Skip to content

Feature: access_key_encryption rotation #3685

New issue
New issue
Open
Open
Feature: access_key_encryption rotation#3685
Labels
feature
@maledb404

Description

@maledb404
maledb404
opened on Mar 5, 2026

Related to

Database

Impact

must have for enterprise usage

Missing Feature

Hi,

the doc explain how to enable encryption. https://semaphoreui.com/docs/admin-guide/security#data-encryption

Data encryption

Sensitive data is stored in the database, in an encrypted form. You should set the configuration option access_key_encryption in configuration file to enable Access Keys encryption. It must be generated by command:

head -c32 /dev/urandom | base64

@fiftin May you explain how can we rotate this access_key_encryption please.

We saw this code but it's commented

semaphore/services/server/access_key_encryption_svc.go

Lines 179 to 216 in cded9d0

func (s *accessKeyEncryptionServiceImpl) RekeyAccessKeys(oldKey string) (err error) {
//var globalProps = db.AccessKeyProps
//globalProps.IsGlobal = true
//
//for i := 0; ; i++ {
//
// var keys []db.AccessKey
// err = d.getObjects(-1, globalProps, db.RetrieveQueryParams{Count: RekeyBatchSize, Offset: i * RekeyBatchSize}, nil, &keys)
//
// if err != nil {
// return
// }
//
// if len(keys) == 0 {
// break
// }
//
// for _, key := range keys {
//
// err = s.DeserializeSecret(oldKey)
// err = key.DeserializeSecret2(oldKey)
//
// if err != nil {
// return err
// }
//
// key.OverrideSecret = true
// err = s.accessKeyRepo.UpdateAccessKey(key)
//
// if err != nil && !errors.Is(err, db.ErrNotFound) {
// return err
// }
// }
//}
return
}

Implementation

up to you

Design

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    feature

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions