Encrypting the Concourse Database

Continuous integration and deployment systems are high-value targets for malicious third parties who want to gain access to your data. Because CI/CD tools have comprehensive access to many components, gaining access to a CI/CD tool often equates to gaining access to all the components that tool touches.

Concourse lets you encrypt the database information at rest. By using encryption, you ensure that plaintext credentials do not exist in the database in the event of a security incident.

Pivotal strongly recommends that Concourse admins enable encryption. In addition to encrypting the Concourse database, you may want to configure credential management for your pipelines.

Values Affected by Encryption

When you encrypt Concourse, it secures the following values. These values are likely to contain credentials, which is why they get encrypted by default.

  • Resource sources and resource type sources. These sources often contain private keys and other credentials for writing to or accessing the resource.
  • Task step parameters, put step parameters, and get step parameters. Parameters are often used to configure access to an external deployment with which a task is integrating.
  • Team auth configurations. These often contain OAuth client secrets.

The following things are not encrypted:

  • Build logs
  • Resource versions
  • Resource metadata

    Note: If your pipeline is exposed, resource metadata is publicly visible. It should never contain credentials.

  • Component names, like pipeline names or job names. Resources and jobs specifically exist in their own tables, with their names in plaintext, and only their config encrypted.

Enabling Encryption

Note: Depending on the size of your deployment, enabling encryption may cause some downtime. If your deployment uses multiple ATCs, they may not be able to communicate with each other after encryption until the encryption keys are shared among them.

On startup, the ATC encrypts all existing plaintext data. After this point, any new data is encrypted before it is sent over the network to the database.

  1. Navigate to your Concourse manifest.
  2. Add the encryption_key property to the manifest with a random 16- or 32-byte character sequence.
  3. Redeploy.

Rotating the Encryption Key

Key rotation is a method of exchanging an outdated encryption key for a new one. Using a supported key rotation process helps preserve access to your data while maintaining consistent security.

On startup, the ATC decrypts all existing data and re-encrypts it with the new key.

  1. Navigate to your Concourse manifest.
  2. Rename the encryption_key property to old_encryption_key.
  3. Add the encryption_key property to the manifest with a random 16- or 32-byte character sequence.
  4. Redeploy.
  5. Delete the old_encryption_key property.

Disabling Encryption

Disable encryption by passing the old_encryption_key property with no new key. Without a new encryption key, the ATC decrypts all existing data on start.

  1. Navigate to your Concourse manifest.
  2. Rename the encryption_key property to old_encryption_key.
  3. Redeploy.
  4. Delete the old_encryption_key property.
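The shell functions below are an added illustration of the enabling, rotation and disabling steps above; they are not part of the Concourse documentation or the Concourse project. They assume the encryption_key property sits under the atc job's properties in the manifest, and they guard against the two mistakes that matter in practice: a key that is not exactly 16 or 32 bytes (hex output doubles in length, so 16 random bytes give a 32-character key), and rotating while a stale old_encryption_key is still in the manifest.

```shell
# Added example (not from the Concourse docs or project). Assumes encryption_key
# lives under the atc job's properties in the manifest; adjust the path if not.

# Emit a random key of N characters (N must be 16 or 32). Hex encoding doubles
# the length, so N/2 random bytes yield N characters (openssl rand -hex works too).
gen_key() {
  od -An -tx1 -N "$(( $1 / 2 ))" /dev/urandom | tr -d ' \n'
}

# Accept only the two key lengths the ATC supports (counted in bytes).
valid_key() {
  n=$(printf %s "$1" | LC_ALL=C wc -c | tr -d ' ')
  [ "$n" -eq 16 ] || [ "$n" -eq 32 ]
}

# Rotation: rename encryption_key to old_encryption_key and add the new key
# beneath it. Refuses to run if a stale old_encryption_key is still present,
# which would leave two old_encryption_key entries in the manifest.
rotate_manifest() {  # usage: rotate_manifest MANIFEST NEW_KEY
  if grep -q '^[[:space:]]*old_encryption_key:' "$1"; then
    echo "old_encryption_key still present; finish the previous rotation first" >&2
    return 1
  fi
  valid_key "$2" || { echo "key must be 16 or 32 bytes" >&2; return 1; }
  awk -v new="$2" '
    /^[[:space:]]*encryption_key:/ {
      match($0, /^[[:space:]]*/); indent = substr($0, 1, RLENGTH)
      sub(/encryption_key:/, "old_encryption_key:")
      print
      print indent "encryption_key: " new
      next
    }
    { print }' "$1"
}

# Disabling: keep only old_encryption_key so the ATC decrypts everything on start.
disable_manifest() {  # usage: disable_manifest MANIFEST
  sed 's/^\([[:space:]]*\)encryption_key:/\1old_encryption_key:/' "$1"
}
```

Both functions print the rewritten manifest to stdout; redeploy with the result, then remove old_encryption_key once the ATC has come up.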
