Securing Connections¶
By default, Airflow will save the passwords for the connection in plain text
within the metadata database. The crypto
package is highly recommended
during installation. The crypto
package does require that your operating
system has libffi-dev
installed.
If crypto
package was not installed initially, it means that your Fernet key in airflow.cfg
is empty.
You can still enable encryption for passwords within connections by following below steps:
Install crypto package
pip install 'apache-airflow[crypto]'
Generate fernet_key, using this code snippet below.
fernet_key
must be a base64-encoded 32-byte key:from cryptography.fernet import Fernet fernet_key= Fernet.generate_key() print(fernet_key.decode()) # your fernet_key, keep it in secured place!
Replace
airflow.cfg
fernet_key value with the one from Step 2. Alternatively, you can store your fernet_key in OS environment variable - You do not need to changeairflow.cfg
in this case as Airflow will use environment variable over the value inairflow.cfg
:# Note the double underscores export AIRFLOW__CORE__FERNET_KEY=your_fernet_key
Restart the webserver
For existing connections (the ones that you had defined before installing
airflow[crypto]
and creating a Fernet key), you need to open each connection in the connection admin UI, re-type the password, and save the change
Rotating encryption keys¶
Once connection credentials and variables have been encrypted using a fernet
key, changing the key will cause decryption of existing credentials to fail. To
rotate the fernet key without invalidating existing encrypted values, prepend
the new key to the fernet_key
setting, run
airflow rotate_fernet_key
, and then drop the original key from
fernet_keys
:
Set
fernet_key
tonew_fernet_key,old_fernet_key
Run
airflow rotate_fernet_key
to re-encrypt existing credentials with the new fernet keySet
fernet_key
tonew_fernet_key