Airflow uses Fernet to encrypt passwords in the connection configuration and the variable configuration. It guarantees that a password encrypted using it cannot be manipulated or read without the key. Fernet is an implementation of symmetric (also known as “secret key”) authenticated cryptography.
The first time Airflow is started, the
airflow.cfg file is generated with the default configuration and the unique Fernet
key. The key is saved to option
fernet_key of section
You can also configure a fernet key using environment variables. This will overwrite the value from the
# Note the double underscores export AIRFLOW__CORE__FERNET_KEY=your_fernet_key
Generating Fernet key¶
If you need to generate a new fernet key you can use the following code snippet.
from cryptography.fernet import Fernet fernet_key = Fernet.generate_key() print(fernet_key.decode()) # your fernet_key, keep it in secured place!
Rotating encryption keys¶
Once connection credentials and variables have been encrypted using a fernet
key, changing the key will cause decryption of existing credentials to fail. To
rotate the fernet key without invalidating existing encrypted values, prepend
the new key to the
fernet_key setting, run
airflow rotate-fernet-key, and then drop the original key from
airflow rotate-fernet-keyto re-encrypt existing credentials with the new fernet key