Metabase stores connection information for the various databases you add in the Metabase application database. To prevent bad actors from being able to access these details if they were to gain access to the application DB, Metabase can automatically encrypt them with AES256 + SHA512 when they are saved, and decrypt them on-the-fly whenever they are needed.
Take care not to lose this key because you can’t decrypt connection details without it. If you lose (or change) the key, you’ll have to reset all of the connection details that have been encrypted with it in the Admin Panel.
Use openssl to generate a cryptographically-secure, randomly-generated 32-character key:
openssl rand -base64 32
MB_ENCRYPTION_SECRET_KEY="IYqrSi5QDthvFWe4/WdAxhnra5DZC3RKx3ZSrOJDKsM=" java -jar metabase.jar
Once you set the MB_ENCRYPTION_SECRET_KEY value, Metabase will securely encrypt and store the connection details for each new database that you add.
Some versions of Linux interpret single-quotes (') and double-quotes (") differently for environment variable values. If you upgrade to a newer version of Linux, and the key originally used single-quotes, you might need to wrap the key in double-quotes, so that the single-quotes are interpreted literally. For example,
If you added databases before setting the MB_ENCRYPTION_SECRET_KEY value, you can encrypt the connection details by going to each one of those databases in Admin settings > Databases and clicking on the Save button. Existing databases with unencrypted details will continue to work normally.
MB_ENCRYPTION_SECRET_KEY=your-current-key java -jar metabase.jar rotate-encryption-key new-key
To disable an encryption key, follow the steps to rotate an encryption key, but use an empty string ("") as the new key.
MB_ENCRYPTION_SECRET_KEY="your-current-key" java -jar metabase.jar rotate-encryption-key ""
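The warning about losing or changing the key, and the note about quote handling after a Linux upgrade, both come down to whether Metabase receives exactly the same key bytes as before. The following is an added example, not part of Metabase or its documentation: a POSIX shell check that compares the current key against a fingerprint recorded earlier and reports whether literal quote characters account for a difference. The function names, the MB_KEY_FP_FILE variable and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example: check that MB_ENCRYPTION_SECRET_KEY is byte-for-byte the key
# used before. Function names and MB_KEY_FP_FILE are hypothetical; sha256sum
# (GNU coreutils) is assumed to be installed.

# SHA-256 of the exact key bytes (no trailing newline), so the key can be
# compared across restarts and upgrades without printing it.
key_fingerprint() {
  printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Remove one pair of matching outer quote characters, if present.
strip_outer_quotes() {
  case "$1" in
    \'*\') v=${1#\'}; v=${v%\'}; printf '%s' "$v" ;;
    \"*\") v=${1#\"}; v=${v%\"}; printf '%s' "$v" ;;
    *)     printf '%s' "$1" ;;
  esac
}

# Compare the current key with a recorded fingerprint and print one of:
#   match                  same key as before
#   wrap-in-single-quotes  the old key included literal single-quotes
#   strip-outer-quotes     the current value carries quotes the old key lacked
#   mismatch               a different key (lost or changed)
diagnose_key() {
  key=$1; recorded=$2
  if [ "$(key_fingerprint "$key")" = "$recorded" ]; then
    echo "match"; return 0
  fi
  if [ "$(key_fingerprint "'$key'")" = "$recorded" ]; then
    echo "wrap-in-single-quotes"; return 1
  fi
  stripped=$(strip_outer_quotes "$key")
  if [ "$stripped" != "$key" ] &&
     [ "$(key_fingerprint "$stripped")" = "$recorded" ]; then
    echo "strip-outer-quotes"; return 1
  fi
  echo "mismatch"; return 1
}

# Run the check only when both the key and a recorded fingerprint exist.
if [ -n "${MB_ENCRYPTION_SECRET_KEY:-}" ] && [ -r "${MB_KEY_FP_FILE:-}" ]; then
  diagnose_key "$MB_ENCRYPTION_SECRET_KEY" "$(cat "$MB_KEY_FP_FILE")"
fi
```

Record the fingerprint with key_fingerprint while Metabase can still decrypt its connection details, and keep that file out of logs and version control.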