Introduction
Terraform Enterprise’s encryption password is used to protect the Vault unseal key and root token when the internal (default) Vault is used. It allows Terraform Enterprise to store these values in the configured PostgreSQL database, which means that Vault is only dependent on the encryption password itself and details in the database.
Use Case
Occasionally, Terraform Enterprise administrators may seek to rotate this password in order to fit their organizational requirements. This document outlines how to safely rotate the password to ensure that the application is able to successfully start.
Procedure
In order to update the encryption password, the Terraform Enterprise application must be currently running. Once you’ve verified that the application is running, the following steps may be used to update the encryption password.
- Navigate to the installer dashboard at https://TFE_HOSTNAME:8800
- Click on Settings at the top of the page
- Enter a new value for the encryption password
- Click Save at the bottom of the page
- Restart the application
Additional Information
To verify that the encryption password has been updated to the new value, connect to the instance using SSH and run the following command. The command will output the entirety of the Replicated configuration, which contains the encryption password as the value of the enc_password object.
$ replicatedctl app-config export
To show only the encryption password, the jq utility may be used as follows:
$ replicatedctl app-config export | jq '.enc_password'
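The following is an added example, not part of the original article or of HashiCorp's tooling: a way to confirm the rotation without printing the password to the terminal or its scrollback. It assumes the export is JSON in which enc_password is an object with a "value" field; the script name and the sample data are constructed for illustration.

```python
"""Confirm a rotated encryption password without echoing it.

Run on the instance (the script name is hypothetical):
    replicatedctl app-config export | python3 check_enc_password.py
"""
import getpass
import hmac
import json
import sys

# Constructed sample of the export, only to illustrate the assumed shape.
SAMPLE_EXPORT = (
    '{"enc_password": {"value": "constructed-sample"},'
    ' "hostname": {"value": "tfe.example.com"}}'
)


def extract_enc_password(export_json):
    """Return the enc_password value from the exported configuration."""
    entry = json.loads(export_json).get("enc_password")
    # Assumption: each setting is an object carrying a "value" field.
    if not isinstance(entry, dict) or not isinstance(entry.get("value"), str):
        raise ValueError("enc_password.value not found in exported configuration")
    return entry["value"]


def password_matches(export_json, expected):
    """Compare the stored password with the expected one in constant time."""
    stored = extract_enc_password(export_json)
    return hmac.compare_digest(stored.encode(), expected.encode())


def main():
    export_json = sys.stdin.read()  # the piped export; never printed
    # stdin is the pipe, so getpass prompts on the controlling terminal
    # and keeps the typed value out of shell history and the process list.
    expected = getpass.getpass("Expected encryption password: ")
    try:
        ok = password_matches(export_json, expected)
    except ValueError as exc:  # also covers malformed JSON
        print(f"error: {exc}", file=sys.stderr)
        return 2
    print("enc_password matches" if ok else "enc_password does NOT match")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```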