By default, Airflow will save the passwords for the connection in plain text
within the metadata database. The
crypto package is highly recommended
during installation. The
crypto package does require that your operating
crypto package was not installed initially, it means that your Fernet key in
airflow.cfg is empty.
You can still enable encryption for passwords within connections by following below steps:
Install crypto package
pip install 'apache-airflow[crypto]'
Generate fernet_key, using this code snippet below.
fernet_keymust be a base64-encoded 32-byte key:
from cryptography.fernet import Fernet fernet_key= Fernet.generate_key() print(fernet_key.decode()) # your fernet_key, keep it in secured place!
airflow.cfgfernet_key value with the one from Step 2. Alternatively, you can store your fernet_key in OS environment variable - You do not need to change
airflow.cfgin this case as Airflow will use environment variable over the value in
# Note the double underscores export AIRFLOW__CORE__FERNET_KEY=your_fernet_key
Restart the webserver
For existing connections (the ones that you had defined before installing
airflow[crypto]and creating a Fernet key), you need to open each connection in the connection admin UI, re-type the password, and save the change
Rotating encryption keys¶
Once connection credentials and variables have been encrypted using a fernet
key, changing the key will cause decryption of existing credentials to fail. To
rotate the fernet key without invalidating existing encrypted values, prepend
the new key to the
fernet_key setting, run
airflow rotate_fernet_key, and then drop the original key from
airflow rotate_fernet_keyto re-encrypt existing credentials with the new fernet key