Merge pull request sameersbn#3121 from kkimurak/issue/3112-add-active-record-secrets

sachilles · web-flow · commit ea284f1ea78f · 2025-06-19T19:45:57.000+02:00
Allow setting ActiveRecord encryption secrets
diff --git a/README.md b/README.md
@@ -159,6 +159,14 @@ Generate random strings that are at least `64` characters long for each of `GITL
 
 > **Tip**: You can generate a random string using `pwgen -Bsv1 64` and assign it as the value of `GITLAB_SECRETS_DB_KEY_BASE`.
 
+Also generate random strings that are typically `32` characters long for each of:
+
+- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`
+- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY`
+- `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`
+
+These values are used for `ActiveRecord::Encryption` encrypted columns. Details can be found under [Active Record Encryption](https://guides.rubyonrails.org/active_record_encryption.html).
+
 Start GitLab using:
 
 ```bash
@@ -197,6 +205,9 @@ docker run --name gitlab -d \
     --env 'GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alpha-numeric-string' \
     --env 'GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alpha-numeric-string' \
     --env 'GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alpha-numeric-string' \
+    --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=["long-and-random-alpha-numeric-string"]' \
+    --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alpha-numeric-string"]' \
+    --env 'GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alpha-numeric-string' \
     --volume /srv/docker/gitlab/gitlab:/home/git/data \
     sameersbn/gitlab:18.0.2
 ```
@@ -923,6 +934,18 @@ Encryption key for session secrets. Ensure that your key is at least 64 characte
 
  Encryption key for encrypted settings related stuff with GitLab. Ensure that your key is at least 64 characters long and that you don't lose it. **If you lose or change this secret, encrypted settings will not work and might cause errors in merge requests and so on** You can generate one using `pwgen -Bsv1 64`. No defaults.
 
+##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`
+
+The base key used to encrypt data for non-deterministic `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_primary_key` in `config/secrets.yml`. Ensure that your key is an alphanumeric string. Preferred to be 32 characters long. If you need to set multiple keys, set this parameter in the format `["first_primary_key","second_primary_key"]`. In `docker-compose.yml`, the value must NOT have additional quotes! **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults.
+
+##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY`
+
+The base key used to encrypt data for deterministic `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_deterministic_key` in `config/secrets.yml`. Ensure that your key is an alphanumeric string. Preferred to be 32 characters long. If you need to set multiple keys, set this parameter in the format `["first_deterministic_key","second_deterministic_key"]`. In `docker-compose.yml`, the value must NOT have additional quotes! **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults.
+
+##### `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`
+
+The salt used to encrypt data for `ActiveRecord::Encryption` encrypted columns. This value is used to set `active_record_encryption_key_derivation_salt` in `config/secrets.yml`. Ensure that your salt is an alphanumeric string. Preferred to be 32 characters long. **If you lose or change this secret, encrypted settings will not work and might cause errors in the API and the web interface.** No defaults.
+
 ##### `GITLAB_TIMEZONE`
 
 Configure the timezone for the gitlab application. This configuration does not effect cron jobs. Defaults to `UTC`. See the list of [acceptable values](http://api.rubyonrails.org/classes/ActiveSupport/TimeZone.html). For settings the container timezone which will affect cron, see variable `TZ`
@@ -2769,9 +2792,13 @@ Replace `x.x.x` with the version you are upgrading from. For example, if you are
 - **Step 4**: Start the image
 
 > **Note**: Since GitLab `8.0.0` you need to provide the `GITLAB_SECRETS_DB_KEY_BASE` parameter while starting the image.
+
 > **Note**: Since GitLab `8.11.0` you need to provide the `GITLAB_SECRETS_SECRET_KEY_BASE` and `GITLAB_SECRETS_OTP_KEY_BASE` parameters while starting the image. These should initially both have the same value as the contents of the `/home/git/data/.secret` file. See [Available Configuration Parameters](#available-configuration-parameters) for more information on these parameters.
+
 > **Note**: Since Gitlab 13.7 you need to provide the `GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE` parameter while starting the image.  If not provided, the key will be generated by gitlab. So you can start the image without setting this parameter. But you will lose the key when you shutting down the container without taking a backup of `secrets.yml`.
 
+> **Note**: Since Gitlab 17.8 you need to provide `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY`,`GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY` and `GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT`. If not provided, these keys will be generated by gitlab. The image can be started without setting these parameters, **but you will lose the settings when you shutting down the container without taking a backup of `secrets.yml` and settings stored securely (such as the Dependency Proxy) will be unusable and unrecoverable.**
+
 ```bash
 docker run --name gitlab -d [OPTIONS] sameersbn/gitlab:18.0.2
 ```
diff --git a/assets/runtime/config/gitlabhq/secrets.yml b/assets/runtime/config/gitlabhq/secrets.yml
@@ -7,6 +7,9 @@ production:
   secret_key_base: {{GITLAB_SECRETS_SECRET_KEY_BASE}}
   otp_key_base: {{GITLAB_SECRETS_OTP_KEY_BASE}}
   encrypted_settings_key_base: {{GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE}}
+  active_record_encryption_primary_key: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY}}
+  active_record_encryption_deterministic_key: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY}}
+  active_record_encryption_key_derivation_salt: {{GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT}}
 
 development:
   db_key_base: development
diff --git a/assets/runtime/env-defaults b/assets/runtime/env-defaults
@@ -251,10 +251,15 @@ GITLAB_UPLOADS_OBJECT_STORE_CONNECTION_GOOGLE_JSON_KEY_LOCATION=${GITLAB_UPLOADS
 GITLAB_MATTERMOST_ENABLED=${GITLAB_MATTERMOST_ENABLED:-false}
 GITLAB_MATTERMOST_URL=${GITLAB_MATTERMOST_URL:-https://mattermost.example.com}
 
+# secrets
 GITLAB_SECRETS_DB_KEY_BASE=${GITLAB_SECRETS_DB_KEY_BASE:-}
 GITLAB_SECRETS_SECRET_KEY_BASE=${GITLAB_SECRETS_SECRET_KEY_BASE:-}
 GITLAB_SECRETS_OTP_KEY_BASE=${GITLAB_SECRETS_OTP_KEY_BASE:-}
 GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=${GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE:-}
+GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY:-}
+GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY:-}
+GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=${GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT:-}
+
 GITLAB_NOTIFY_ON_BROKEN_BUILDS=${GITLAB_NOTIFY_ON_BROKEN_BUILDS:-true}
 GITLAB_NOTIFY_PUSHER=${GITLAB_NOTIFY_PUSHER:-false}
 
diff --git a/assets/runtime/functions b/assets/runtime/functions
@@ -888,7 +888,10 @@ gitlab_configure_secrets() {
   GITLAB_SECRETS_DB_KEY_BASE \
   GITLAB_SECRETS_SECRET_KEY_BASE \
   GITLAB_SECRETS_OTP_KEY_BASE \
-  GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE
+  GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE \
+  GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY \
+  GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY \
+  GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
 
   local shell_secret="${GITLAB_INSTALL_DIR}/.gitlab_shell_secret"
   if [[ ! -f "${shell_secret}" ]]; then
diff --git a/contrib/docker-swarm/docker-compose.yml b/contrib/docker-swarm/docker-compose.yml
@@ -60,6 +60,9 @@ services:
       - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
       - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
       - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=["long-and-random-alphanumeric-string"]
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alphanumeric-string"]
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alphanumeric-string
 
       - GITLAB_ROOT_PASSWORD=
       - GITLAB_ROOT_EMAIL=
diff --git a/docker-compose.swarm.yml b/docker-compose.swarm.yml
@@ -123,6 +123,9 @@ services:
       - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
       - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
       - GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE=long-and-random-alphanumeric-string
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=["long-and-random-alphanumeric-string"]
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alphanumeric-string"]
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alphanumeric-string
 
       - GITLAB_ROOT_PASSWORD=
       - GITLAB_ROOT_EMAIL=
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -62,6 +62,9 @@ services:
       - GITLAB_SECRETS_DB_KEY_BASE=long-and-random-alphanumeric-string
       - GITLAB_SECRETS_SECRET_KEY_BASE=long-and-random-alphanumeric-string
       - GITLAB_SECRETS_OTP_KEY_BASE=long-and-random-alphanumeric-string
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY=["long-and-random-alphanumeric-string"]
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY=["long-and-random-alphanumeric-string"]
+      - GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT=long-and-random-alphanumeric-string
 
       - GITLAB_ROOT_PASSWORD=
       - GITLAB_ROOT_EMAIL=
diff --git a/kubernetes/gitlab-rc.yml b/kubernetes/gitlab-rc.yml
@@ -29,6 +29,12 @@ spec:
           value: long-and-random-alpha-numeric-string
         - name: GITLAB_SECRETS_ENCRYPTED_SETTINGS_KEY_BASE
           value: long-and-random-alpha-numeric-string
+        - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY
+          value: '[long-and-random-alpha-numeric-string]'
+        - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY
+          value: '[long-and-random-alpha-numeric-string]'
+        - name: GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT
+          value: long-and-random-alpha-numeric-string
 
         - name: GITLAB_ROOT_PASSWORD
           value:
