debian-mirror-gitlab/doc/development/application_secrets.md

---
stage: none
group: unassigned
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
---

# Application secrets

This page is a development guide for application secrets.

## Secret entries

|Entry                             |Description                                                        |
|---                               |---                                                                |
|`secret_key_base`                 | The base key to be used for generating a various secrets          |
| `otp_key_base`                   | The base key for One Time Passwords, described in [User management](../raketasks/user_management.md#rotate-two-factor-authentication-encryption-key)              |
|`db_key_base`                     | The base key to encrypt the data for `attr_encrypted` columns     |
|`openid_connect_signing_key`      | The signing key for OpenID Connect                                |
| `encrypted_settings_key_base`    | The base key to encrypt settings files with                       |

## Where the secrets are stored

|Installation type                  |Location                                                          |
|---                                |---                                                               |
|Omnibus                            |[`/etc/gitlab/gitlab-secrets.json`](https://docs.gitlab.com/omnibus/settings/backups.html#backup-and-restore-omnibus-gitlab-configuration)                                 |
|Cloud Native GitLab Charts         |[Kubernetes Secrets](https://gitlab.com/gitlab-org/charts/gitlab/-/blob/f65c3d37fc8cf09a7987544680413552fb666aac/doc/installation/secrets.md#gitlab-rails-secret)|
|Source                             |`<path-to-gitlab-rails>/config/secrets.yml` (Automatically generated by [01_secret_token.rb](https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/initializers/01_secret_token.rb))                       |

## Warning: Before you add a new secret to application secrets

Before you add a new secret to [`config/initializers/01_secret_token.rb`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/initializers/01_secret_token.rb),
make sure you also update Omnibus GitLab or updates fail. Omnibus is responsible for writing the `secrets.yml` file.
If Omnibus doesn't know about a secret, Rails attempts to write to the file, but this fails because Rails doesn't have write access.
The same rules apply to Cloud Native GitLab charts, you must update the charts at first.
In case you need the secret to have same value on each node (which is usually the case) you need to make sure it's configured for all
GitLab.com environments prior to changing this file.

**Examples**

- [Change for source installation](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/27581)
- [Change for omnibus installation](https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/3267)
- [Change for omnibus installation](https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/4158)
- [Change for Cloud Native installation](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/1318)

## Further iteration

We may either deprecate or remove this automatic secret generation `01_secret_token.rb` in the future.
Please see [issue 222690](https://gitlab.com/gitlab-org/gitlab/-/issues/222690) for more information.
New upstream version 13.6.5 2021-01-29 00:20:46 +05:30			`---`
			`stage: none`
			`group: unassigned`
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments`
New upstream version 13.6.5 2021-01-29 00:20:46 +05:30			`---`

New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			`# Application secrets`

			`This page is a development guide for application secrets.`

			`## Secret entries`

			`\|Entry \|Description \|`
			`\|--- \|--- \|`
			\|`secret_key_base` \| The base key to be used for generating a various secrets \|
			\| `otp_key_base` \| The base key for One Time Passwords, described in [User management](../raketasks/user_management.md#rotate-two-factor-authentication-encryption-key) \|
			\|`db_key_base` \| The base key to encrypt the data for `attr_encrypted` columns \|
New upstream version 13.11.2+ds1 2021-04-29 21:17:54 +05:30			\|`openid_connect_signing_key` \| The signing key for OpenID Connect \|
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			\| `encrypted_settings_key_base` \| The base key to encrypt settings files with \|
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30
			`## Where the secrets are stored`

			`\|Installation type \|Location \|`
			`\|--- \|--- \|`
			\|Omnibus \|[`/etc/gitlab/gitlab-secrets.json`](https://docs.gitlab.com/omnibus/settings/backups.html#backup-and-restore-omnibus-gitlab-configuration) \|
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			`\|Cloud Native GitLab Charts \|[Kubernetes Secrets](https://gitlab.com/gitlab-org/charts/gitlab/-/blob/f65c3d37fc8cf09a7987544680413552fb666aac/doc/installation/secrets.md#gitlab-rails-secret)\|`
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			\|Source \|`<path-to-gitlab-rails>/config/secrets.yml` (Automatically generated by [01_secret_token.rb](https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/initializers/01_secret_token.rb)) \|

			`## Warning: Before you add a new secret to application secrets`

			Before you add a new secret to [`config/initializers/01_secret_token.rb`](https://gitlab.com/gitlab-org/gitlab/-/blob/master/config/initializers/01_secret_token.rb),
New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			make sure you also update Omnibus GitLab or updates fail. Omnibus is responsible for writing the `secrets.yml` file.
			`If Omnibus doesn't know about a secret, Rails attempts to write to the file, but this fails because Rails doesn't have write access.`
New upstream version 13.2.1 2020-07-28 23:09:34 +05:30			`The same rules apply to Cloud Native GitLab charts, you must update the charts at first.`
			`In case you need the secret to have same value on each node (which is usually the case) you need to make sure it's configured for all`
			`GitLab.com environments prior to changing this file.`

			`Examples`

			`- [Change for source installation](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/27581)`
			`- [Change for omnibus installation](https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/3267)`
			`- [Change for omnibus installation](https://gitlab.com/gitlab-org/omnibus-gitlab/-/merge_requests/4158)`
			`- [Change for Cloud Native installation](https://gitlab.com/gitlab-org/charts/gitlab/-/merge_requests/1318)`

			`## Further iteration`

New upstream version 13.7.7 2021-02-22 17:27:13 +05:30			We may either deprecate or remove this automatic secret generation `01_secret_token.rb` in the future.
			`Please see [issue 222690](https://gitlab.com/gitlab-org/gitlab/-/issues/222690) for more information.`