Welcome to the forum. I think one of these could work. Definitely back up your Redash metadata before attempting either of these.
Use the API
- Decrypt and extract the data source info from the current database. Also pull info on which queries use those sources. Drop the data sources. Kill Redash.
- Change the
REDASH_SECRET_KEY located in
redash.settings.DATA_SOURCE_SECRET_KEY and restart Redash.
- Create new data sources with the API and the decrypted connection information
- Cycle through the queries from step 1 and update each
We use sqlalchemy_utils’s
EncryptedType to implement the encryption.
From their documentation:
The key parameter accepts a callable to allow for the key to change per-row instead of being fixed for the whole table.
This suggests you can use more than one SECRET_KEY on the same table, as long as SQLAlchemy has access to both secret keys. It follows that you could write a database migration to re-encrypt the data source connection information in place.
But in my opinion, the API pattern would be easier.