The Encryption Password is used to protect the Vault unseal key and root token when the internal Vault is used. It allows us to store those details in PostgreSQL, which means that Vault depends only on the encryption password itself and the details stored in PostgreSQL.
Occasionally, customers may seek to rotate this password in order to fit their organizational requirements. This document outlines how to safely rotate the password to ensure that the application is able to successfully start.
In order to update the encryption password, the Terraform Enterprise application must be currently running. Once you’ve verified that the application is running, the following steps may be used to update the encryption password.
- Navigate to the installer dashboard at
- Click on “Settings” at the top of the page
- Enter a new value for the encryption password
- Click “Save” at the bottom of the page
- Restart the application
To verify that the encryption password has been updated to the new value, connect to the instance using SSH and run the following command. The command will output the entirety of the Replicated configuration, which contains the encryption password as the value of the
> replicatedctl app-config export
To show only the encryption password, the jq utility can be used as follows:
> replicatedctl app-config export | jq '.enc_password'
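Both commands above print the secret to the terminal. The following added example (not from the original article or from HashiCorp) checks the exported value against the expected new password without displaying either; the function names, the sample JSON, the placeholder file path, and the assumption that `enc_password` is exported either as a plain string or as an object with a `value` field are all assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: confirm a rotated encryption password without echoing it.

# Read an app-config export on stdin and print only the enc_password string.
# Assumption: the key holds either a plain string or an object with a "value"
# field. A missing, null, non-string or empty value makes jq exit non-zero.
extract_enc_password() {
  jq -er '.enc_password
          | if type == "object" then .value else . end
          | select(type == "string" and length > 0)'
}

# verify_enc_password FILE: compare the exported value (stdin) with the new
# password stored in FILE. Returns 0 on match, 1 on mismatch, 2 if the key
# cannot be read from the export or FILE cannot be read.
verify_enc_password() {
  local expected_file=$1 actual expected
  actual=$(extract_enc_password) || {
    echo "enc_password not found in export" >&2
    return 2
  }
  expected=$(cat -- "$expected_file") || return 2
  if [ "$actual" = "$expected" ]; then
    echo "enc_password matches the expected new value"
  else
    echo "enc_password differs from the expected value" >&2
    return 1
  fi
}

# Constructed sample export for offline testing; not output from a real instance.
sample_export() {
  printf '%s\n' '{"hostname":{"value":"tfe.example.com"},"enc_password":{"value":"constructed-new-secret"}}'
}

# On a real instance (the file path is a placeholder):
#   replicatedctl app-config export | verify_enc_password /root/new_enc_password
```

Keep the file holding the expected password readable only by the operator and remove it once the check passes.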