Metabase stores connection information for the various databases you add in the Metabase application database. To prevent bad actors from being able to access these details if they were to gain access to
the application DB, Metabase can automatically encrypt them when they are saved, and decrypt them on-the-fly whenever they are needed. The only thing you need to do is set the environment variable
Your secret key must be at — version: v0.40 has_magic_breadcrumbs: true show_category_breadcrumb: true show_title_breadcrumb: true category: ‘Operations Guide’ title: ‘Encrypting Database Details at Rest’ source_url: ‘https://github.com/metabase/metabase/blob/master/docs/operations-guide/encrypting-database-details-at-rest.md’ —
least 16 characters (longer is even better!), and we recommend using a secure random key generator to generate it.
openssl is a good choice:
openssl rand -base64 32
This gives you a cryptographically-secure, randomly-generated 32-character key that will look something like
IYqrSi5QDthvFWe4/WdAxhnra5DZC3RKx3ZSrOJDKsM=. Set it as an environment variable and
start Metabase as usual:
MB_ENCRYPTION_SECRET_KEY="IYqrSi5QDthvFWe4/WdAxhnra5DZC3RKx3ZSrOJDKsM=" java -jar metabase.jar
Note Some versions of Linux interpret single-quotes (
') and double-quotes (
") differently for environment variable values, so if you upgrade to a newer version of Linux, and the key originally used single-quotes, you might need to wrap the key in double-quotes, so that the single-quotes are interpreted literally. For example,
MB_ENCRYPTION_SECRET_KEY='IYq...sM=' would be
Metabase will securely encrypt and store the connection details for any new Databases you add. (Connection details for existing databases will be encrypted as well if you save them in the admin panel). Existing databases with unencrypted details will continue to work normally.
Take care not to lose this key because you can’t decrypt connection details without it. If you lose (or change) the key, you’ll have to reset all of the connection details that have been encrypted with it in the Admin Panel.
You can rotate the encryption key using the cli command
rotate-encryption-key. This command needs both the current encryption key set as
MB_ENCRYPTION_SECRET_KEY and the new encryption key as a parameter.
MB_ENCRYPTION_SECRET_KEY=your-current-key java -jar metabase.jar rotate-encryption-key new-key
Metabase app should be stopped while running this command, and restarted with the new key as the
MB_ENCRYPTION_SECRET_KEY environment variable.
Note: As with all data migrations, it’s recommended that you backup your data before doing a key rotation.