Skip to content

Pulp Project

Configure DB Encryption

Pulp Project

Home
User Manual
User Manual
- Core
  Core
  - Pulp Core
    
    Pulp Core
    
    Usage
    Usage
    
    Tutorials
    
    Tutorials
    
    How-to Guides
    How-to Guides
    
    Create client bindings
    
    Enable and create Domains
    
    Manage Labels
    
    Reclaim disk space
    
    Repair Pulp
    
    Troubleshoot tasks
    
    Update Repository Version Retention
    
    Upload and Publish Content
    
    Use Complex Filtering
    
    Learn More
    Learn More
    
    Concepts and Terminology
    
    Changes From Pulp 2
    
    Lifecyle Promotion Support
    
    On-Demand Downloading
    
    Pulp Versioning
    
    Administration
    Administration
    
    How-to Guides
    How-to Guides
    
    Authentication
    Authentication
    
    Using Basic Auth
    
    Using external service
    
    Using Keycloak
    
    Using JSON Header
    
    Configure Pulp
    
    Import/Export Repositories
    
    Integrate Kafka
    
    Integrate with Sentry or GlitchTip
    
    Remove Plugins
    
    Sign Metadata
    
    Troubleshoot
    
    Learn More
    Learn More
    
    Architecture
    
    Reference
    Reference
    
    Settings
    
    Tech Previews
    
    REST API
    
    Changelog
- Content
  Content
  - Ansible
    
    Ansible
    
    Usage
    
    Usage
    
    How-to Guides
    How-to Guides
    
    Collection Workflows
    
    Copy Workflows
    
    Role Workflows
    
    Signature Workflows
    
    Administration
    Administration
    
    Reference
    Reference
    
    Settings
    
    REST API
    
    Changelog
  - Container
    
    Container
    
    Usage
    Usage
    
    Tutorials
    Tutorials
    
    Mirror and Host Images
    
    How-to Guides
    How-to Guides
    
    Manage Cosign Signatures
    
    Manage Credentials
    
    Manage Flatpak Images
    
    Manage Helm Charts
    
    Manage Images
    
    Push Images
    
    Registry catalog
    
    Administration
    Administration
    
    How-to Guides
    How-to Guides
    
    Build Images
    
    OCI Artifacts Support
    
    Customize Access Policies
    
    Customize Roles
    
    Export and Import Images
    
    Migrate from Permissions to Roles
    
    Configure Pull-Through Caching
    
    Sign Images
    
    Learn More
    Learn More
    
    Authentication
    
    Role-based Access Control
    
    Tech Previews
    
    REST API
    
    Changelog
  - Debian
    
    Debian
    
    Usage
    
    Usage
    
    How-to Guides
    How-to Guides
    
    Setting up API tooling
    
    Repository Synchronization
    
    Package Uploads
    
    Publish Repositories
    
    Signing Service Creation
    
    Advanced Copy
    
    Configuring Checksums
    
    REST API
    
    Changelog
  - File
    
    File
    
    Usage
    Usage
    
    How-to Guides
    How-to Guides
    
    Synchronize a Repository
    
    Publish and Host
    
    Upload Content
    
    Administration
    Administration
    
    How-to Guides
    How-to Guides
    
    Role Based Access Control
    
    Alternate Content Sources
    
    REST API
    
    Changelog
  - Gem
    
    Gem
    
    Usage
    Usage
    
    Tutorials
    Tutorials
    
    Quickstart
    
    Using Custom Certificates
    
    How-to Guides
    How-to Guides
    
    Upload and Manage Content
    
    Synchronize a Repository
    
    Publish and Host a Repository
    
    Cache rubygems.org
    
    REST API
    
    Changelog
  - Maven
    
    Maven
    
    Usage
    Usage
    
    Tutorials
    Tutorials
    
    Quickstart
    
    How-to Guides
    How-to Guides
    
    Cache a Maven Repository
    
    Deploy a project to Pulp
    
    REST API
    
    Changelog
  - OSTree
    
    OSTree
    
    Usage
    
    Usage
    
    Tutorials
    Tutorials
    
    Mirror and Host Content
    
    How-to Guides
    How-to Guides
    
    Import Commit
    
    Modify Content
    
    REST API
    
    Changelog
  - Python
    
    Python
    
    Usage
    Usage
    
    How-to Guides
    How-to Guides
    
    Setup your own PyPI
    
    Sync from Remote Repositories
    
    Upload and Manage Content
    
    Publish and Host Python Content
    
    Learn More
    Learn More
    
    Tech previews
    
    Administration
    Administration
    
    How-to Guides
    How-to Guides
    
    Role Base Access Control in Pulp Python
    
    Reference
    Reference
    
    Settings
    
    REST API
    
    Changelog
  - RPM
    
    RPM
    
    Usage
    
    Usage
    
    Tutorials
    Tutorials
    
    Create, Sync and Publish a Repository
    
    How-to Guides
    How-to Guides
    
    Get Content from Pulp
    
    Upload Content
    
    Modify Content
    
    Alternate Content Source
    
    Sign Repository Metadata
    
    Sign Packages
    
    Prune Packages
    
    Learn More
    Learn More
    
    Core RPM Concepts
    
    Administration
    
    Administration
    
    How-to Guides
    How-to Guides
    
    Register Signing Services
    
    Configure Role Based Access Control
    
    Reference
    Reference
    
    Settings
    
    REST API
    
    Changelog
- Deployment
  Deployment
  - Operator
    
    Operator
    
    Usage
    Usage
    
    Tutorials
    Tutorials
    
    Getting started
    
    How-to Guides
    How-to Guides
    
    Common issues
    
    Administration
    
    Administration
    
    Tutorials
    Tutorials
    
    Quickstart with Kubernetes
    
    Quickstart with OpenShift
    
    How-to Guides
    How-to Guides
    
    Backup and restore
    Backup and restore
    
    Overview of Backup/Restore Operations
    
    Configure and Run Backup/Restore
    
    Schedule Backups
    
    Configurations
    Configurations
    
    Configure Pulp Cache
    
    Configure Pulp Allowed Content Checksums
    
    Certificate injection in Pulp containers
    
    Configure Custom Environment Variables
    
    Configure Pulp Database
    
    Galaxy Deployment
    
    LDAP Authentication
    
    LOG LEVEL
    
    Configure Metadata Signing
    
    Specify a Disruption Budget
    
    Advanced pod scheduling
    
    Setting Pod Resources
    
    Settings
    
    Reset Pulp Admin Password
    
    Pulp Operator Secrets
    
    Pulp Operator storage configuration
    
    Enable metrics collection
    
    Disable the Operator
    
    Networking
    Networking
    
    Expose Pulp to outside of Kubernetes cluster
    
    Reverse Proxy
    
    Routes
    
    Install
    Install
    
    Highly Available Pulp
    
    Install Pulp Operator with Helm
    
    Install Pulp Operator in OpenShift environments
    
    Troubleshoot
    Troubleshoot
    
    Gather data about Pulp installation
    
    Troubleshoot installations
    
    Learn More
    Learn More
    
    Basic Concepts
    
    Reference
    Reference
    
    Pulp Images
    
    Custom resources
    Custom resources
    
    Backup
    
    Repo manager
    
    Restore
    
    Changelog
  - Pulp OCI Images
    
    Pulp OCI Images
    
    Administration
    Administration
    
    Tutorials
    Tutorials
    
    Quickstart
    
    How-to Guides
    How-to Guides
    
    Build your own Pulp image
    
    Configure an SSL Certificate
    
    Configure DB Encryption Configure DB Encryption
    Table of contents
    
    ROTATING THE DATABASE ENCRYPTION KEY
    
    Configure a Signing Service
    
    Migrate from pulp_installer to a multi-process container
    
    Reference
    Reference
    
    Available images
    
    Available images
    
    Multi-Process Images
    
    Single-Process Images
    
    Changelog
- Interaction
  Interaction
  - OpenAPI Generator
    
    OpenAPI Generator
    
    Usage
    
    Usage
    
    How-to Guides
    How-to Guides
    
    Generate Bindings
    
    Changelog
  - Pulp CLI
    
    Pulp CLI
    
    Usage
    Usage
    
    How-to Guides
    How-to Guides
    
    Installation
    
    Configuration
    
    Advanced Features
    
    Reference
    Reference
    
    Using the CLI
    
    Supported Workflows
    
    Authentication Methods
    
    Changelog
  - Pulp Glue
    
    Pulp Glue
    
    Changelog
  - Pulp UI
    
    Pulp UI
    
    Changelog
- Other
  Other
  - Certguard
    
    Certguard
    
    Usage
    Usage
    
    Tutorials
    Tutorials
    
    Quickstart
    
    Configure yum/dnf
    
    Learn More
    Learn More
    
    Debugging
    
    Overview
    
    Administration
    Administration
    
    How-to Guides
    How-to Guides
    
    Reverse Proxy Config
    
    Changelog
  - Selinux
    
    Selinux
    
    Administration
    
    Administration
    
    How-to Guides
    How-to Guides
    
    Extend webserver support
    
    Changelog
Developer Manual
Developer Manual
- Core
  Core
  - Pulp Core
    
    Pulp Core
    
    Tutorials
    Tutorials
    
    Contributing with docs
    
    Contributing with code
    
    How-to Guides
    How-to Guides
    
    Git
    
    Plugin Walkthrough
    
    Pull Request Walkthrough
    
    Write and run tests
    
    Learn More
    Learn More
    
    Plugin Concepts
    
    Architecture
    Architecture
    
    Pulp Platform Application Layout
    
    REST API Guidelines
    
    Domains
    Domains
    
    Adding Domain Compatibility to a Plugin
    
    Other
    Other
    
    Content Protection
    
    Documentation
    
    Error Handling
    
    How Plugins Work
    
    Documenting your API
    
    Metadata Signing
    
    Object Relationships
    
    On-Demand Support
    
    Plugin Planning Guide
    
    Releasing Your Plugin
    
    Task Scheduling
    
    Rbac
    
    Rbac
    
    Defining an Access Policy
    
    Adding Automatic Permissions for New Objects
    
    Permissions and Roles
    
    Restricting Viewable Objects
    
    Users and Groups
    
    Subclassing
    Subclassing
    
    Pulp Import/Export
    
    Models
    
    Pull-Through Caching
    
    Pulp Replication
    
    Serializers
    
    Viewsets
    
    Sync pipeline
    Sync pipeline
    
    Synchronizing Repositories with the async-Pipeline
    
    Tasks
    Tasks
    
    Adding and Removing Content
    
    Diagnostics
    
    Publish
    
    Reference
    Reference
    
    Code Style Guide
    
    Code api
    Code api
    
    Base Models
    
    Platform api
    
    Platform api
    
    pulp.constants
    
    pulp.exceptions
    
    pulp.tasking
    
    App
    
    App
    
    pulp.app.apps
    
    pulp.app.auth
    
    pulp.app.models
    
    pulp.app.response
    
    pulp.app.serializers
    
    pulp.app.settings
    
    pulp.app.urls
    
    pulp.app.viewsets
    
    Plugins api
    
    Plugins api
    
    pulpcore.plugin.content
    
    pulpcore.plugin.download
    
    pulpcore.plugin.exceptions
    
    pulpcore.plugin.models
    
    pulpcore.plugin.serializers
    
    pulpcore.plugin.stages
    
    pulpcore.plugin.storage
    
    pulpcore.plugin.tasking
    
    pulpcore.plugin.util
    
    pulpcore.plugin.viewsets
- Content
  Content
  - Ansible
    
    Ansible
    
    Reference
    Reference
    
    Testing
  - Debian
    
    Debian
    
    How-to Guides
    How-to Guides
    
    Client Bindings
    
    Plugin Maintenance
  - RPM
    
    RPM
    
    How-to Guides
    How-to Guides
    
    Client Bindings
- Deployment
  Deployment
  - Operator
    
    Operator
  - Pulp OCI Images
    
    Pulp OCI Images
    
    How-to Guides
    How-to Guides
    
    Release an Image
- Interaction
  Interaction
  - OpenAPI Generator
    
    OpenAPI Generator
  - Pulp CLI
    
    Pulp CLI
    
    How-to Guides
    How-to Guides
    
    Contributing to the CLI
    
    Learn More
    Learn More
    
    Pulp CLI Architecture
    
    Reference
    Reference
    
    pulpcore.cli.common.generic
  - Pulp Glue
    
    Pulp Glue
    
    Learn More
    Learn More
    
    Pulp Glue Architecture
    
    Reference
    Reference
    
    pulp_glue.common.context
    
    pulp_glue.common.i18n
    
    pulp_glue.common.openapi
    
    pulp_glue.core.context
- Other
  Other
  - OCI Env
    
    OCI Env
    
    Tutorials
    Tutorials
    
    Getting started
    
    How-to Guides
    How-to Guides
    
    Create Custom Profiles
    
    Run multiple environments
    
    Run Tests
    
    Troubleshooting
    Troubleshooting
    
    MacOS machines
    
    Learn More
    Learn More
    
    How it Works
    
    Reference
    Reference
    
    Profile Configuration
    
    Profiles
    Profiles
    
    galaxy_base
    
    galaxy_ui
    
    local_fixtures
    
    OpenTelemetry Developer Environment Profile
    
    pminio
    
    pulp_ansible_base
    
    pulp_container_base
    
    pulp_rpm_base
  - Pulp Docs
    
    Pulp Docs
    
    Tutorials
    Tutorials
    
    Getting Started
    
    How-to Guides
    How-to Guides
    
    Create plugin Overview Pages
    
    Reference
    Reference
    
    Architecture
    
    Markdown Cheatsheet
  - Selinux
    
    Selinux
    
    How-to Guides
    How-to Guides
    
    Release Guide
Blog
Blog
- Archive
  Archive
  - 2024
  - 2023
  - 2022
  - 2021
  - 2020
  - 2019
  - 2018
  - 2017
  - 2016
  - 2015
  - 2014
  - 2013
  - 2012
  - 2011
- Categories
  Categories
  - 2.0
  - Development
  - Releases
  - Spotlight
  - Uncategorized
Help
Help
- Community
  Community
  - Get involved
  - PulpCon
- More
  More
  - Documentation Usage
  - Why Pulp?
  - Governance
    Governance
    
    Code of Conduct
    
    Privacy Policy

Configure DB Encryption¶

Pulp uses a symmetric fernet key to encrypt sensitive fields in the database.
The default location of the key is /etc/pulp/certs/database_fields.symmetric.key.

The key is automatically generated and is stored in /etc/pulp/certs/database_fields.symmetric.key.
The script to generate the key can be found at: https://github.com/pulp/pulp-oci-images/blob/latest/images/s6_assets/init/db-fields-key-create

list of commands that db-fields-key-create script runs to generate the key:

openssl rand -base64 32 > /etc/pulp/certs/database_fields.symmetric.key
chmod 640 /etc/pulp/certs/database_fields.symmetric.key
chown root:pulp /etc/pulp/certs/database_fields.symmetric.key

ROTATING THE DATABASE ENCRYPTION KEY¶

It is not possible to rotate the database encryption key yet.
Check pulpcore issue #2048 for further information: https://github.com/pulp/pulpcore/issues/2048