Rotating encryption keys


Once connection credentials and variables have been encrypted using a fernet key, changing the key will cause decryption of existing credentials to fail. To rotate the fernet key without invalidating existing encrypted values, prepend the new key to the fernet_key setting, runairflow rotate_fernet_key, and then drop the original key from fernet_keys:

  1. Set fernet_key to new_fernet_key,old_fernet_key

  2. Run airflow rotate_fernet_key to re-encrypt existing credentials with the new fernet key

  3. Set fernet_key to new_fernet_key