New
Discover how Dropbox streamlined dev environments & cut costs by switching 1000 developers to Coder

Read the success story

Get a Demo
About
Architecture
Installation
Kubernetes
Docker
OpenShift
Offline deployments
External database
Uninstall
1-click install
Releases
Platforms
AWS
Azure
Docker
GCP
Kubernetes
Additional clusters
Deployment logs
Other platforms
Templates
Working with templates
Your first template
Guided tour
Setting up templates
Change management
Provider authentication
Resource persistence
Terraform modules
Customizing templates
Agent metadata
Resource metadata
UI Resource Ordering
Parameters
Variables
Administering templates
General settings
Permissions
Workspace Scheduling
Open in Coder
Docker in workspaces
Dev Containers
Troubleshooting templates
Process Logging
Icons
Workspaces
IDEs
Web IDEs
JetBrains Gateway
Emacs
Remote Desktops
Networking
Port Forwarding
STUN and NAT
Dotfiles
Secrets
Administration
Authentication
Users
Groups
RBAC
Configuration
External Auth
Upgrading
Automation
Scaling Coder
Reference Architectures
Up to 1,000 users
Up to 2,000 users
Up to 3,000 users
External Provisioners
Workspace Proxies
Application Logs
Audit Logs
Quotas
High Availability
Prometheus
Appearance
Telemetry
Database Encryption
Deployment Health
Enterprise
Contributing
Code of Conduct
Feature stages
Documentation
Security
Frontend
API
General
Agents
Applications
Audit
Authentication
Authorization
Builds
Debug
Enterprise
Files
Git
Insights
Members
Organizations
PortSharing
Schemas
Templates
Users
WorkspaceProxies
Workspaces
Command Line
autoupdate
coder
config-ssh
create
delete
dotfiles
external-auth
external-auth access-token
favorite
features
features list
groups
groups create
groups delete
groups edit
groups list
licenses
licenses add
licenses delete
licenses list
list
login
logout
netcheck
open
open vscode
ping
port-forward
provisionerd
provisionerd start
publickey
rename
reset-password
restart
schedule
schedule override-stop
schedule show
schedule start
schedule stop
server
server create-admin-user
server dbcrypt
server dbcrypt decrypt
server dbcrypt delete
server dbcrypt rotate
server postgres-builtin-serve
server postgres-builtin-url
show
speedtest
ssh
start
stat
stat cpu
stat disk
stat mem
state
state pull
state push
stop
support
support bundle
templates
templates archive
templates create
templates delete
templates edit
templates init
templates list
templates pull
templates push
templates versions
templates versions archive
templates versions list
templates versions unarchive
tokens
tokens create
tokens list
tokens remove
unfavorite
update
users
users activate
users create
users delete
users list
users show
users suspend
version
Security
API tokens of deleted users not invalidated
FAQs
Guides
Generate a Support Bundle
Configuring Okta
Google to AWS Federation
JFrog Artifactory Integration
Template ImagePullSecrets
Postgres SSL
Azure Federation
Scanning Coder Workspaces with JFrog Xray
Home
/
Administration
/
Database Encryption

Database Encryption

Enterprise

Database Encryption

By default, Coder stores external user tokens in plaintext in the database. Database Encryption allows Coder administrators to encrypt these tokens at-rest, preventing attackers with database access from using them to impersonate users.

How it works

Coder allows administrators to specify external token encryption keys. If configured, Coder will use these keys to encrypt external user tokens before storing them in the database. The encryption algorithm used is AES-256-GCM with a 32-byte key length.

Coder will use the first key provided for both encryption and decryption. If additional keys are provided, Coder will use it for decryption only. This allows administrators to rotate encryption keys without invalidating existing tokens.

The following database fields are currently encrypted:

  • user_links.oauth_access_token
  • user_links.oauth_refresh_token
  • external_auth_links.oauth_access_token
  • external_auth_links.oauth_refresh_token

Additional database fields may be encrypted in the future.

Implementation notes: each encrypted database column $C has a corresponding $C_key_id column. This column is used to determine which encryption key was used to encrypt the data. This allows Coder to rotate encryption keys without invalidating existing tokens, and provides referential integrity for encrypted data.

The $C_key_id column stores the first 7 bytes of the SHA-256 hash of the encryption key used to encrypt the data.

Encryption keys in use are stored in dbcrypt_keys. This table stores a record of all encryption keys that have been used to encrypt data. Active keys have a null revoked_key_id column, and revoked keys have a non-null revoked_key_id column. You cannot revoke a key until you have rotated all values using that key to a new key.

Enabling encryption

NOTE: Enabling encryption does not encrypt all existing data. To encrypt existing data, see rotating keys below.

  • Ensure you have a valid backup of your database. Do not skip this step. If you are using the built-in PostgreSQL database, you can run coder server postgres-builtin-url to get the connection URL.

  • Generate a 32-byte random key and base64-encode it. For example:

dd if=/dev/urandom bs=32 count=1 | base64
  • Store this key in a secure location (for example, a Kubernetes secret):
kubectl create secret generic coder-external-token-encryption-keys --from-literal=keys=<key>
  • In your Coder configuration set CODER_EXTERNAL_TOKEN_ENCRYPTION_KEYS to a comma-separated list of base64-encoded keys. For example, in your Helm values.yaml:
coder:
  env:
    [...]
    - name: CODER_EXTERNAL_TOKEN_ENCRYPTION_KEYS
      valueFrom:
        secretKeyRef:
          name: coder-external-token-encryption-keys
          key: keys
  • Restart the Coder server. The server will now encrypt all new data with the provided key.

Rotating keys

We recommend only having one active encryption key at a time normally. However, if you need to rotate keys, you can perform the following procedure:

  • Ensure you have a valid backup of your database. Do not skip this step.

  • Generate a new encryption key following the same procedure as above.

  • Add the above key to the list of external token encryption keys. The new key must appear first in the list. For example, in the Kubernetes secret created above:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: coder-external-token-encryption-keys
  namespace: coder-namespace
data:
  keys: <new-key>,<old-key1>,<old-key2>,...

  • After updating the configuration, restart the Coder server. The server will now encrypt all new data with the new key, but will be able to decrypt tokens encrypted with the old key(s).

  • To re-encrypt all encrypted database fields with the new key, run coder server dbcrypt rotate. This command will re-encrypt all tokens with the specified new encryption key. We recommend performing this action during a maintenance window.

    Note: this command requires direct access to the database. If you are using the built-in PostgreSQL database, you can run coder server postgres-builtin-url to get the connection URL.

  • Once the above command completes successfully, remove the old encryption key from Coder's configuration and restart Coder once more. You can now safely delete the old key from your secret store.

Disabling encryption

To disable encryption, perform the following actions:

  • Ensure you have a valid backup of your database. Do not skip this step.

  • Stop all active coderd instances. This will prevent new encrypted data from being written, which may cause the next step to fail.

  • Run coder server dbcrypt decrypt. This command will decrypt all encrypted user tokens and revoke all active encryption keys.

    Note: for decrypt command, the equivalent environment variable for --keys is CODER_EXTERNAL_TOKEN_ENCRYPTION_DECRYPT_KEYS and not CODER_EXTERNAL_TOKEN_ENCRYPTION_KEYS. This is explicitly named differently to help prevent accidentally decrypting data.

  • Remove all external token encryption keys from Coder's configuration.

  • Start coderd. You can now safely delete the encryption keys from your secret store.

Deleting Encrypted Data

NOTE: This is a destructive operation.

To delete all encrypted data from your database, perform the following actions:

  • Ensure you have a valid backup of your database. Do not skip this step.

  • Stop all active coderd instances. This will prevent new encrypted data from being written.

  • Run coder server dbcrypt delete. This command will delete all encrypted user tokens and revoke all active encryption keys.

  • Remove all external token encryption keys from Coder's configuration.

  • Start coderd. You can now safely delete the encryption keys from your secret store.

Troubleshooting

  • If Coder detects that the data stored in the database was not encrypted with any known keys, it will refuse to start. If you are seeing this behaviour, ensure that the encryption keys provided are correct.
  • If Coder detects that the data stored in the database was encrypted with a key that is no longer active, it will refuse to start. If you are seeing this behaviour, ensure that the encryption keys provided are correct and that you have not revoked any keys that are still in use.
  • Decryption may fail if newly encrypted data is written while decryption is in progress. If this happens, ensure that all active coder instances are stopped, and retry.
See an opportunity to improve our docs? Make an edit.
On this page