO remove validation with https://bitwarden.atlassian.net/browse/PM-27328
+        if (string.IsNullOrEmpty(requestModel.KeyConnectorKeyWrappedUserKey) || requestModel.AccountKeys == null)
+        {
+            throw new BadRequestException("KeyConnectorKeyWrappedUserKey and AccountKeys must be provided");
+        }
+
+        _canUseKeyConnectorQuery.VerifyCanUseKeyConnector(user);
+
+        var setKeyConnectorUserKeyTask =
+            _userRepository.SetKeyConnectorUserKey(user.Id, requestModel.KeyConnectorKeyWrappedUserKey);
+
+        await _userRepository.SetV2AccountCryptographicStateAsync(user.Id, requestModel.AccountKeys.ToAccountKeysData(),
+            [setKeyConnectorUserKeyTask]);
+
+        await _eventService.LogUserEventAsync(user.Id, EventType.User_MigratedKeyToKeyConnector);
+
+        await _acceptOrgUserCommand.AcceptOrgUserByOrgSsoIdAsync(requestModel.OrgIdentifier, user, _userService);
+    }
+}
diff --git a/src/Core/KeyManagement/KeyManagementServiceCollectionExtensions.cs b/src/Core/KeyManagement/KeyManagementServiceCollectionExtensions.cs
index abaf9406bae4..77adf6a99b9a 100644
--- a/src/Core/KeyManagement/KeyManagementServiceCollectionExtensions.cs
+++ b/src/Core/KeyManagement/KeyManagementServiceCollectionExtensions.cs
@@ -21,11 +21,13 @@ private static void AddKeyManagementCommands(this IServiceCollection services)
     {
         services.AddScoped<IRegenerateUserAsymmetricKeysCommand, RegenerateUserAsymmetricKeysCommand>();
         services.AddScoped<IChangeKdfCommand, ChangeKdfCommand>();
+        services.AddScoped<ISetKeyConnectorKeyCommand, SetKeyConnectorKeyCommand>();
     }
 
     private static void AddKeyManagementQueries(this IServiceCollection services)
     {
         services.AddScoped<IUserAccountKeysQuery, UserAccountKeysQuery>();
         services.AddScoped<IKeyConnectorConfirmationDetailsQuery, KeyConnectorConfirmationDetailsQuery>();
+        services.AddScoped<ICanUseKeyConnectorQuery, CanUseKeyConnectorQuery>();
     }
 }
diff --git a/src/Core/KeyManagement/Models/Api/Request/SetKeyConnectorKeyRequestModel.cs b/src/Core/KeyManagement/Models/Api/Request/SetKeyConnectorKeyRequestModel.cs
new file mode 100644
index 000000000000..0ba76f819092
--- /dev/null
+++ b/src/Core/KeyManagement/Models/Api/Request/SetKeyConnectorKeyRequestModel.cs
@@ -0,0 +1,93 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Auth.Models.Api.Request.Accounts;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Utilities;
+
+namespace Bit.Core.KeyManagement.Models.Api.Request;
+
+public class SetKeyConnectorKeyRequestModel : IValidatableObject
+{
+    // TODO will be removed with https://bitwarden.atlassian.net/browse/PM-27328
+    [Obsolete("Use KeyConnectorKeyWrappedUserKey instead")]
+    public string? Key { get; set; }
+
+    [Obsolete("Use AccountKeys instead")]
+    public KeysRequestModel? Keys { get; set; }
+    [Obsolete("Not used anymore")]
+    public KdfType? Kdf { get; set; }
+    [Obsolete("Not used anymore")]
+    public int? KdfIterations { get; set; }
+    [Obsolete("Not used anymore")]
+    public int? KdfMemory { get; set; }
+    [Obsolete("Not used anymore")]
+    public int? KdfParallelism { get; set; }
+
+    [EncryptedString]
+    public string? KeyConnectorKeyWrappedUserKey { get; set; }
+    public AccountKeysRequestModel? AccountKeys { get; set; }
+
+    [Required]
+    public required string OrgIdentifier { get; init; }
+
+    public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
+    {
+        if (IsV2Request())
+        {
+            // V2 registration
+            yield break;
+        }
+
+        // V1 registration
+        // TODO removed with https://bitwarden.atlassian.net/browse/PM-27328
+        if (string.IsNullOrEmpty(Key))
+        {
+            yield return new ValidationResult("Key must be supplied.");
+        }
+
+        if (Keys == null)
+        {
+            yield return new ValidationResult("Keys must be supplied.");
+        }
+
+        if (Kdf == null)
+        {
+            yield return new ValidationResult("Kdf must be supplied.");
+        }
+
+        if (KdfIterations == null)
+        {
+            yield return new ValidationResult("KdfIterations must be supplied.");
+        }
+
+        if (Kdf == KdfType.Argon2id)
+        {
+            if (KdfMemory == null)
+            {
+                yield return new ValidationResult("KdfMemory must be supplied when Kdf is Argon2id.");
+            }
+
+            if (KdfParallelism == null)
+            {
+                yield return new ValidationResult("KdfParallelism must be supplied when Kdf is Argon2id.");
+            }
+        }
+    }
+
+    public bool IsV2Request()
+    {
+        return !string.IsNullOrEmpty(KeyConnectorKeyWrappedUserKey) && AccountKeys != null;
+    }
+
+    // TODO removed with https://bitwarden.atlassian.net/browse/PM-27328
+    public User ToUser(User existingUser)
+    {
+        existingUser.Kdf = Kdf!.Value;
+        existingUser.KdfIterations = KdfIterations!.Value;
+        existingUser.KdfMemory = KdfMemory;
+        existingUser.KdfParallelism = KdfParallelism;
+        existingUser.Key = Key;
+        Keys!.ToUser(existingUser);
+        return existingUser;
+    }
+}
diff --git a/src/Core/KeyManagement/Queries/CanUseKeyConnectorQuery.cs b/src/Core/KeyManagement/Queries/CanUseKeyConnectorQuery.cs
new file mode 100644
index 000000000000..c0e0e920b2e4
--- /dev/null
+++ b/src/Core/KeyManagement/Queries/CanUseKeyConnectorQuery.cs
@@ -0,0 +1,31 @@
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Queries.Interfaces;
+
+namespace Bit.Core.KeyManagement.Queries;
+
+public class CanUseKeyConnectorQuery : ICanUseKeyConnectorQuery
+{
+    private readonly ICurrentContext _currentContext;
+
+    public CanUseKeyConnectorQuery(ICurrentContext currentContext)
+    {
+        _currentContext = currentContext;
+    }
+
+    public void VerifyCanUseKeyConnector(User user)
+    {
+        if (user.UsesKeyConnector)
+        {
+            throw new BadRequestException("Already uses Key Connector.");
+        }
+
+        if (_currentContext.Organizations.Any(u =>
+                u.Type is OrganizationUserType.Owner or OrganizationUserType.Admin))
+        {
+            throw new BadRequestException("Cannot use Key Connector when admin or owner of an organization.");
+        }
+    }
+}
diff --git a/src/Core/KeyManagement/Queries/Interfaces/ICanUseKeyConnectorQuery.cs b/src/Core/KeyManagement/Queries/Interfaces/ICanUseKeyConnectorQuery.cs
new file mode 100644
index 000000000000..1da088f69d50
--- /dev/null
+++ b/src/Core/KeyManagement/Queries/Interfaces/ICanUseKeyConnectorQuery.cs
@@ -0,0 +1,15 @@
+using Bit.Core.Entities;
+
+namespace Bit.Core.KeyManagement.Queries.Interfaces;
+
+/// <summary>
+/// Query to verify if the user can use the key connector
+/// </summary>
+public interface ICanUseKeyConnectorQuery
+{
+    /// <summary>
+    /// Throws an exception if the user cannot use the key connector
+    /// </summary>
+    /// <param name="user">User to validate</param>
+    void VerifyCanUseKeyConnector(User user);
+}
diff --git a/src/Core/Repositories/IUserRepository.cs b/src/Core/Repositories/IUserRepository.cs
index 7cdd15922478..71457cefd590 100644
--- a/src/Core/Repositories/IUserRepository.cs
+++ b/src/Core/Repositories/IUserRepository.cs
@@ -55,6 +55,8 @@ Task SetV2AccountCryptographicStateAsync(
         UserAccountKeysData accountKeysData,
         IEnumerable<UpdateUserData>? updateUserDataActions = null);
     Task DeleteManyAsync(IEnumerable<User> users);
+
+    UpdateUserData SetKeyConnectorUserKey(Guid userId, string keyConnectorWrappedUserKey);
 }
 
 public delegate Task UpdateUserData(Microsoft.Data.SqlClient.SqlConnection? connection = null,
diff --git a/src/Core/Services/IUserService.cs b/src/Core/Services/IUserService.cs
index 0506e08cfca9..0680d8cec4f5 100644
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@@ -33,6 +33,8 @@ public interface IUserService
     Task<IdentityResult> ChangeEmailAsync(User user, string masterPassword, string newEmail, string newMasterPassword,
         string token, string key);
     Task<IdentityResult> ChangePasswordAsync(User user, string masterPassword, string newMasterPassword, string passwordHint, string key);
+    // TODO removed with https://bitwarden.atlassian.net/browse/PM-27328
+    [Obsolete("Use ISetKeyConnectorKeyCommand instead. This method will be removed in a future version.")]
     Task<IdentityResult> SetKeyConnectorKeyAsync(User user, string key, string orgIdentifier);
     Task<IdentityResult> ConvertToKeyConnectorAsync(User user);
     Task<IdentityResult> AdminResetPasswordAsync(OrganizationUserType type, Guid orgId, Guid id, string newMasterPassword, string key);
diff --git a/src/Core/Services/Implementations/UserService.cs b/src/Core/Services/Implementations/UserService.cs
index 2d2a9f0ae7b6..8b61e86b0d62 100644
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@@ -617,6 +617,7 @@ public async Task<IdentityResult> ChangePasswordAsync(User user, string masterPa
         return IdentityResult.Failed(_identityErrorDescriber.PasswordMismatch());
     }
 
+    // TODO removed with https://bitwarden.atlassian.net/browse/PM-27328
     public async Task<IdentityResult> SetKeyConnectorKeyAsync(User user, string key, string orgIdentifier)
     {
         var identityResult = CheckCanUseKeyConnector(user);
diff --git a/src/Infrastructure.Dapper/Repositories/UserRepository.cs b/src/Infrastructure.Dapper/Repositories/UserRepository.cs
index 86ab063a5f9a..9446c80015d7 100644
--- a/src/Infrastructure.Dapper/Repositories/UserRepository.cs
+++ b/src/Infrastructure.Dapper/Repositories/UserRepository.cs
@@ -2,6 +2,7 @@
 using System.Text.Json;
 using Bit.Core;
 using Bit.Core.Entities;
+using Bit.Core.Enums;
 using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.KeyManagement.UserKey;
 using Bit.Core.Models.Data;
@@ -381,6 +382,32 @@ public async Task<IEnumerable<UserWithCalculatedPremium>> GetManyWithCalculatedP
         return result.SingleOrDefault();
     }
 
+    public UpdateUserData SetKeyConnectorUserKey(Guid userId, string keyConnectorWrappedUserKey)
+    {
+        return async (connection, transaction) =>
+        {
+            var timestamp = DateTime.UtcNow;
+
+            await connection!.ExecuteAsync(
+                "[dbo].[User_UpdateKeyConnectorUserKey]",
+                new
+                {
+                    Id = userId,
+                    Key = keyConnectorWrappedUserKey,
+                    // Key Connector does not use KDF, so we set some defaults
+                    Kdf = KdfType.Argon2id,
+                    KdfIterations = AuthConstants.ARGON2_ITERATIONS.Default,
+                    KdfMemory = AuthConstants.ARGON2_MEMORY.Default,
+                    KdfParallelism = AuthConstants.ARGON2_PARALLELISM.Default,
+                    UsesKeyConnector = true,
+                    RevisionDate = timestamp,
+                    AccountRevisionDate = timestamp
+                },
+                transaction: transaction,
+                commandType: CommandType.StoredProcedure);
+        };
+    }
+
     private async Task ProtectDataAndSaveAsync(User user, Func<Task> saveTask)
     {
         if (user == null)
diff --git a/src/Infrastructure.EntityFramework/Repositories/UserRepository.cs b/src/Infrastructure.EntityFramework/Repositories/UserRepository.cs
index a43c692be39d..40b8fe6a98c1 100644
--- a/src/Infrastructure.EntityFramework/Repositories/UserRepository.cs
+++ b/src/Infrastructure.EntityFramework/Repositories/UserRepository.cs
@@ -1,4 +1,6 @@
 using AutoMapper;
+using Bit.Core;
+using Bit.Core.Enums;
 using Bit.Core.KeyManagement.Models.Data;
 using Bit.Core.KeyManagement.UserKey;
 using Bit.Core.Models.Data;
@@ -448,6 +450,35 @@ await dbContext.GroupUsers
         }
     }
 
+    public UpdateUserData SetKeyConnectorUserKey(Guid userId, string keyConnectorWrappedUserKey)
+    {
+        return async (_, _) =>
+        {
+            using var scope = ServiceScopeFactory.CreateScope();
+            var dbContext = GetDatabaseContext(scope);
+
+            var userEntity = await dbContext.Users.FindAsync(userId);
+            if (userEntity == null)
+            {
+                throw new ArgumentException("User not found", nameof(userId));
+            }
+
+            var timestamp = DateTime.UtcNow;
+
+            userEntity.Key = keyConnectorWrappedUserKey;
+            // Key Connector does not use KDF, so we set some defaults
+            userEntity.Kdf = KdfType.Argon2id;
+            userEntity.KdfIterations = AuthConstants.ARGON2_ITERATIONS.Default;
+            userEntity.KdfMemory = AuthConstants.ARGON2_MEMORY.Default;
+            userEntity.KdfParallelism = AuthConstants.ARGON2_PARALLELISM.Default;
+            userEntity.UsesKeyConnector = true;
+            userEntity.RevisionDate = timestamp;
+            userEntity.AccountRevisionDate = timestamp;
+
+            await dbContext.SaveChangesAsync();
+        };
+    }
+
     private static void MigrateDefaultUserCollectionsToShared(DatabaseContext dbContext, IEnumerable<Guid> userIds)
     {
         var defaultCollections = (from c in dbContext.Collections
diff --git a/src/Sql/dbo/KeyManagement/Stored Procedures/User_UpdateKeyConnectorUserKey.sql b/src/Sql/dbo/KeyManagement/Stored Procedures/User_UpdateKeyConnectorUserKey.sql
new file mode 100644
index 000000000000..39607f801a99
--- /dev/null
+++ b/src/Sql/dbo/KeyManagement/Stored Procedures/User_UpdateKeyConnectorUserKey.sql	
@@ -0,0 +1,28 @@
+CREATE PROCEDURE [dbo].[User_UpdateKeyConnectorUserKey]
+    @Id UNIQUEIDENTIFIER,
+    @Key NVARCHAR(MAX),
+    @Kdf TINYINT,
+    @KdfIterations INT,
+    @KdfMemory INT,
+    @KdfParallelism INT,
+    @UsesKeyConnector BIT,
+    @RevisionDate DATETIME2(7),
+    @AccountRevisionDate DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+    UPDATE
+        [dbo].[User]
+    SET
+        [Key] = @Key,
+        [Kdf] = @Kdf,
+        [KdfIterations] = @KdfIterations,
+        [KdfMemory] = @KdfMemory,
+        [KdfParallelism] = @KdfParallelism,
+        [UsesKeyConnector] = @UsesKeyConnector,
+        [RevisionDate] = @RevisionDate,
+        [AccountRevisionDate] = @AccountRevisionDate
+    WHERE
+        [Id] = @Id
+END
diff --git a/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs b/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
index 1c456df10635..eddffb6b364f 100644
--- a/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
+++ b/test/Api.IntegrationTest/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
@@ -7,6 +7,7 @@
 using Bit.Api.Tools.Models.Request;
 using Bit.Api.Vault.Models;
 using Bit.Api.Vault.Models.Request;
+using Bit.Core;
 using Bit.Core.AdminConsole.Entities;
 using Bit.Core.Auth.Entities;
 using Bit.Core.Auth.Enums;
@@ -19,9 +20,11 @@
 using Bit.Core.KeyManagement.Models.Api.Request;
 using Bit.Core.KeyManagement.Repositories;
 using Bit.Core.Repositories;
+using Bit.Core.Services;
 using Bit.Core.Vault.Enums;
 using Bit.Test.Common.AutoFixture.Attributes;
 using Microsoft.AspNetCore.Identity;
+using NSubstitute;
 using Xunit;
 
 namespace Bit.Api.IntegrationTest.KeyManagement.Controllers;
@@ -31,6 +34,7 @@ public class AccountsKeyManagementControllerTests : IClassFixture<ApiApplication
     private static readonly string _mockEncryptedString =
         "2.AOs41Hd8OQiCPXjyJKCiDA==|O6OHgt2U2hJGBSNGnimJmg==|iD33s8B69C8JhYYhSa4V1tArjvLr8eEaGqOV7BRo5Jk=";
     private static readonly string _mockEncryptedType7String = "7.AOs41Hd8OQiCPXjyJKCiDA==";
+    private static readonly string _mockEncryptedType7WrappedSigningKey = "7.DRv74Kg1RSlFSam1MNFlGD==";
 
     private readonly HttpClient _client;
     private readonly IEmergencyAccessRepository _emergencyAccessRepository;
@@ -47,8 +51,11 @@ public class AccountsKeyManagementControllerTests : IClassFixture<ApiApplication
     public AccountsKeyManagementControllerTests(ApiApplicationFactory factory)
     {
         _factory = factory;
-        _factory.UpdateConfiguration("globalSettings:launchDarkly:flagValues:pm-12241-private-key-regeneration",
-            "true");
+        _factory.SubstituteService<IFeatureService>(featureService =>
+        {
+            featureService.IsEnabled(FeatureFlagKeys.PrivateKeyRegeneration, Arg.Any<bool>())
+                .Returns(true);
+        });
         _client = factory.CreateClient();
         _loginHelper = new LoginHelper(_factory, _client);
         _userRepository = _factory.GetService<IUserRepository>();
@@ -78,8 +85,11 @@ public async Task RegenerateKeysAsync_FeatureFlagTurnedOff_NotFound(KeyRegenerat
     {
         // Localize factory to inject a false value for the feature flag.
         var localFactory = new ApiApplicationFactory();
-        localFactory.UpdateConfiguration("globalSettings:launchDarkly:flagValues:pm-12241-private-key-regeneration",
-            "false");
+        localFactory.SubstituteService<IFeatureService>(featureService =>
+        {
+            featureService.IsEnabled(FeatureFlagKeys.PrivateKeyRegeneration, Arg.Any<bool>())
+                .Returns(false);
+        });
         var localClient = localFactory.CreateClient();
         var localEmail = $"integration-test{Guid.NewGuid()}@bitwarden.com";
         var localLoginHelper = new LoginHelper(localFactory, localClient);
@@ -285,21 +295,21 @@ public async Task PostSetKeyConnectorKeyAsync_NotLoggedIn_Unauthorized(SetKeyCon
 
     [Theory]
     [BitAutoData]
-    public async Task PostSetKeyConnectorKeyAsync_Success(string organizationSsoIdentifier,
-        SetKeyConnectorKeyRequestModel request)
+    public async Task PostSetKeyConnectorKeyAsync_Success(string organizationSsoIdentifier)
     {
         var (ssoUserEmail, organization) = await SetupKeyConnectorTestAsync(OrganizationUserStatusType.Invited, organizationSsoIdentifier);
 
         var ssoUser = await _userRepository.GetByEmailAsync(ssoUserEmail);
         Assert.NotNull(ssoUser);
 
-        request.Keys = new KeysRequestModel
+        var request = new SetKeyConnectorKeyRequestModel
         {
-            PublicKey = ssoUser.PublicKey,
-            EncryptedPrivateKey = ssoUser.PrivateKey
+            Key = _mockEncryptedString,
+            Keys = new KeysRequestModel { PublicKey = ssoUser.PublicKey, EncryptedPrivateKey = ssoUser.PrivateKey },
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = AuthConstants.PBKDF2_ITERATIONS.Default,
+            OrgIdentifier = organizationSsoIdentifier
         };
-        request.Key = _mockEncryptedString;
-        request.OrgIdentifier = organizationSsoIdentifier;
 
         var response = await _client.PostAsJsonAsync("/accounts/set-key-connector-key", request);
         response.EnsureSuccessStatusCode();
@@ -310,12 +320,95 @@ public async Task PostSetKeyConnectorKeyAsync_Success(string organizationSsoIden
         Assert.True(user.UsesKeyConnector);
         Assert.Equal(DateTime.UtcNow, user.RevisionDate, TimeSpan.FromMinutes(1));
         Assert.Equal(DateTime.UtcNow, user.AccountRevisionDate, TimeSpan.FromMinutes(1));
+        var ssoOrganizationUser = await _organizationUserRepository.GetByOrganizationAsync(organization.Id, user.Id);
+        Assert.NotNull(ssoOrganizationUser);
+        Assert.Equal(OrganizationUserStatusType.Accepted, ssoOrganizationUser.Status);
+        Assert.Equal(user.Id, ssoOrganizationUser.UserId);
+        Assert.Null(ssoOrganizationUser.Email);
+    }
+
+    [Fact]
+    public async Task PostSetKeyConnectorKeyAsync_V2_NotLoggedIn_Unauthorized()
+    {
+        var request = new SetKeyConnectorKeyRequestModel
+        {
+            KeyConnectorKeyWrappedUserKey = _mockEncryptedString,
+            AccountKeys = new AccountKeysRequestModel
+            {
+                AccountPublicKey = "publicKey",
+                UserKeyEncryptedAccountPrivateKey = _mockEncryptedType7String
+            },
+            OrgIdentifier = "test-org"
+        };
+
+        var response = await _client.PostAsJsonAsync("/accounts/set-key-connector-key", request);
+
+        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PostSetKeyConnectorKeyAsync_V2_Success(string organizationSsoIdentifier)
+    {
+        var (ssoUserEmail, organization) = await SetupKeyConnectorTestAsync(OrganizationUserStatusType.Invited, organizationSsoIdentifier);
+
+        var request = new SetKeyConnectorKeyRequestModel
+        {
+            KeyConnectorKeyWrappedUserKey = _mockEncryptedString,
+            AccountKeys = new AccountKeysRequestModel
+            {
+                AccountPublicKey = "publicKey",
+                UserKeyEncryptedAccountPrivateKey = _mockEncryptedType7String,
+                PublicKeyEncryptionKeyPair = new PublicKeyEncryptionKeyPairRequestModel
+                {
+                    PublicKey = "publicKey",
+                    WrappedPrivateKey = _mockEncryptedType7String,
+                    SignedPublicKey = "signedPublicKey"
+                },
+                SignatureKeyPair = new SignatureKeyPairRequestModel
+                {
+                    SignatureAlgorithm = "ed25519",
+                    WrappedSigningKey = _mockEncryptedType7WrappedSigningKey,
+                    VerifyingKey = "verifyingKey"
+                },
+                SecurityState = new SecurityStateModel
+                {
+                    SecurityVersion = 2,
+                    SecurityState = "v2"
+                }
+            },
+            OrgIdentifier = organizationSsoIdentifier
+        };
+
+        var response = await _client.PostAsJsonAsync("/accounts/set-key-connector-key", request);
+        response.EnsureSuccessStatusCode();
+
+        var user = await _userRepository.GetByEmailAsync(ssoUserEmail);
+        Assert.NotNull(user);
+        Assert.Equal(request.KeyConnectorKeyWrappedUserKey, user.Key);
+        Assert.True(user.UsesKeyConnector);
+        Assert.Equal(KdfType.Argon2id, user.Kdf);
+        Assert.Equal(AuthConstants.ARGON2_ITERATIONS.Default, user.KdfIterations);
+        Assert.Equal(AuthConstants.ARGON2_MEMORY.Default, user.KdfMemory);
+        Assert.Equal(AuthConstants.ARGON2_PARALLELISM.Default, user.KdfParallelism);
+        Assert.Equal(request.AccountKeys.PublicKeyEncryptionKeyPair!.SignedPublicKey, user.SignedPublicKey);
+        Assert.Equal(request.AccountKeys.SecurityState!.SecurityState, user.SecurityState);
+        Assert.Equal(request.AccountKeys.SecurityState.SecurityVersion, user.SecurityVersion);
+        Assert.Equal(DateTime.UtcNow, user.RevisionDate, TimeSpan.FromMinutes(1));
+        Assert.Equal(DateTime.UtcNow, user.AccountRevisionDate, TimeSpan.FromMinutes(1));
+
         var ssoOrganizationUser =
             await _organizationUserRepository.GetByOrganizationAsync(organization.Id, user.Id);
         Assert.NotNull(ssoOrganizationUser);
         Assert.Equal(OrganizationUserStatusType.Accepted, ssoOrganizationUser.Status);
         Assert.Equal(user.Id, ssoOrganizationUser.UserId);
         Assert.Null(ssoOrganizationUser.Email);
+
+        var signatureKeyPair = await _userSignatureKeyPairRepository.GetByUserIdAsync(user.Id);
+        Assert.NotNull(signatureKeyPair);
+        Assert.Equal(SignatureAlgorithm.Ed25519, signatureKeyPair.SignatureAlgorithm);
+        Assert.Equal(_mockEncryptedType7WrappedSigningKey, signatureKeyPair.WrappedSigningKey);
+        Assert.Equal("verifyingKey", signatureKeyPair.VerifyingKey);
     }
 
     [Fact]
diff --git a/test/Api.Test/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs b/test/Api.Test/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
index a1f3088f527b..0eccacd02fcf 100644
--- a/test/Api.Test/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
+++ b/test/Api.Test/KeyManagement/Controllers/AccountsKeyManagementControllerTests.cs
@@ -238,10 +238,13 @@ public async Task RotateUserKeyWrongData_Throws(SutProvider<AccountsKeyManagemen
 
     [Theory]
     [BitAutoData]
-    public async Task PostSetKeyConnectorKeyAsync_UserNull_Throws(
+    public async Task PostSetKeyConnectorKeyAsync_V1_UserNull_Throws(
         SutProvider<AccountsKeyManagementController> sutProvider,
         SetKeyConnectorKeyRequestModel data)
     {
+        data.KeyConnectorKeyWrappedUserKey = null;
+        data.AccountKeys = null;
+
         sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).ReturnsNull();
 
         await Assert.ThrowsAsync<UnauthorizedAccessException>(() => sutProvider.Sut.PostSetKeyConnectorKeyAsync(data));
@@ -252,10 +255,13 @@ await sutProvider.GetDependency<IUserService>().ReceivedWithAnyArgs(0)
 
     [Theory]
     [BitAutoData]
-    public async Task PostSetKeyConnectorKeyAsync_SetKeyConnectorKeyFails_ThrowsBadRequestWithErrorResponse(
+    public async Task PostSetKeyConnectorKeyAsync_V1_SetKeyConnectorKeyFails_ThrowsBadRequestWithErrorResponse(
         SutProvider<AccountsKeyManagementController> sutProvider,
         SetKeyConnectorKeyRequestModel data, User expectedUser)
     {
+        data.KeyConnectorKeyWrappedUserKey = null;
+        data.AccountKeys = null;
+
         expectedUser.PublicKey = null;
         expectedUser.PrivateKey = null;
         sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>())
@@ -278,17 +284,20 @@ await sutProvider.GetDependency<IUserService>().Received(1)
                 Assert.Equal(data.KdfIterations, user.KdfIterations);
                 Assert.Equal(data.KdfMemory, user.KdfMemory);
                 Assert.Equal(data.KdfParallelism, user.KdfParallelism);
-                Assert.Equal(data.Keys.PublicKey, user.PublicKey);
-                Assert.Equal(data.Keys.EncryptedPrivateKey, user.PrivateKey);
+                Assert.Equal(data.Keys!.PublicKey, user.PublicKey);
+                Assert.Equal(data.Keys!.EncryptedPrivateKey, user.PrivateKey);
             }), Arg.Is(data.Key), Arg.Is(data.OrgIdentifier));
     }
 
     [Theory]
     [BitAutoData]
-    public async Task PostSetKeyConnectorKeyAsync_SetKeyConnectorKeySucceeds_OkResponse(
+    public async Task PostSetKeyConnectorKeyAsync_V1_SetKeyConnectorKeySucceeds_OkResponse(
         SutProvider<AccountsKeyManagementController> sutProvider,
         SetKeyConnectorKeyRequestModel data, User expectedUser)
     {
+        data.KeyConnectorKeyWrappedUserKey = null;
+        data.AccountKeys = null;
+
         expectedUser.PublicKey = null;
         expectedUser.PrivateKey = null;
         sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>())
@@ -308,11 +317,92 @@ await sutProvider.GetDependency<IUserService>().Received(1)
                 Assert.Equal(data.KdfIterations, user.KdfIterations);
                 Assert.Equal(data.KdfMemory, user.KdfMemory);
                 Assert.Equal(data.KdfParallelism, user.KdfParallelism);
-                Assert.Equal(data.Keys.PublicKey, user.PublicKey);
-                Assert.Equal(data.Keys.EncryptedPrivateKey, user.PrivateKey);
+                Assert.Equal(data.Keys!.PublicKey, user.PublicKey);
+                Assert.Equal(data.Keys!.EncryptedPrivateKey, user.PrivateKey);
             }), Arg.Is(data.Key), Arg.Is(data.OrgIdentifier));
     }
 
+    [Theory]
+    [BitAutoData]
+    public async Task PostSetKeyConnectorKeyAsync_V2_UserNull_Throws(
+        SutProvider<AccountsKeyManagementController> sutProvider)
+    {
+        var data = new SetKeyConnectorKeyRequestModel
+        {
+            KeyConnectorKeyWrappedUserKey = "wrapped-user-key",
+            AccountKeys = new AccountKeysRequestModel
+            {
+                AccountPublicKey = "public-key",
+                UserKeyEncryptedAccountPrivateKey = "encrypted-private-key"
+            },
+            OrgIdentifier = "test-org"
+        };
+
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>()).ReturnsNull();
+
+        await Assert.ThrowsAsync<UnauthorizedAccessException>(() => sutProvider.Sut.PostSetKeyConnectorKeyAsync(data));
+
+        await sutProvider.GetDependency<ISetKeyConnectorKeyCommand>().DidNotReceive()
+            .SetKeyConnectorKeyForUserAsync(Arg.Any<User>(), Arg.Any<SetKeyConnectorKeyRequestModel>());
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PostSetKeyConnectorKeyAsync_V2_Success(
+        SutProvider<AccountsKeyManagementController> sutProvider,
+        User expectedUser)
+    {
+        var data = new SetKeyConnectorKeyRequestModel
+        {
+            KeyConnectorKeyWrappedUserKey = "wrapped-user-key",
+            AccountKeys = new AccountKeysRequestModel
+            {
+                AccountPublicKey = "public-key",
+                UserKeyEncryptedAccountPrivateKey = "encrypted-private-key"
+            },
+            OrgIdentifier = "test-org"
+        };
+
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>())
+            .Returns(expectedUser);
+
+        await sutProvider.Sut.PostSetKeyConnectorKeyAsync(data);
+
+        await sutProvider.GetDependency<ISetKeyConnectorKeyCommand>().Received(1)
+            .SetKeyConnectorKeyForUserAsync(Arg.Is(expectedUser), Arg.Is(data));
+    }
+
+    [Theory]
+    [BitAutoData]
+    public async Task PostSetKeyConnectorKeyAsync_V2_CommandThrows_PropagatesException(
+        SutProvider<AccountsKeyManagementController> sutProvider,
+        User expectedUser)
+    {
+        var data = new SetKeyConnectorKeyRequestModel
+        {
+            KeyConnectorKeyWrappedUserKey = "wrapped-user-key",
+            AccountKeys = new AccountKeysRequestModel
+            {
+                AccountPublicKey = "public-key",
+                UserKeyEncryptedAccountPrivateKey = "encrypted-private-key"
+            },
+            OrgIdentifier = "test-org"
+        };
+
+        sutProvider.GetDependency<IUserService>().GetUserByPrincipalAsync(Arg.Any<ClaimsPrincipal>())
+            .Returns(expectedUser);
+        sutProvider.GetDependency<ISetKeyConnectorKeyCommand>()
+            .When(x => x.SetKeyConnectorKeyForUserAsync(Arg.Any<User>(), Arg.Any<SetKeyConnectorKeyRequestModel>()))
+            .Do(_ => throw new BadRequestException("Command failed"));
+
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.PostSetKeyConnectorKeyAsync(data));
+
+        Assert.Equal("Command failed", exception.Message);
+        await sutProvider.GetDependency<ISetKeyConnectorKeyCommand>().Received(1)
+            .SetKeyConnectorKeyForUserAsync(Arg.Is(expectedUser), Arg.Is(data));
+    }
+
     [Theory]
     [BitAutoData]
     public async Task PostConvertToKeyConnectorAsync_UserNull_Throws(
diff --git a/test/Core.Test/KeyManagement/Commands/SetKeyConnectorKeyCommandTests.cs b/test/Core.Test/KeyManagement/Commands/SetKeyConnectorKeyCommandTests.cs
new file mode 100644
index 000000000000..127b472798c2
--- /dev/null
+++ b/test/Core.Test/KeyManagement/Commands/SetKeyConnectorKeyCommandTests.cs
@@ -0,0 +1,209 @@
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Commands;
+using Bit.Core.KeyManagement.Models.Api.Request;
+using Bit.Core.KeyManagement.Models.Data;
+using Bit.Core.KeyManagement.Queries.Interfaces;
+using Bit.Core.OrganizationFeatures.OrganizationUsers.Interfaces;
+using Bit.Core.Repositories;
+using Bit.Core.Services;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.KeyManagement.Commands;
+
+[SutProviderCustomize]
+public class SetKeyConnectorKeyCommandTests
+{
+
+    [Theory, BitAutoData]
+    public async Task SetKeyConnectorKeyForUserAsync_Success_SetsAccountKeys(
+        User user,
+        SetKeyConnectorKeyRequestModel requestModel,
+        SutProvider<SetKeyConnectorKeyCommand> sutProvider)
+    {
+        // Set up valid V2 encryption data
+        if (requestModel.AccountKeys!.SignatureKeyPair != null)
+        {
+            requestModel.AccountKeys.SignatureKeyPair.SignatureAlgorithm = "ed25519";
+        }
+
+        var expectedAccountKeysData = requestModel.AccountKeys.ToAccountKeysData();
+
+        // Arrange
+        var userRepository = sutProvider.GetDependency<IUserRepository>();
+        var mockUpdateUserData = Substitute.For<UpdateUserData>();
+        userRepository.SetKeyConnectorUserKey(user.Id, requestModel.KeyConnectorKeyWrappedUserKey!)
+            .Returns(mockUpdateUserData);
+
+        // Act
+        await sutProvider.Sut.SetKeyConnectorKeyForUserAsync(user, requestModel);
+
+        // Assert
+        sutProvider.GetDependency<ICanUseKeyConnectorQuery>()
+            .Received(1)
+            .VerifyCanUseKeyConnector(user);
+
+        userRepository
+            .Received(1)
+            .SetKeyConnectorUserKey(user.Id, requestModel.KeyConnectorKeyWrappedUserKey);
+
+        await userRepository
+            .Received(1)
+            .SetV2AccountCryptographicStateAsync(
+                user.Id,
+                Arg.Is<UserAccountKeysData>(data =>
+                    data.PublicKeyEncryptionKeyPairData.PublicKey == expectedAccountKeysData.PublicKeyEncryptionKeyPairData.PublicKey &&
+                    data.PublicKeyEncryptionKeyPairData.WrappedPrivateKey == expectedAccountKeysData.PublicKeyEncryptionKeyPairData.WrappedPrivateKey &&
+                    data.PublicKeyEncryptionKeyPairData.SignedPublicKey == expectedAccountKeysData.PublicKeyEncryptionKeyPairData.SignedPublicKey &&
+                    data.SignatureKeyPairData!.SignatureAlgorithm == expectedAccountKeysData.SignatureKeyPairData!.SignatureAlgorithm &&
+                    data.SignatureKeyPairData.WrappedSigningKey == expectedAccountKeysData.SignatureKeyPairData.WrappedSigningKey &&
+                    data.SignatureKeyPairData.VerifyingKey == expectedAccountKeysData.SignatureKeyPairData.VerifyingKey &&
+                    data.SecurityStateData!.SecurityState == expectedAccountKeysData.SecurityStateData!.SecurityState &&
+                    data.SecurityStateData.SecurityVersion == expectedAccountKeysData.SecurityStateData.SecurityVersion),
+                Arg.Is<IEnumerable<UpdateUserData>>(actions =>
+                    actions.Count() == 1 && actions.First() == mockUpdateUserData));
+
+        await sutProvider.GetDependency<IEventService>()
+            .Received(1)
+            .LogUserEventAsync(user.Id, EventType.User_MigratedKeyToKeyConnector);
+
+        await sutProvider.GetDependency<IAcceptOrgUserCommand>()
+            .Received(1)
+            .AcceptOrgUserByOrgSsoIdAsync(requestModel.OrgIdentifier, user, sutProvider.GetDependency<IUserService>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task SetKeyConnectorKeyForUserAsync_NullKeyConnectorKeyWrappedUserKey_ThrowsBadRequestException(
+        User user,
+        SetKeyConnectorKeyRequestModel requestModel,
+        SutProvider<SetKeyConnectorKeyCommand> sutProvider)
+    {
+        // Arrange
+        requestModel.KeyConnectorKeyWrappedUserKey = null;
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.SetKeyConnectorKeyForUserAsync(user, requestModel));
+
+        Assert.Equal("KeyConnectorKeyWrappedUserKey and AccountKeys must be provided", exception.Message);
+
+        sutProvider.GetDependency<IUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .SetKeyConnectorUserKey(Arg.Any<Guid>(), Arg.Any<string>());
+
+        await sutProvider.GetDependency<IUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .SetV2AccountCryptographicStateAsync(Arg.Any<Guid>(), Arg.Any<UserAccountKeysData>(), Arg.Any<IEnumerable<UpdateUserData>>());
+
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogUserEventAsync(Arg.Any<Guid>(), Arg.Any<EventType>());
+
+        await sutProvider.GetDependency<IAcceptOrgUserCommand>()
+            .DidNotReceiveWithAnyArgs()
+            .AcceptOrgUserByOrgSsoIdAsync(Arg.Any<string>(), Arg.Any<User>(), Arg.Any<IUserService>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task SetKeyConnectorKeyForUserAsync_EmptyKeyConnectorKeyWrappedUserKey_ThrowsBadRequestException(
+        User user,
+        SetKeyConnectorKeyRequestModel requestModel,
+        SutProvider<SetKeyConnectorKeyCommand> sutProvider)
+    {
+        // Arrange
+        requestModel.KeyConnectorKeyWrappedUserKey = string.Empty;
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.SetKeyConnectorKeyForUserAsync(user, requestModel));
+
+        Assert.Equal("KeyConnectorKeyWrappedUserKey and AccountKeys must be provided", exception.Message);
+
+        sutProvider.GetDependency<IUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .SetKeyConnectorUserKey(Arg.Any<Guid>(), Arg.Any<string>());
+
+        await sutProvider.GetDependency<IUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .SetV2AccountCryptographicStateAsync(Arg.Any<Guid>(), Arg.Any<UserAccountKeysData>(), Arg.Any<IEnumerable<UpdateUserData>>());
+
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogUserEventAsync(Arg.Any<Guid>(), Arg.Any<EventType>());
+
+        await sutProvider.GetDependency<IAcceptOrgUserCommand>()
+            .DidNotReceiveWithAnyArgs()
+            .AcceptOrgUserByOrgSsoIdAsync(Arg.Any<string>(), Arg.Any<User>(), Arg.Any<IUserService>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task SetKeyConnectorKeyForUserAsync_NullAccountKeys_ThrowsBadRequestException(
+        User user,
+        SetKeyConnectorKeyRequestModel requestModel,
+        SutProvider<SetKeyConnectorKeyCommand> sutProvider)
+    {
+        // Arrange
+        requestModel.AccountKeys = null;
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.SetKeyConnectorKeyForUserAsync(user, requestModel));
+
+        Assert.Equal("KeyConnectorKeyWrappedUserKey and AccountKeys must be provided", exception.Message);
+
+        sutProvider.GetDependency<IUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .SetKeyConnectorUserKey(Arg.Any<Guid>(), Arg.Any<string>());
+
+        await sutProvider.GetDependency<IUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .SetV2AccountCryptographicStateAsync(Arg.Any<Guid>(), Arg.Any<UserAccountKeysData>(), Arg.Any<IEnumerable<UpdateUserData>>());
+
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogUserEventAsync(Arg.Any<Guid>(), Arg.Any<EventType>());
+
+        await sutProvider.GetDependency<IAcceptOrgUserCommand>()
+            .DidNotReceiveWithAnyArgs()
+            .AcceptOrgUserByOrgSsoIdAsync(Arg.Any<string>(), Arg.Any<User>(), Arg.Any<IUserService>());
+    }
+
+    [Theory, BitAutoData]
+    public async Task SetKeyConnectorKeyForUserAsync_UserCannotUseKeyConnector_ThrowsException(
+        User user,
+        SetKeyConnectorKeyRequestModel requestModel,
+        SutProvider<SetKeyConnectorKeyCommand> sutProvider)
+    {
+        // Arrange
+        var expectedException = new BadRequestException("User cannot use Key Connector");
+        sutProvider.GetDependency<ICanUseKeyConnectorQuery>()
+            .When(x => x.VerifyCanUseKeyConnector(user))
+            .Throw(expectedException);
+
+        // Act & Assert
+        var exception = await Assert.ThrowsAsync<BadRequestException>(
+            () => sutProvider.Sut.SetKeyConnectorKeyForUserAsync(user, requestModel));
+
+        Assert.Equal(expectedException.Message, exception.Message);
+
+        sutProvider.GetDependency<IUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .SetKeyConnectorUserKey(Arg.Any<Guid>(), Arg.Any<string>());
+
+        await sutProvider.GetDependency<IUserRepository>()
+            .DidNotReceiveWithAnyArgs()
+            .SetV2AccountCryptographicStateAsync(Arg.Any<Guid>(), Arg.Any<UserAccountKeysData>(), Arg.Any<IEnumerable<UpdateUserData>>());
+
+        await sutProvider.GetDependency<IEventService>()
+            .DidNotReceiveWithAnyArgs()
+            .LogUserEventAsync(Arg.Any<Guid>(), Arg.Any<EventType>());
+
+        await sutProvider.GetDependency<IAcceptOrgUserCommand>()
+            .DidNotReceiveWithAnyArgs()
+            .AcceptOrgUserByOrgSsoIdAsync(Arg.Any<string>(), Arg.Any<User>(), Arg.Any<IUserService>());
+    }
+}
diff --git a/test/Core.Test/KeyManagement/Models/Api/Request/SetKeyConnectorKeyRequestModelTests.cs b/test/Core.Test/KeyManagement/Models/Api/Request/SetKeyConnectorKeyRequestModelTests.cs
new file mode 100644
index 000000000000..64fbd3d753f3
--- /dev/null
+++ b/test/Core.Test/KeyManagement/Models/Api/Request/SetKeyConnectorKeyRequestModelTests.cs
@@ -0,0 +1,243 @@
+using System.ComponentModel.DataAnnotations;
+using Bit.Core.Auth.Models.Api.Request.Accounts;
+using Bit.Core.Enums;
+using Bit.Core.KeyManagement.Models.Api.Request;
+using Xunit;
+
+namespace Bit.Core.Test.KeyManagement.Models.Api.Request;
+
+public class SetKeyConnectorKeyRequestModelTests
+{
+    private const string _wrappedUserKey = "2.AOs41Hd8OQiCPXjyJKCiDA==|O6OHgt2U2hJGBSNGnimJmg==|iD33s8B69C8JhYYhSa4V1tArjvLr8eEaGqOV7BRo5Jk=";
+    private const string _publicKey = "public-key";
+    private const string _privateKey = "private-key";
+    private const string _userKey = "user-key";
+    private const string _orgIdentifier = "org-identifier";
+
+    [Fact]
+    public void Validate_V2Registration_Valid()
+    {
+        // Arrange
+        var model = new SetKeyConnectorKeyRequestModel
+        {
+            KeyConnectorKeyWrappedUserKey = _wrappedUserKey,
+            AccountKeys = new AccountKeysRequestModel
+            {
+                AccountPublicKey = _publicKey,
+                UserKeyEncryptedAccountPrivateKey = _privateKey
+            },
+            OrgIdentifier = _orgIdentifier
+        };
+
+        // Act
+        var results = Validate(model);
+
+        // Assert
+        Assert.Empty(results);
+    }
+
+    [Fact]
+    public void Validate_V2Registration_WrappedUserKeyNotEncryptedString_Invalid()
+    {
+        // Arrange
+        var model = new SetKeyConnectorKeyRequestModel
+        {
+            KeyConnectorKeyWrappedUserKey = "not-encrypted-string",
+            AccountKeys = new AccountKeysRequestModel
+            {
+                AccountPublicKey = _publicKey,
+                UserKeyEncryptedAccountPrivateKey = _privateKey
+            },
+            OrgIdentifier = _orgIdentifier
+        };
+
+        // Act
+        var results = Validate(model);
+
+        // Assert
+        Assert.Single(results);
+        Assert.Contains(results,
+            r => r.ErrorMessage == "KeyConnectorKeyWrappedUserKey is not a valid encrypted string.");
+    }
+
+    [Fact]
+    public void Validate_V1Registration_Valid()
+    {
+        // Arrange
+        var model = new SetKeyConnectorKeyRequestModel
+        {
+            Key = _userKey,
+            Keys = new KeysRequestModel
+            {
+                PublicKey = _publicKey,
+                EncryptedPrivateKey = _privateKey
+            },
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = AuthConstants.PBKDF2_ITERATIONS.Default,
+            OrgIdentifier = _orgIdentifier
+        };
+
+        // Act
+        var results = Validate(model);
+
+        // Assert
+        Assert.Empty(results);
+    }
+
+    [Fact]
+    public void Validate_V1Registration_MissingKey_Invalid()
+    {
+        // Arrange
+        var model = new SetKeyConnectorKeyRequestModel
+        {
+            Key = null,
+            Keys = new KeysRequestModel
+            {
+                PublicKey = _publicKey,
+                EncryptedPrivateKey = _privateKey
+            },
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = AuthConstants.PBKDF2_ITERATIONS.Default,
+            OrgIdentifier = _orgIdentifier
+        };
+
+        // Act
+        var results = Validate(model);
+
+        // Assert
+        Assert.Single(results);
+        Assert.Contains(results, r => r.ErrorMessage == "Key must be supplied.");
+    }
+
+    [Fact]
+    public void Validate_V1Registration_MissingKeys_Invalid()
+    {
+        // Arrange
+        var model = new SetKeyConnectorKeyRequestModel
+        {
+            Key = _userKey,
+            Keys = null,
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = AuthConstants.PBKDF2_ITERATIONS.Default,
+            OrgIdentifier = _orgIdentifier
+        };
+
+        // Act
+        var results = Validate(model);
+
+        // Assert
+        Assert.Single(results);
+        Assert.Contains(results, r => r.ErrorMessage == "Keys must be supplied.");
+    }
+
+    [Fact]
+    public void Validate_V1Registration_MissingKdf_Invalid()
+    {
+        // Arrange
+        var model = new SetKeyConnectorKeyRequestModel
+        {
+            Key = _userKey,
+            Keys = new KeysRequestModel
+            {
+                PublicKey = _publicKey,
+                EncryptedPrivateKey = _privateKey
+            },
+            Kdf = null,
+            KdfIterations = AuthConstants.PBKDF2_ITERATIONS.Default,
+            OrgIdentifier = _orgIdentifier
+        };
+
+        // Act
+        var results = Validate(model);
+
+        // Assert
+        Assert.Single(results);
+        Assert.Contains(results, r => r.ErrorMessage == "Kdf must be supplied.");
+    }
+
+    [Fact]
+    public void Validate_V1Registration_MissingKdfIterations_Invalid()
+    {
+        // Arrange
+        var model = new SetKeyConnectorKeyRequestModel
+        {
+            Key = _userKey,
+            Keys = new KeysRequestModel
+            {
+                PublicKey = _publicKey,
+                EncryptedPrivateKey = _privateKey
+            },
+            Kdf = KdfType.PBKDF2_SHA256,
+            KdfIterations = null,
+            OrgIdentifier = _orgIdentifier
+        };
+
+        // Act
+        var results = Validate(model);
+
+        // Assert
+        Assert.Single(results);
+        Assert.Contains(results, r => r.ErrorMessage == "KdfIterations must be supplied.");
+    }
+
+    [Fact]
+    public void Validate_V1Registration_Argon2id_MissingKdfMemory_Invalid()
+    {
+        // Arrange
+        var model = new SetKeyConnectorKeyRequestModel
+        {
+            Key = _userKey,
+            Keys = new KeysRequestModel
+            {
+                PublicKey = _publicKey,
+                EncryptedPrivateKey = _privateKey
+            },
+            Kdf = KdfType.Argon2id,
+            KdfIterations = AuthConstants.ARGON2_ITERATIONS.Default,
+            KdfMemory = null,
+            KdfParallelism = AuthConstants.ARGON2_PARALLELISM.Default,
+            OrgIdentifier = _orgIdentifier
+        };
+
+        // Act
+        var results = Validate(model);
+
+        // Assert
+        Assert.Single(results);
+        Assert.Contains(results, r => r.ErrorMessage == "KdfMemory must be supplied when Kdf is Argon2id.");
+    }
+
+    [Fact]
+    public void Validate_V1Registration_Argon2id_MissingKdfParallelism_Invalid()
+    {
+        // Arrange
+        var model = new SetKeyConnectorKeyRequestModel
+        {
+            Key = _userKey,
+            Keys = new KeysRequestModel
+            {
+                PublicKey = _publicKey,
+                EncryptedPrivateKey = _privateKey
+            },
+            Kdf = KdfType.Argon2id,
+            KdfIterations = AuthConstants.ARGON2_ITERATIONS.Default,
+            KdfMemory = AuthConstants.ARGON2_MEMORY.Default,
+            KdfParallelism = null,
+            OrgIdentifier = _orgIdentifier
+        };
+
+        // Act
+        var results = Validate(model);
+
+        // Assert
+        Assert.Single(results);
+        Assert.Contains(results, r => r.ErrorMessage == "KdfParallelism must be supplied when Kdf is Argon2id.");
+    }
+
+    private static List<ValidationResult> Validate(SetKeyConnectorKeyRequestModel model)
+    {
+        var results = new List<ValidationResult>();
+        Validator.TryValidateObject(model, new ValidationContext(model), results, true);
+        return results;
+    }
+}
diff --git a/test/Core.Test/KeyManagement/Queries/CanUseKeyConnectorQueryTests.cs b/test/Core.Test/KeyManagement/Queries/CanUseKeyConnectorQueryTests.cs
new file mode 100644
index 000000000000..c98f2379b3dd
--- /dev/null
+++ b/test/Core.Test/KeyManagement/Queries/CanUseKeyConnectorQueryTests.cs
@@ -0,0 +1,104 @@
+using Bit.Core.Context;
+using Bit.Core.Entities;
+using Bit.Core.Enums;
+using Bit.Core.Exceptions;
+using Bit.Core.KeyManagement.Queries;
+using Bit.Test.Common.AutoFixture;
+using Bit.Test.Common.AutoFixture.Attributes;
+using NSubstitute;
+using Xunit;
+
+namespace Bit.Core.Test.KeyManagement.Queries;
+
+[SutProviderCustomize]
+public class CanUseKeyConnectorQueryTests
+{
+    [Theory]
+    [BitAutoData]
+    public void VerifyCanUseKeyConnector_UserAlreadyUsesKeyConnector_ThrowsBadRequestException(
+        SutProvider<CanUseKeyConnectorQuery> sutProvider,
+        User user)
+    {
+        // Arrange
+        user.UsesKeyConnector = true;
+        sutProvider.GetDependency<ICurrentContext>().Organizations.Returns(new List<CurrentContextOrganization>());
+
+        // Act & Assert
+        var exception = Assert.Throws<BadRequestException>(() =>
+            sutProvider.Sut.VerifyCanUseKeyConnector(user));
+
+        Assert.Equal("Already uses Key Connector.", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void VerifyCanUseKeyConnector_UserIsOwnerOfOrganization_ThrowsBadRequestException(
+        SutProvider<CanUseKeyConnectorQuery> sutProvider,
+        User user)
+    {
+        // Arrange
+        user.UsesKeyConnector = false;
+        var organizations = new List<CurrentContextOrganization>
+        {
+            new CurrentContextOrganization
+            {
+                Id = Guid.NewGuid(),
+                Type = OrganizationUserType.Owner
+            }
+        };
+        sutProvider.GetDependency<ICurrentContext>().Organizations.Returns(organizations);
+
+        // Act & Assert
+        var exception = Assert.Throws<BadRequestException>(() =>
+            sutProvider.Sut.VerifyCanUseKeyConnector(user));
+
+        Assert.Equal("Cannot use Key Connector when admin or owner of an organization.", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void VerifyCanUseKeyConnector_UserIsAdminOfOrganization_ThrowsBadRequestException(
+        SutProvider<CanUseKeyConnectorQuery> sutProvider,
+        User user)
+    {
+        // Arrange
+        user.UsesKeyConnector = false;
+        var organizations = new List<CurrentContextOrganization>
+        {
+            new CurrentContextOrganization
+            {
+                Id = Guid.NewGuid(),
+                Type = OrganizationUserType.Admin
+            }
+        };
+        sutProvider.GetDependency<ICurrentContext>().Organizations.Returns(organizations);
+
+        // Act & Assert
+        var exception = Assert.Throws<BadRequestException>(() =>
+            sutProvider.Sut.VerifyCanUseKeyConnector(user));
+
+        Assert.Equal("Cannot use Key Connector when admin or owner of an organization.", exception.Message);
+    }
+
+    [Theory]
+    [BitAutoData]
+    public void VerifyCanUseKeyConnector_UserIsNotOwnerOrAdmin_Success(
+        SutProvider<CanUseKeyConnectorQuery> sutProvider,
+        User user)
+    {
+        // Arrange
+        user.UsesKeyConnector = false;
+        var organizations = new List<CurrentContextOrganization>
+        {
+            new CurrentContextOrganization
+            {
+                Id = Guid.NewGuid(),
+                Type = OrganizationUserType.User
+            }
+        };
+        sutProvider.GetDependency<ICurrentContext>().Organizations.Returns(organizations);
+
+        // Act - should not throw
+        sutProvider.Sut.VerifyCanUseKeyConnector(user);
+    }
+}
diff --git a/test/Infrastructure.IntegrationTest/Auth/Repositories/UserRepositoryTests.cs b/test/Infrastructure.IntegrationTest/Repositories/UserRepositoryTests.cs
similarity index 81%
rename from test/Infrastructure.IntegrationTest/Auth/Repositories/UserRepositoryTests.cs
rename to test/Infrastructure.IntegrationTest/Repositories/UserRepositoryTests.cs
index dd84df07be25..643421bedf4a 100644
--- a/test/Infrastructure.IntegrationTest/Auth/Repositories/UserRepositoryTests.cs
+++ b/test/Infrastructure.IntegrationTest/Repositories/UserRepositoryTests.cs
@@ -1,9 +1,11 @@
-using Bit.Core.AdminConsole.Repositories;
+using Bit.Core;
+using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Entities;
 using Bit.Core.Enums;
 using Bit.Core.Models.Data;
 using Bit.Core.Repositories;
 using Bit.Infrastructure.IntegrationTest.AdminConsole;
+using Microsoft.Data.SqlClient;
 using Xunit;
 
 namespace Bit.Infrastructure.IntegrationTest.Repositories;
@@ -179,4 +181,54 @@ public async Task DeleteManyAsync_WhenUsersHaveDefaultUserCollections_MigratesTo
         Assert.Equal(CollectionType.SharedCollection, updatedCollection2.Type);
         Assert.Equal(user2.Email, updatedCollection2.DefaultUserCollectionEmail);
     }
+
+    [Theory, DatabaseData]
+    public async Task SetKeyConnectorUserKey_UpdatesUserKey(IUserRepository userRepository, Database database)
+    {
+        var user = await userRepository.CreateTestUserAsync();
+
+        const string keyConnectorWrappedKey = "key-connector-wrapped-user-key";
+
+        var setKeyConnectorUserKeyDelegate = userRepository.SetKeyConnectorUserKey(user.Id, keyConnectorWrappedKey);
+
+        await RunUpdateUserDataAsync(setKeyConnectorUserKeyDelegate, database);
+
+        var updatedUser = await userRepository.GetByIdAsync(user.Id);
+
+        Assert.NotNull(updatedUser);
+        Assert.Equal(keyConnectorWrappedKey, updatedUser.Key);
+        Assert.True(updatedUser.UsesKeyConnector);
+        Assert.Equal(KdfType.Argon2id, updatedUser.Kdf);
+        Assert.Equal(AuthConstants.ARGON2_ITERATIONS.Default, updatedUser.KdfIterations);
+        Assert.Equal(AuthConstants.ARGON2_MEMORY.Default, updatedUser.KdfMemory);
+        Assert.Equal(AuthConstants.ARGON2_PARALLELISM.Default, updatedUser.KdfParallelism);
+        Assert.Equal(DateTime.UtcNow, updatedUser.RevisionDate, TimeSpan.FromMinutes(1));
+        Assert.Equal(DateTime.UtcNow, updatedUser.AccountRevisionDate, TimeSpan.FromMinutes(1));
+    }
+
+    private static async Task RunUpdateUserDataAsync(UpdateUserData task, Database database)
+    {
+        if (database.Type == SupportedDatabaseProviders.SqlServer && !database.UseEf)
+        {
+            await using var connection = new SqlConnection(database.ConnectionString);
+            connection.Open();
+
+            await using var transaction = connection.BeginTransaction();
+            try
+            {
+                await task(connection, transaction);
+
+                transaction.Commit();
+            }
+            catch
+            {
+                transaction.Rollback();
+                throw;
+            }
+        }
+        else
+        {
+            await task();
+        }
+    }
 }
diff --git a/util/Migrator/DbScripts/2025-12-11_00_User_UpdateKeyConnectorUserKey.sql b/util/Migrator/DbScripts/2025-12-11_00_User_UpdateKeyConnectorUserKey.sql
new file mode 100644
index 000000000000..cbf9ff5b7805
--- /dev/null
+++ b/util/Migrator/DbScripts/2025-12-11_00_User_UpdateKeyConnectorUserKey.sql
@@ -0,0 +1,35 @@
+IF OBJECT_ID('[dbo].[User_UpdateKeyConnectorUserKey]') IS NOT NULL
+BEGIN
+    DROP PROCEDURE [dbo].[User_UpdateKeyConnectorUserKey]
+END
+GO
+
+CREATE PROCEDURE [dbo].[User_UpdateKeyConnectorUserKey]
+    @Id UNIQUEIDENTIFIER,
+    @Key NVARCHAR(MAX),
+    @Kdf TINYINT,
+    @KdfIterations INT,
+    @KdfMemory INT,
+    @KdfParallelism INT,
+    @UsesKeyConnector BIT,
+    @RevisionDate DATETIME2(7),
+    @AccountRevisionDate DATETIME2(7)
+AS
+BEGIN
+    SET NOCOUNT ON
+
+UPDATE
+    [dbo].[User]
+SET
+    [Key] = @Key,
+    [Kdf] = @Kdf,
+    [KdfIterations] = @KdfIterations,
+    [KdfMemory] = @KdfMemory,
+    [KdfParallelism] = @KdfParallelism,
+    [UsesKeyConnector] = @UsesKeyConnector,
+    [RevisionDate] = @RevisionDate,
+    [AccountRevisionDate] = @AccountRevisionDate
+WHERE
+    [Id] = @Id
+END
+GO