When an Octopus server is installed, we generate a special key used for encryption, called the master key. The master key is then encrypted asymmetrically, using DPAPI, and stored in the Octopus configuration file.
The master key is then used along with AES-128 to encrypt certain sensitive data in the Octopus database, including:
- Sensitive variables
- Private keys used for Octopus/Tentacle communication, and for authenticating with Azure and SSH endpoints
- Credentials used to authenticate with SSH (for username/password auth) and external NuGet feeds
The practical impact of this is:
- While most data in the database is plain text, sensitive data like the examples below are encrypted.
- The "master key" used to encrypt and decrypt this data is itself encrypted by Windows, using a private key known only by Windows.
- If an attacker has access to your Octopus database backup file, but they aren't on the Octopus server and don't know the master key, they won't be able to decrypt the database or other settings.
Your Master Key
When Octopus is installed, it generates a random string which will be used as the master key. You will need to know your master key if you ever hope to restore an Octopus backup on another server.
Getting the key from the Octopus Manager
- Open the Octopus Manager from the start menu/start screen
- Click View master key
- Click Save to save the master key to a text file or Copy to clipboard and then paste the master key into a text editor or a secure enterprise password manager, and save it