Rotate encryption key and JWT secrets

Self Hosted Retool
1

I just wonder if there are any way to rotate an encryption key or JWT secret?

We started fast and dirty and have had the secrets exposed in a private repo. But want to rotate now that its becoming more serious.

Are there any possibility to do so?

2

Hey @snorreentur!

  1. JWT Secret: You can change this at any time without issue. The only effect should be that users with current Retool sessions will be logged out and must log in again.

  2. Encryption Key: This one is more complicated. Once the key is switched, any encrypted values that are in the DB will no longer be able to be read. This generally manifests itself as the Resources page being empty despite resources existing on the instance. There are 2 different approaches to swapping out the encryption key.

    A) Remove the encrypted values from the db. All encrypted values in the db are prepended with __RETOOL_ENCRYPTED__. They are generally found in the Resources table in the databasePassword and options columns. Though if you are using Workflows, there will be some there as well.
    Options:

    Screenshot 2023-11-14 at 8.19.10 AM
    Screenshot 2023-11-14 at 8.19.10 AM1186×82 6.8 KB

    Password:
    Screenshot 2023-11-14 at 8.19.19 AM
    Screenshot 2023-11-14 at 8.19.19 AM696×202 9.52 KB

Setting these values to NULL will allow you to see all your resources in the UI when the key is swapped. The previously encrypted (now NULL) fields will be blank and you must replace the credentials in order for the resources to work again. The values will be encrypted with the new key and saved in the db.

B) Essentially start over with your resources. If you haven't created too many resources, or recreating them seems easier than performing db surgery and replacing the values once the new key is installed, then this is the option for you. You can delete all the resources (or only resources with encrypted values in the db), and simply recreate them after the key is swapped.

Bot processes are fairly manual, though we also have an internal ticket for supporting this in a more native, automated way. I've linked this post to that ticket and can update this thread as I get any additional information on it's status.

3

Thanks for the detailed response and great insight! Will have a look at it soon!