Hello everyone,
For several months I have been working on a Redash v10.0.0 instance and now I would like to put it in production on a new server with Docker. Dump/restore works but the data-sources are encrypted. I would like to re-encrypt the data with my old key but I can’t find it in the configuration files.

Can you tell me where the secret key is located?

Then, do I only have to use this?

docker-compose run --rm server manage database reencrypt ${old_secret} ${new_secret}

(source: https://redash.io/help/open-source/admin-guide/secrets#Changing-the-Application-Secret)

Or do you have a better idea for doing what I’m looking for?

Thank you for your help,

William

Welcome to the forum and thanks for your question. Do you remember if you configured a specified secret key when you first set up your v10 instance? If not, then you probably are impacted by this CVE. If so, your secret key is c292a0a3aa32397cdb050e233733900f and you should follow the instructions in the CVE disclosure to re-encrypt your data sources before you productionise everything.

This has been patched since v10.1.


Hi Jesse! Thank you so much for your answer! It works! :smiley:
Some details for other people (according to the CVE):

1. Set the REDASH_SECRET_KEY environment variable to be the default (current) cookie_secret: c292a0a3aa32397cdb050e233733900f
→ we wrote in the .env file: REDASH_SECRET_KEY = "c292a0a3aa32397cdb050e233733900f"

2. Set REDASH_COOKIE_SECRET to a different value
→ to generate our secret key, we used :

pwgen -1s 64

3. Use the Redash CLI to re-encrypt using a secret key different from step 1 (see docs)
→ we used :

docker-compose run --rm server manage database reencrypt ${old_secret} ${new_secret}

with ${old_secret} unquoted, like c292a0a3aa32397cdb050e233733900f

4. Set the REDASH_SECRET_KEY environment variable to the new value you used in step 3
→ syntax like in step 1

5. Restart Redash
→ docker compose restart

Well… Thank you again for your help! Now everything is working for us :slight_smile:

See you later!


According to this CVE and the Docker Based Developer Installation Guide, this is our way to move an instance of Redash to another server (pg_dump and pg_restore) with the reencryption of datasources. :slight_smile:

  1. Extract your old database
pg_dump -FC -h $old_ip_adress -U $old_user -p $old_port -d $old_database_name > file.sql
  2. Create your new Redash instance
docker -v # returns: 20.10.14
node -v # returns: 14.19.1
yarn -v # returns: 1.22.10

git clone https://github.com/getredash/redash.git
cd redash/

pwgen -1s 64 # returns: $new_key
vim .env # write REDASH_COOKIE_SECRET="$new_key"

docker-compose up -d
yarn --frozen-lockfile
docker-compose run --rm server create_db
yarn build

yarn start # CTRL + C to stop when launched
  3. The application is working, but you can’t access the datasources and run queries, as all datasources are encrypted. You have to reencrypt them according to this CVE. This is our procedure:

# Drop your postgres database and then restore it with file.sql

pg_restore -FC -h $new_ip_adress -p $new_port -U postgres -d postgres file.sql

vim .env
# Add this line (default Redash secret key):
# REDASH_SECRET_KEY="c292a0a3aa32397cdb050e233733900f"

# Without any quotes!
docker-compose run --rm server manage database reencrypt c292a0a3aa32397cdb050e233733900f $new_key

vim .env
# Finally, update both variables:
# REDASH_SECRET_KEY="$new_key"
# REDASH_COOKIE_SECRET="$new_key"

docker-compose restart
  4. Everything works now, enjoy! :slight_smile:
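
A pre-production check for the situation discussed in this thread, as an added example that is not part of any post above and is not Redash's own tooling: it reads a .env file and reports whether REDASH_COOKIE_SECRET or REDASH_SECRET_KEY is missing or still equal to the default value quoted above. The function names, the 32-character minimum and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Redash tooling): audit a .env file for default secrets.
# DEFAULT_KEY is the default value quoted in the thread above.
DEFAULT_KEY="c292a0a3aa32397cdb050e233733900f"
MIN_LEN=32   # assumption for this example, not a Redash requirement

# Print the last value assigned to variable $2 in file $1, with spaces around
# "=" and one pair of surrounding straight quotes removed (empty if unset).
env_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Classify one variable as MISSING, DEFAULT, SHORT or OK.
check_key() {
    val=$(env_value "$1" "$2")
    if [ -z "$val" ]; then echo "MISSING"
    elif [ "$val" = "$DEFAULT_KEY" ]; then echo "DEFAULT"
    elif [ "${#val}" -lt "$MIN_LEN" ]; then echo "SHORT"
    else echo "OK"
    fi
}

# Report both variables; return non-zero if either one needs attention.
audit_redash_env() {
    rc=0
    for var in REDASH_COOKIE_SECRET REDASH_SECRET_KEY; do
        result=$(check_key "$1" "$var")
        echo "$var: $result"
        [ "$result" = "OK" ] || rc=1
    done
    return "$rc"
}

# Constructed sample: new cookie secret, data-source key still the default.
sample=$(mktemp)
printf '%s\n' 'REDASH_COOKIE_SECRET="constructedSampleValue0123456789abcdefXYZ"' \
    "REDASH_SECRET_KEY=$DEFAULT_KEY" > "$sample"
audit_redash_env "$sample" || echo "rotate the keys and re-encrypt first"
rm -f "$sample"
```

Only straight quotes are stripped from values, so a key pasted with typographic quotes is compared with the quotes included.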