Infisical / infisical

♾ Infisical is the open-source secret management platform: Sync secrets across your team/infrastructure, prevent secret leaks, and manage internal PKI
https://infisical.com
Other
12.9k stars 665 forks

Docs don't adequately explain changing encryption keys #2005

Open ExistentialTedium opened 1 week ago

ExistentialTedium commented 1 week ago

Describe the bug

I'm following the quick start guide for docker compose on Windows 10.

I think the version of the docs changed during the time I was setting it up, as the old version pipelines the setup as git clone https://github.com/Infisical/infisical && cd infisical && copy .env.example .env && docker compose -f docker-compose.prod.yml up, which set up the databases with the default encryption keys, then said to change the keys in .env afterwards.

In both versions, the docs just link to the envars docs, which implies that you can just change the keys in the .env file at any time to generate a new database encrypted with the new keys. But changing the encryption keys in .env after initial database setup causes infisical to fail to start up with an "Unsupported state or unable to authenticate data" error.

The only way I've been able to change the encryption keys so far is to delete the containers, images, and volumes related to infisical in Docker Desktop, and run docker compose up with the desired keys in .env to rebuild the entire system from scratch. I didn't see any other way in documentation or browsing online.

To Reproduce

Steps to reproduce the behavior:

  1. curl -o docker-compose.prod.yml https://raw.githubusercontent.com/Infisical/infisical/main/docker-compose.prod.yml
  2. curl -o .env https://raw.githubusercontent.com/Infisical/infisical/main/.env.example
  3. docker-compose -f docker-compose.prod.yml up
  4. shut down infisical
  5. change the encryption and authentication keys in .env
  6. docker-compose -f docker-compose.prod.yml up

Expected behavior

Documentation for .env key variables that shows how a new database with new keys is created, or how existing databases could be re-keyed. Or key variable documentation which explicitly explains that the process for changing keys is deleting the docker volumes and rebuilding, because there currently is no process to create a new database with different keys or re-key a database after the initialization process.

Platform you are having the issue on:

Windows 10

maidul98 commented 1 week ago

@ExistentialTedium thank you for the feedback, we really appreciate you taking time to write this out. We'll have the docs reflect this in our upcoming sprint