Encrypted Configuration

Introduced in GitLab 13.7.

GitLab can read settings for certain features from encrypted settings files. The supported features are:

In order to enable the encrypted configuration settings, a new base key needs to be generated for encrypted_settings_key_base. The secret can be generated in the following ways:

Omnibus Installation

Starting with 13.7 the new secret is automatically generated for you, but you will need to ensure your /etc/gitlab/gitlab-secrets.json contains the same values on all nodes.

GitLab Cloud Native Helm Chart

Starting with GitLab 13.7, the new secret is automatically generated if you have the shared-secrets chart enabled. Otherwise, you need to follow the secrets guide for adding the secret.

Source Installation

The new secret can be generated by running:

bundle exec rake gitlab:env:info RAILS_ENV=production GITLAB_GENERATE_ENCRYPTED_SETTINGS_KEY_BASE=true

This will print general information on the GitLab instance, but will also cause the key to be generated in <path-to-gitlab-rails>/config/secrets.yml