Allow setting ActiveRecord encryption secrets

kkimurak · kkimurak · commit ac47124a0dd4 · 2025-06-17T18:53:25.000+09:00
Add environment variable to set entry in secrets.yml related to active record encryption - active_record_encryption_primary_key (can be multiple) - active_record_encryption_deterministic_key (can be multiple) - active_record_encryption_key_derivation_salt Reference for '32 characters length' recommendation: https://gitlab.com/gitlab-org/gitlab/-/blob/v18.0.0-ee/config/initializers/2_secret_token.rb#L78-80 TODO: fix command line usage in documentation
diff --git a/README.md b/README.md
@@ -159,6 +159,8 @@ Generate random strings that are at least `64` characters long for each of `GITL
 
 > **Tip**: You can generate a random string using `pwgen -Bsv1 64` and assign it as the value of `GITLAB_SECRETS_DB_KEY_BASE`.
 
+Also generate random strings that are typically `32` characters long for each of `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`, `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` and `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`. These values are used for `ActiveRecord::Encryption` encrypted columns.
+
 Start GitLab using:
 
 ```bash
@@ -188,6 +190,8 @@ docker run --name gitlab-redis -d \
 
 Step 3. Launch the gitlab container
 
+TODO: fix and verify command line option to set newly created keys (especially primary_key and deterministic_key : they must be an array)
+
 ```bash
 docker run --name gitlab -d \
     --link gitlab-postgresql:postgresql --link gitlab-redis:redisio \
@@ -197,6 +201,9 @@ docker run --name gitlab -d \
     --env 'GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alpha-numeric-string' \
     --env 'GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alpha-numeric-string' \
     --env 'GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alpha-numeric-string' \
+    --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=long-and-random-alpha-numeric-string' \
+    --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=long-and-random-alpha-numeric-string' \
+    --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alpha-numeric-string' \
     --volume /srv/docker/gitlab/gitlab:/home/git/data \
     sameersbn/gitlab:18.0.2
 ```
@@ -923,6 +930,26 @@ Encryption key for session secrets. Ensure that your key is at least 64 characte
 
  Encryption key for encrypted settings related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, encrypted settings will not work and might cause errors in merge requests and so on** You can generate one using `pwgen -Bsv1 64`. No defaults.
 
+##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`
+
+The base key to non-deterministically-encrypt data for `ActiveRecord::Encryption` encrypted columns. It can be used to set value for `active_record_encryption_primary_key` in config/secrets.yml.  
+Ensure that your key is alphanumeric string. Preferred to be 32 characters long.  
+If you need to set multiple keys, set this parameter like `["thisisfirstprimarykey","thisissecondprimarykey"]` for example. In docker-compose.yml, you have to quote whole value.  
+No defaults.
+
+##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY`
+
+The base key to deterministically-encrypt data for `ActiveRecord::Encryption` encrypted columns. It can be used to set value for `active_record_encryption_deterministic_key` in config/secrets.yml.  
+Ensure that your key is alphanumeric string. Preferred to be 32 characters long.  
+If you need to set multiple keys, set this parameter like `["thisisfirstprimarykey","thisissecondprimarykey"]` for example. In docker-compose.yml, you have to quote whole value.  
+No defaults.
+
+##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`
+
+The derivation salt to encrypt data for ActiveRecord::Encryption encrypted columns. It can be used to set value for `active_record_encryption_key_derivation_salt` in config/secrets.yml.  
+Ensure that your key is alphanumeric string. Preferred to be 32 characters long.  
+No defaults.
+
 ##### `GITLAB_TIMEZONE`
 
 Configure the timezone for the gitlab application. This configuration does not effect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). For settings the container timezone which will affect cron, see variable `TZ`
@@ -2771,6 +2798,7 @@ Replace `x.x.x` with the version you are upgrading from. For example, if you are
 > **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image.
 > **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters.
 > **Note**: Since Gitlab 13.7 you need to provide the `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` parameter while starting the image.  If not provided, the key will be generated by gitlab. So you can start the image without setting this parameter. But you will lose the key when you shutting down the container without taking a backup of `secrets.yml`.
+> **Note**: Since Gitlab 17.8 you need to provide `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`,`GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` and `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`. If not provided, these keys will be generated by gitlab. So you can start the image without setting this parameter. But you will lose the key when you shutting down the container without taking a backup of `secrets.yml` and result to unusable stage of some features such as dependency proxy.
 
 ```bash
 docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:18.0.2
diff --git a/assets/runtime/config/gitlabhq/secrets.yml b/assets/runtime/config/gitlabhq/secrets.yml
@@ -7,6 +7,9 @@ production:
   secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}}
   otp_key_base: {{GITLAB_SECRETS_OTP_KEY_BASE}}
   encrypted_settings_key_base: {{GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE}}
+  active_record_encryption_primary_key: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY}}
+  active_record_encryption_deterministic_key: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY}}
+  active_record_encryption_key_derivation_salt: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT}}
 
 development:
   db_key_base: development
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
@@ -251,10 +251,15 @@ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_UPLOADS
 GITLAB_MATTERMOST_ENABLED=${GITLAB_MATTERMOST_ENABLED:-false}
 GITLAB_MATTERMOST_URL=${GITLAB_MATTERMOST_URL:-https://mattermost.example.com}
 
+# secrets
 GITLAB_SECRETS_DB_KEY_BASE=${GITLAB_SECRETS_DB_KEY_BASE:-}
 GITLAB_SECRETS_SECRET_KEY_BASE=${GITLAB_SECRETS_SECRET_KEY_BASE:-}
 GITLAB_SECRETS_OTP_KEY_BASE=${GITLAB_SECRETS_OTP_KEY_BASE:-}
 GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=${GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE:-}
+GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY:-}
+GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY:-}
+GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT:-}
+
 GITLAB_NOTIFY_ON_BROKEN_BUILDS=${GITLAB_NOTIFY_ON_BROKEN_BUILDS:-true}
 GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false}
 
diff --git a/assets/runtime/functions b/assets/runtime/functions
@@ -888,7 +888,10 @@ gitlab_configure_secrets() {
   GITLAB_SECRETS_DB_KEY_BASE \
   GITLAB_SECRETS_SECRET_KEY_BASE \
   GITLAB_SECRETS_OTP_KEY_BASE \
-  GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE
+  GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE \
+  GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY \
+  GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY \
+  GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
 
   local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret"
   if [[ ! -f "${shell_secret}" ]]; then
diff --git a/contrib/docker-swarm/docker-compose.yml b/contrib/docker-swarm/docker-compose.yml
@@ -60,6 +60,9 @@ services:
       - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
       - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
       - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=["long-and-random-alphanumeric-string"]
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alphanumeric-string"]
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alphanumeric-string
 
       - GITLAB_ROOT_PASSWORD=
       - GITLAB_ROOT_EMAIL=
diff --git a/docker-compose.swarm.yml b/docker-compose.swarm.yml
@@ -123,6 +123,9 @@ services:
       - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
       - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
       - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=["long-and-random-alphanumeric-string"]
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alphanumeric-string"]
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alphanumeric-string
 
       - GITLAB_ROOT_PASSWORD=
       - GITLAB_ROOT_EMAIL=
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -62,6 +62,9 @@ services:
       - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
       - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
       - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=["long-and-random-alphanumeric-string"]
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alphanumeric-string"]
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alphanumeric-string
 
       - GITLAB_ROOT_PASSWORD=
       - GITLAB_ROOT_EMAIL=
diff --git a/kubernetes/gitlab-rc.yml b/kubernetes/gitlab-rc.yml
@@ -29,6 +29,12 @@ spec:
           value: long-and-random-alpha-numeric-string
         - name: GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE
           value: long-and-random-alpha-numeric-string
+        - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+          value: '[long-and-random-alpha-numeric-string]'
+        - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+          value: '[long-and-random-alpha-numeric-string]'
+        - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
+          value: long-and-random-alpha-numeric-string
 
         - name: GITLAB_ROOT_PASSWORD
           value:
