docs-archive/apache-airflow/1.10.14/_sources/howto/secure-connections.rst.txt - airflow-site - Git at Google

  .. Licensed to the Apache Software Foundation (ASF) under one
     or more contributor license agreements.  See the NOTICE file
     distributed with this work for additional information
     regarding copyright ownership.  The ASF licenses this file
     to you under the Apache License, Version 2.0 (the
     "License"); you may not use this file except in compliance
     with the License.  You may obtain a copy of the License at

  ..   http://www.apache.org/licenses/LICENSE-2.0

  .. Unless required by applicable law or agreed to in writing,
     software distributed under the License is distributed on an
     "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
     KIND, either express or implied.  See the License for the
     specific language governing permissions and limitations
     under the License.


 Securing Connections
 ====================

 By default, Airflow will save the passwords for the connection in plain text
 within the metadata database. The ``crypto`` package is highly recommended
 during installation. The ``crypto`` package does require that your operating
 system has ``libffi-dev`` installed.

 If ``crypto`` package was not installed initially, it means that your Fernet key in ``airflow.cfg`` is empty.

 You can still enable encryption for passwords within connections by following below steps:

 #. Install crypto package ``pip install 'apache-airflow[crypto]'``
 #. Generate fernet_key, using this code snippet below. ``fernet_key`` must be a base64-encoded 32-byte key:

     .. code-block:: python

       from cryptography.fernet import Fernet
       fernet_key= Fernet.generate_key()
       print(fernet_key.decode()) # your fernet_key, keep it in secured place!

 #. Replace ``airflow.cfg`` fernet_key value with the one from ``Step 2``. *Alternatively,* you can store your ``fernet_key`` in OS environment variable - You do not need to change ``airflow.cfg`` in this case as Airflow will use environment variable over the value in ``airflow.cfg``:

     .. code-block:: bash

       # Note the double underscores
       export AIRFLOW__CORE__FERNET_KEY=your_fernet_key

 #. Restart the webserver
 #. For existing connections (the ones that you had defined before installing ``airflow[crypto]`` and creating a Fernet key), you need to open each connection in the connection admin UI, re-type the password, and save the change

 Rotating encryption keys
 ========================

 Once connection credentials and variables have been encrypted using a fernet
 key, changing the key will cause decryption of existing credentials to fail. To
 rotate the fernet key without invalidating existing encrypted values, prepend
 the new key to the ``fernet_key`` setting, run
 ``airflow rotate_fernet_key``, and then drop the original key from
 ``fernet_keys``:

 #. Set ``fernet_key`` to ``new_fernet_key,old_fernet_key``
 #. Run ``airflow rotate_fernet_key`` to re-encrypt existing credentials with the new fernet key
 #. Set ``fernet_key`` to ``new_fernet_key``
	.. Licensed to the Apache Software Foundation (ASF) under one
	or more contributor license agreements. See the NOTICE file
	distributed with this work for additional information
	regarding copyright ownership. The ASF licenses this file
	to you under the Apache License, Version 2.0 (the
	"License"); you may not use this file except in compliance
	with the License. You may obtain a copy of the License at

	.. http://www.apache.org/licenses/LICENSE-2.0

	.. Unless required by applicable law or agreed to in writing,
	software distributed under the License is distributed on an
	"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	KIND, either express or implied. See the License for the
	specific language governing permissions and limitations
	under the License.



	Securing Connections
	====================

	By default, Airflow will save the passwords for the connection in plain text
	within the metadata database. The ``crypto`` package is highly recommended
	during installation. The ``crypto`` package does require that your operating
	system has ``libffi-dev`` installed.

	If ``crypto`` package was not installed initially, it means that your Fernet key in ``airflow.cfg`` is empty.

	You can still enable encryption for passwords within connections by following below steps:

	#. Install crypto package ``pip install 'apache-airflow[crypto]'``
	#. Generate fernet_key, using this code snippet below. ``fernet_key`` must be a base64-encoded 32-byte key:

	.. code-block:: python

	from cryptography.fernet import Fernet
	fernet_key= Fernet.generate_key()
	print(fernet_key.decode()) # your fernet_key, keep it in secured place!

	#. Replace ``airflow.cfg`` fernet_key value with the one from ``Step 2``. Alternatively, you can store your ``fernet_key`` in OS environment variable - You do not need to change ``airflow.cfg`` in this case as Airflow will use environment variable over the value in ``airflow.cfg``:

	.. code-block:: bash

	# Note the double underscores
	export AIRFLOW__CORE__FERNET_KEY=your_fernet_key

	#. Restart the webserver
	#. For existing connections (the ones that you had defined before installing ``airflow[crypto]`` and creating a Fernet key), you need to open each connection in the connection admin UI, re-type the password, and save the change

	Rotating encryption keys
	========================

	Once connection credentials and variables have been encrypted using a fernet
	key, changing the key will cause decryption of existing credentials to fail. To
	rotate the fernet key without invalidating existing encrypted values, prepend
	the new key to the ``fernet_key`` setting, run
	``airflow rotate_fernet_key``, and then drop the original key from
	``fernet_keys``:

	#. Set ``fernet_key`` to ``new_fernet_key,old_fernet_key``
	#. Run ``airflow rotate_fernet_key`` to re-encrypt existing credentials with the new fernet key
	#. Set ``fernet_key`` to ``new_fernet_key``