This section focuses on securing data in the Octopus database, backup files, and other settings in the registry and on disk. For information on how Octopus secures data between Octopus and Tentacles, see Octopus - Tentacle communication.
When an Octopus Server is installed, we generate a special key used for encryption, called the Master Key. The Master Key is then protected with the Windows Data Protection API (DPAPI), which binds the encrypted copy to that Windows installation, and stored in the Octopus configuration file.
The Master Key is then used with AES-128 to encrypt certain sensitive data in the Octopus database, including:
- Sensitive variables.
- Private keys used for Octopus/Tentacle communication, and for authenticating with Azure and SSH endpoints.
- Credentials used to authenticate with SSH (for username/password auth) and external NuGet feeds.
The practical impact of this is:
- While most data in the database is plain text, sensitive data like the examples above is encrypted.
- The Master Key used to encrypt and decrypt this data is itself encrypted by Windows with DPAPI, so the copy in the configuration file can only be decrypted on the Octopus Server that created it.
- If an attacker has a copy of your Octopus database backup file, but they aren't on the Octopus Server and don't know the Master Key, they can read the plain-text tables but cannot decrypt the sensitive values or other encrypted settings. The converse also holds: anyone with administrative access to the Octopus Server itself can recover the Master Key (as the next section shows), so the protection of the backup is only as strong as access to that server.
Without a record of your Master Key you cannot make use of your Octopus database backups on another server, because nothing else can decrypt these sensitive values.
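The following PowerShell illustrates the model described above and is an added example, not Octopus code: a random 128-bit key is wrapped with DPAPI in LocalMachine scope, a sensitive value is encrypted under it with AES-128, and the same value is then attacked with a backup-only view (ciphertext, no key). The AES mode (CBC with a random IV prepended) and the 16-byte key size are assumptions for the illustration; this page does not state the exact layout Octopus uses. It must run on Windows, since DPAPI is Windows-only.

```powershell
# Added illustration (not Octopus code): a DPAPI-wrapped master key protecting
# AES-128-encrypted values, and why a copied database is useless without that key.
Add-Type -AssemblyName System.Security   # [ProtectedData] on Windows PowerShell 5.1

# 1. A random 128-bit master key, standing in for the one the installer generates (assumed 16 bytes).
$masterKey = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($masterKey)

# 2. Wrap it with DPAPI in LocalMachine scope. The blob can only be unwrapped on this
#    Windows installation; copying the config file elsewhere does not help an attacker.
$wrapped = [System.Security.Cryptography.ProtectedData]::Protect(
    $masterKey, $null, [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
$wrappedBase64 = [Convert]::ToBase64String($wrapped)   # the form that would sit in a config file

# 3. Encrypt a sensitive variable under the master key. AES-CBC with a random IV,
#    stored as IV || ciphertext, is an assumption of this example, not Octopus's layout.
function Protect-Value([byte[]]$Key, [string]$PlainText) {
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128; $aes.Key = $Key; $aes.GenerateIV()
    $bytes = [Text.Encoding]::UTF8.GetBytes($PlainText)
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($bytes, 0, $bytes.Length)
    return [Convert]::ToBase64String([byte[]]($aes.IV + $cipher))
}
function Unprotect-Value([byte[]]$Key, [string]$Stored) {
    $blob = [Convert]::FromBase64String($Stored)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 128; $aes.Key = $Key; $aes.IV = [byte[]]$blob[0..15]
    $plain = $aes.CreateDecryptor().TransformFinalBlock($blob, 16, $blob.Length - 16)
    return [Text.Encoding]::UTF8.GetString($plain)
}

# Constructed sample value; this ciphertext is all a database backup would contain.
$stored = Protect-Value $masterKey 'db-password-from-a-sensitive-variable'

# 4. Legitimate path on the Octopus Server: unwrap the key with DPAPI, then decrypt.
$unwrapped = [System.Security.Cryptography.ProtectedData]::Unprotect(
    [Convert]::FromBase64String($wrappedBase64), $null,
    [System.Security.Cryptography.DataProtectionScope]::LocalMachine)
Write-Output ("Decrypted on the server: " + (Unprotect-Value $unwrapped $stored))

# 5. Attacker path: has the backup but not the master key. A guessed key gives either
#    a padding error or garbage, never the plaintext.
$wrongKey = New-Object byte[] 16
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($wrongKey)
try {
    Write-Output ("Decrypted with a guessed key: " + (Unprotect-Value $wrongKey $stored))
} catch {
    Write-Output ("Decryption with a guessed key failed: " + $_.Exception.Message)
}
```

Running step 4 on a different machine, with the same `$wrappedBase64`, fails at the DPAPI Unprotect call, which is exactly why a restore elsewhere needs the Master Key itself and not just the configuration file.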
Your Master Key
When Octopus is installed, it generates a random string which will be used as the Master Key. You will need to know your Master Key if you ever hope to restore an Octopus backup on another server.
Getting the Master Key from the Octopus Manager
- Open the Octopus Manager from the start menu/start screen.
- Click View Master Key.
- Click Save to write the Master Key to a text file, or Copy to clipboard and paste it into a text editor or, preferably, a secure enterprise password manager. Keep that record somewhere other than the Octopus Server itself.
Getting the Master Key from PowerShell
The output of show-master-key differs between Octopus Server versions, so use whichever of the following parses correctly on yours:
# If the command prints banner lines before the key, keep only the last line of output:
$MasterKey = (.\Octopus.Server.exe show-master-key)[-1]
# If the command prints nothing but the key:
$MasterKey = .\Octopus.Server.exe show-master-key
# If your version supports JSON output, parse it instead of relying on line positions (the most robust option):
$MasterKey = (.\Octopus.Server.exe show-master-key --format=json | ConvertFrom-Json).MasterKey
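The script below is an added example rather than part of the Octopus documentation or product. It combines the three forms above into one function that prefers the JSON output and falls back to the last printed line, checks that the value decodes to a 16-byte key (an assumption drawn from the AES-128 usage described earlier), and records it in a DPAPI-protected file for the operator. It assumes it is run on the Octopus Server, from the directory containing Octopus.Server.exe, by an account allowed to run that command.

```powershell
# Added example (not Octopus code): fetch, sanity-check and record the Master Key.
function Get-OctopusMasterKey {
    param([string]$ServerExe = '.\Octopus.Server.exe')   # assumed path to the server binary

    # Prefer JSON output where the installed version supports --format=json...
    $json = & $ServerExe show-master-key --format=json 2>$null
    if ($LASTEXITCODE -eq 0 -and $json) {
        $key = (($json -join "`n") | ConvertFrom-Json).MasterKey
    }
    else {
        # ...otherwise take the last non-empty line of the plain output, which is the key
        # on versions that print banner lines first. @() keeps single-line output an array
        # so [-1] returns the line rather than its last character.
        $lines = @(& $ServerExe show-master-key | Where-Object { $_ -and $_.Trim() })
        $key = $lines[-1].Trim()
    }

    # Assumption: the key is Base64 and, being used with AES-128, decodes to 16 bytes.
    # Catching a bad parse here is cheaper than discovering it during a restore.
    $bytes = [Convert]::FromBase64String($key)
    if ($bytes.Length -ne 16) { throw "Unexpected Master Key length: $($bytes.Length) bytes" }
    return $key
}

function Save-OctopusMasterKey {
    param([string]$MasterKey, [string]$Path)
    # Export-Clixml protects a SecureString with DPAPI for the current user, so the file is
    # readable only by this account on this machine. That is fine for a working copy, but
    # a restore on another server still needs the key from your password manager.
    $MasterKey | ConvertTo-SecureString -AsPlainText -Force | Export-Clixml -Path $Path
}

$key = Get-OctopusMasterKey
Save-OctopusMasterKey -MasterKey $key -Path "$env:USERPROFILE\octopus-master-key.xml"
Write-Output "Master Key recorded; copy it into your enterprise password manager as well."
# Later, from the same account: Import-Clixml "$env:USERPROFILE\octopus-master-key.xml"
# returns the SecureString, and the plain value can be recovered for a restore.
```

The DPAPI-protected file is deliberately not a substitute for the password manager step: it inherits the same machine and account binding that makes the configuration file unusable elsewhere.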