Application secrets

This page is a development guide for application secrets.

Secret entries

Entry Description
secret_key_base The base key to be used for generating a various secrets
otp_key_base The base key for One Time Passwords, described in User management
db_key_base The base key to encrypt the data for attr_encrypted columns
openid_connect_signing_key The signing key for OpenID Connect
encrypted_settings_key_base The base key to encrypt settings files with
ci_jwt_signing_key The base key for encrypting the CI_JOB_JWT and CI_JOB_JWT_V2 predefined CI/CD variables. CI_JOB_JWT and CI_JOB_JWT_V2 were deprecated in GitLab 15.9 and are scheduled to be removed in GitLab 17.0.

Where the secrets are stored

Installation type Location
Linux package /etc/gitlab/gitlab-secrets.json
Cloud Native GitLab Charts Kubernetes Secrets
Self-compiled <path-to-gitlab-rails>/config/secrets.yml (Automatically generated by 01_secret_token.rb)

Warning: Before you add a new secret to application secrets

Before you add a new secret to config/initializers/01_secret_token.rb, make sure you also update Omnibus GitLab or updates fail. Omnibus is responsible for writing the secrets.yml file. If Omnibus doesn’t know about a secret, Rails attempts to write to the file, but this fails because Rails doesn’t have write access. The same rules apply to Cloud Native GitLab charts, you must update the charts at first. In case you need the secret to have same value on each node (which is usually the case) you need to make sure it’s configured for all environments prior to changing this file.


Further iteration

We may either deprecate or remove this automatic secret generation 01_secret_token.rb in the future. See issue 222690 for more information.