By default, Airflow will save the passwords for the connection in plain text within the metadata database. The
crypto package is highly recommended during installation. The
crypto package does require that your operating system has
crypto package was not installed initially, it means that your Fernet key in
airflow.cfg is empty.
You can still enable encryption for passwords within connections by following below steps:
Install crypto package
pip install 'apache-airflow[crypto]'
Generate fernet_key, using this code snippet below.
fernet_key must be a base64-encoded 32-byte key:
from cryptography.fernet import Fernet fernet_key= Fernet.generate_key() print(fernet_key.decode()) # your fernet_key, keep it in secured place!
airflow.cfg fernet_key value with the one from Step 2. Alternatively, you can store your fernet_key in OS environment variable - You do not need to change
airflow.cfg in this case as Airflow will use environment variable over the value in
# Note the double underscores export AIRFLOW__CORE__FERNET_KEY=your_fernet_key
Restart the webserver
For existing connections (the ones that you had defined before installing
airflow[crypto] and creating a Fernet key), you need to open each connection in the connection admin UI, re-type the password, and save the change