How to update db_key_base


When we want to encrypt and save a field, there is a very useful method:

Gitlab::CryptoHelper.aes256_gcm_encrypt

I found that one of its default parameters depends on Gitlab::Application.secrets.db_key_base.

Case one

The client redeploys a new GitLab instance (which regenerates a different db_key_base) and wants to migrate the previous data over.

In this case, the decryption will not work.

Case two

We have discovered a potential leakage risk and need to use a new db_key_base.

Do we have documentation in this area to provide guidance?

Thanks!

Edited by 🤖 GitLab Bot 🤖
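
Both cases above come down to the same property of AES-256-GCM: a value encrypted under one key fails authentication under any other key, so a key change means decrypting with the old key and re-encrypting with the new one. The following is an added illustration, not code from this issue or from GitLab; the helper names, the `iv | tag | ciphertext` layout and the use of raw 32-byte keys are assumptions, and how GitLab derives its key from db_key_base is not shown here.

```ruby
require "openssl"
require "securerandom"

# Hypothetical helpers (not Gitlab::CryptoHelper): AES-256-GCM with a 32-byte key.
def gcm_encrypt(plaintext, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  iv = cipher.random_iv                      # fresh 12-byte nonce per value
  ct = cipher.update(plaintext) + cipher.final
  iv + cipher.auth_tag + ct                  # assumed layout: iv(12) | tag(16) | ct
end

def gcm_decrypt(blob, key)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = blob.byteslice(0, 12)
  cipher.auth_tag = blob.byteslice(12, 16)
  # final raises OpenSSL::Cipher::CipherError if the key (or data) is wrong
  cipher.update(blob.byteslice(28, blob.bytesize)) + cipher.final
end

# Re-encrypt stored values: decrypt with the old key, encrypt with the new one.
# Rows that do not authenticate under old_key are reported, never dropped silently.
def rotate(rows, old_key, new_key)
  rotated = {}
  failed = []
  rows.each do |id, blob|
    begin
      rotated[id] = gcm_encrypt(gcm_decrypt(blob, old_key), new_key)
    rescue OpenSSL::Cipher::CipherError
      failed << id
    end
  end
  [rotated, failed]
end

# Constructed sample data: two rows under the old key, one under an unknown key.
OLD_KEY = SecureRandom.random_bytes(32)
NEW_KEY = SecureRandom.random_bytes(32)
ROWS = {
  1 => gcm_encrypt("token-a", OLD_KEY),
  2 => gcm_encrypt("token-b", OLD_KEY),
  3 => gcm_encrypt("stray", SecureRandom.random_bytes(32))
}
ROTATED, FAILED = rotate(ROWS, OLD_KEY, NEW_KEY)
puts "rotated=#{ROTATED.keys.inspect} failed=#{FAILED.inspect}"
```

Row 3 stands in for case one: without the key it was written under, the value cannot be recovered, which is why the old db_key_base has to be available to the migration.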