Customize a Secret Key for DM Encryption and Decryption
Before v8.0.0, DM uses a fixed AES-256 secret key to encrypt and decrypt passwords in the data source and migration task configurations. However, using a fixed secret key might pose security risks, especially in environments where security is crucial. To enhance security, starting from v8.0.0, DM removes the fixed secret key and enables you to customize a secret key.
Usage
- Create a custom key file, which must contain a 64-character hexadecimal AES-256 secret key. One way to generate this key is by calculating SHA256 checksum of random data, such as
head -n 256 /dev/urandom | sha256sum
. - In the DM-master command-line flags or configuration file, specify
secret-key-path
as the path of your custom key file.
Upgrade from a version earlier than v8.0.0
Because DM no longer uses the fixed secret key starting from v8.0.0, pay attention to the following when upgrading DM from versions earlier than v8.0.0:
- If plaintext passwords are used in both data source configurations and migration task configurations, no additional steps are required for the upgrade.
- If encrypted passwords are used in data source configurations and migration task configurations or if you want to use encrypted passwords in the future, you need to do the following:
- Add the
secret-key-path
parameter to the DM-master configuration file and specify it as the path of your custom key file. The file must contain a 64-character hexadecimal AES-256 key. If the fixed AES-256 secret key was used for encryption before upgrading, you can copy this secret key to your key file. Make sure all DM-master nodes use the same secret key configuration. - Perform a rolling upgrade of DM-master first, followed by a rolling upgrade of DM-worker. For more information, see Rolling upgrade.
- Add the
Update the secret key for encryption and decryption
To update the secret key used for encryption and decryption, take the following steps:
Update
secret-key-path
in the DM-master configuration file.Perform a rolling restart of DM-master.
Use the passwords encrypted with
tiup dmctl encrypt
(dmctl version >= v8.0.0) when you create new data source configuration files and migration task configuration files.