Customize a Secret Key for DM Encryption and Decryption

Before v8.0.0, DM uses a fixed AES-256 secret key to encrypt and decrypt passwords in the data source and migration task configurations. However, using a fixed secret key might pose security risks, especially in environments where security is crucial. To enhance security, starting from v8.0.0, DM removes the fixed secret key and enables you to customize a secret key.

Usage

  1. Create a custom key file, which must contain a 64-character hexadecimal AES-256 secret key. One way to generate this key is to calculate the SHA256 checksum of random data, for example with head -n 256 /dev/urandom | sha256sum.
  2. In the DM-master command-line flags or configuration file, specify secret-key-path as the path of your custom key file.
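As an added example (not part of the DM documentation), the following shell helpers generate a key file with the command suggested above, restrict it to the owner, and check that it really holds exactly 64 hexadecimal characters before you point secret-key-path at it. The function names and the key file path are assumptions; only the generation command comes from the page.

```shell
#!/bin/sh
# Added example: generate and validate a custom AES-256 key file for DM-master.

# Write a 64-hex-character (256-bit) key to $1.
# Uses the SHA256-of-random-data approach from the docs; cut keeps only the
# hash, because raw sha256sum output ends with "  -" and would not be a valid key.
# The subshell scopes umask so the file is created readable by its owner only.
generate_dm_secret_key() {
  key_file="$1"
  (
    umask 077
    head -n 256 /dev/urandom | sha256sum | cut -d ' ' -f 1 > "$key_file"
  )
}

# Return 0 if $1 contains exactly 64 hex characters and nothing else
# (a single trailing newline is tolerated); otherwise print why and return 1.
validate_dm_secret_key() {
  key_file="$1"
  [ -f "$key_file" ] || { echo "missing key file: $key_file" >&2; return 1; }
  key=$(cat "$key_file")   # $(...) strips trailing newlines only
  if printf '%s' "$key" | grep -Eq '^[0-9a-fA-F]{64}$'; then
    return 0
  fi
  echo "invalid key in $key_file: expected 64 hex characters, got '$key'" >&2
  return 1
}
```

Run generate_dm_secret_key on the path you intend to use, then validate_dm_secret_key on the same path; only a file that passes validation should be referenced by secret-key-path.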

Upgrade from a version earlier than v8.0.0

Because DM no longer uses the fixed secret key starting from v8.0.0, pay attention to the following when upgrading DM from versions earlier than v8.0.0:

Update the secret key for encryption and decryption

To update the secret key used for encryption and decryption, take the following steps:

  1. Update secret-key-path in the DM-master configuration file.

  2. Perform a rolling restart of DM-master.

  3. Use the passwords encrypted with tiup dmctl encrypt (dmctl version >= v8.0.0) when you create new data source configuration files and migration task configuration files.
