Database Encryption

Pulp protects certain sensitive data by storing some database fields encrypted. This includes, for example, credentials used by remotes, storage configurations for domains and, in general, task arguments. The encryption uses a symmetric Fernet key, which must be provided in a file as a URL-safe base64-encoded string of 32 random bytes. This file is referenced by the DB_ENCRYPTION_KEY setting, and the same key file must be used by the whole installation. In containerized deployments, the setting can point to a suitably shaped cluster secret.

Note

Such a key is automatically generated by default when using the pulp-oci-images.

Warning

This key should be part of your backup strategy. Losing it results in failures to operate Pulp.

To generate such a key with openssl, use:

openssl rand -base64 32 > /etc/pulp/certs/database_fields.symmetric.key

Key Rotation

This file can contain multiple keys (one per line). The key on the first line is used for encryption, while all others are still tried when decrypting existing tokens. This allows you to rotate the key in the following way:

Key Rotation with Downtime

  1. Shut down all Pulp services (api, content and worker processes).
  2. Add a new key at the top of the key file.
  3. Call pulpcore-manager rotate-db-key.
  4. Remove the old key (on the second line) from the key file.
  5. Start the Pulp services again.

Key Rotation without Downtime

For a zero-downtime key rotation, follow this slightly more complex recipe:

  1. Add a new key at the bottom of the key file.
  2. Restart the Pulp services in the usual phased manner.
  3. Swap the keys in the key file.
  4. Restart the Pulp services again.
  5. Call pulpcore-manager rotate-db-key.
  6. Remove the old key (on the second line) from the key file.
  7. Restart the Pulp services for the last time.
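The following added example (not pulpcore's own code) models the key-file semantics behind both rotation recipes with the `cryptography` package's MultiFernet: the first line encrypts, every line may decrypt, and the re-encryption step is assumed to be what `pulpcore-manager rotate-db-key` performs. It shows why the zero-downtime recipe appends the new key at the bottom first: a process still running with the old file cannot read tokens produced under a key it does not have.

```python
# Added example, not part of the Pulp documentation or code base.
# Assumes the `cryptography` package; key names and values are constructed.
from typing import List

from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def load_keyring(key_file_text: str) -> MultiFernet:
    """Build a key ring from key file contents, one Fernet key per line.

    The first non-empty line is the encryption key; every line is a
    decryption candidate, tried in order.
    """
    keys = [line.strip() for line in key_file_text.splitlines() if line.strip()]
    if not keys:
        raise ValueError("key file contains no keys")
    return MultiFernet([Fernet(k) for k in keys])


def can_decrypt(key_file_text: str, token: bytes) -> bool:
    """True if a process reading this key file could decrypt the token."""
    try:
        load_keyring(key_file_text).decrypt(token)
        return True
    except InvalidToken:
        return False


def rotate_tokens(key_file_text: str, tokens: List[bytes]) -> List[bytes]:
    """Re-encrypt stored tokens under the first key (assumed rotate-db-key step)."""
    ring = load_keyring(key_file_text)
    return [ring.rotate(t) for t in tokens]


def demo() -> dict:
    old_key = Fernet.generate_key().decode()
    new_key = Fernet.generate_key().decode()
    old_file = old_key + "\n"                    # before rotation
    appended = old_key + "\n" + new_key + "\n"   # zero-downtime step 1
    swapped = new_key + "\n" + old_key + "\n"    # step 3: new key encrypts
    final = new_key + "\n"                       # step 6: old key removed

    secret = b"constructed-remote-password"
    token_old = load_keyring(old_file).encrypt(secret)
    token_new = load_keyring(swapped).encrypt(secret)
    rotated = rotate_tokens(swapped, [token_old])[0]
    return {
        "old_file_reads_new_token": can_decrypt(old_file, token_new),
        "appended_reads_both": can_decrypt(appended, token_old) and can_decrypt(appended, token_new),
        "rotated_readable_after_removal": can_decrypt(final, rotated),
        "unrotated_readable_after_removal": can_decrypt(final, token_old),
    }
```

The last result is the failure the downtime recipe avoids by running rotate-db-key before removing the old key: any value not re-encrypted becomes unreadable once its key leaves the file.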