Are the password and SSH key encrypted?

Hello,

For security reasons concerning some sensitive data, I would like to ask whether the user's password and the SSH key are encrypted or not. Thanks,

Cordially,

Mohamed Amine JARBOUI
Devops Intern

Password of user and SSH keys are encrypted.

Data is encrypted before it is saved to the database and is decrypted when required. The encryption/decryption process derives the AES-256 bit encryption key from <SECRET_KEY, field_name, primary_key> where field_name is the name of the Model field and primary_key is the database assigned auto-incremented record ID. Thus, if any attribute used in the key generation process changes, Tower fails to correctly decrypt the secret.

You can verify it with the following steps:

1. Go to the postgres container:

docker exec -it postgres /bin/bash

2. Log in as the AWX user:

# psql -U awx

3. List the databases that exist:

#\list

4. Connect to the awx database:

#\c awx

5. List all tables in the database:

#\d

6. Fetch the details of a specific table as you wish (in this case the user password is saved in the auth_user table):

#SELECT * FROM auth_user;

Best regards.

How can we rotate the secret_key? Is this possible? Perhaps with awx-manage or other commands executed directly on the DB?

Hey Harrison,

There’s a command for doing this, awx-manage regenerate_secret_key

https://github.com/ansible/awx/blob/devel/awx/main/management/commands/regenerate_secret_key.py

Running this command generates a new key and decrypts/re-encrypts all the secrets in the database. When it’s finished, the new key is printed and must be updated:

https://github.com/ansible/awx/blob/devel/installer/inventory#L116

The k8s installer can handle much of this for you:

https://github.com/ansible/awx/blob/abc6a842105999bfaadf312ed1fb9596574355bf/installer/roles/kubernetes/tasks/rekey.yml

I highly recommend backing up this key (and a dump of your database) before and after just so no mistakes are made.
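The per-field key derivation and the re-keying pass described in the replies above, as an added illustration that is not AWX's own code. The HMAC-SHA512 derivation, the SHA-256 keystream standing in for AES-256, and all function names are assumptions chosen so the sketch runs on the Python standard library alone.

```python
import hashlib
import hmac
import os


def derive_key(secret_key: str, field_name: str, pk: int) -> bytes:
    # Assumed KDF for illustration: HMAC-SHA512 over (field_name, pk).
    msg = f"{field_name}\x00{pk}".encode()
    return hmac.new(secret_key.encode(), msg, hashlib.sha512).digest()


def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in for AES-256 so the example runs on the standard library only.
    stream = b""
    for counter in range(len(data) // 32 + 1):
        stream += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_field(secret_key: str, field_name: str, pk: int, plaintext: str) -> bytes:
    key = derive_key(secret_key, field_name, pk)
    nonce = os.urandom(16)
    body = _xor_stream(key[:32], nonce, plaintext.encode())
    tag = hmac.new(key[32:], nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_field(secret_key: str, field_name: str, pk: int, blob: bytes) -> str:
    key = derive_key(secret_key, field_name, pk)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key[32:], nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Any change to SECRET_KEY, field name or primary key lands here.
        raise ValueError("cannot decrypt: key inputs do not match")
    return _xor_stream(key[:32], nonce, body).decode()


def rekey(rows, old_secret: str, new_secret: str):
    # rows: (field_name, pk, blob). Decrypt everything first so a failure
    # aborts before any row is rewritten under the new key.
    plain = [(f, pk, decrypt_field(old_secret, f, pk, b)) for f, pk, b in rows]
    return [(f, pk, encrypt_field(new_secret, f, pk, p)) for f, pk, p in plain]
```

Because the key depends on all three inputs, a row copied to a different record ID or column fails the tag check in the same way as a row read with the wrong SECRET_KEY.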

Wonderful! Thanks!