gitlab-org--gitlab-foss/doc/administration/encrypted_configuration.md

---
stage: Systems
group: Distribution
info: "To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments"
type: reference
---

# Encrypted Configuration **(FREE SELF)**

> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/45712) in GitLab 13.7.

GitLab can read settings for certain features from encrypted settings files. The supported features are:

- [LDAP `bind_dn` and `password`](auth/ldap/index.md#use-encrypted-credentials).
- [SMTP `user_name` and `password`](raketasks/smtp.md#secrets).

To enable the encrypted configuration settings, a new base key must be generated for
`encrypted_settings_key_base`. The secret can be generated in the following ways:

**Omnibus**

Starting with 13.7 the new secret is automatically generated for you, but you must ensure your
`/etc/gitlab/gitlab-secrets.json` contains the same values on all nodes.

**Helm chart**

Starting with GitLab 13.7, the new secret is automatically generated if you have the `shared-secrets` chart enabled. Otherwise, you need
to follow the [secrets guide for adding the secret](https://docs.gitlab.com/charts/installation/secrets.html#gitlab-rails-secret).

**Source**

The new secret can be generated by running:

```shell
bundle exec rake gitlab:env:info RAILS_ENV=production GITLAB_GENERATE_ENCRYPTED_SETTINGS_KEY_BASE=true
```

This prints general information on the GitLab instance, but also causes the key to be generated in `<path-to-gitlab-rails>/config/secrets.yml`.
Add latest changes from gitlab-org/gitlab@master 2020-12-10 16:10:15 -05:00			`---`
Add latest changes from gitlab-org/gitlab@master 2022-05-29 20:08:35 -04:00			`stage: Systems`
Add latest changes from gitlab-org/gitlab@master 2020-12-10 16:10:15 -05:00			`group: Distribution`
Add latest changes from gitlab-org/gitlab@master 2022-09-21 20:11:23 -04:00			`info: "To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments"`
Add latest changes from gitlab-org/gitlab@master 2020-12-10 16:10:15 -05:00			`type: reference`
			`---`

Add latest changes from gitlab-org/gitlab@master 2021-01-28 01:08:59 -05:00			`# Encrypted Configuration (FREE SELF)`
Add latest changes from gitlab-org/gitlab@master 2020-12-10 16:10:15 -05:00
			`> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/45712) in GitLab 13.7.`

			`GitLab can read settings for certain features from encrypted settings files. The supported features are:`

Add latest changes from gitlab-org/gitlab@master 2022-05-16 02:08:30 -04:00			- [LDAP `bind_dn` and `password`](auth/ldap/index.md#use-encrypted-credentials).
Add latest changes from gitlab-org/gitlab@master 2021-09-08 17:10:58 -04:00			- [SMTP `user_name` and `password`](raketasks/smtp.md#secrets).
Add latest changes from gitlab-org/gitlab@master 2020-12-10 16:10:15 -05:00
Add latest changes from gitlab-org/gitlab@master 2022-06-29 17:09:23 -04:00			`To enable the encrypted configuration settings, a new base key must be generated for`
Add latest changes from gitlab-org/gitlab@master 2020-12-10 16:10:15 -05:00			`encrypted_settings_key_base`. The secret can be generated in the following ways:

Add latest changes from gitlab-org/gitlab@master 2022-09-29 05:09:45 -04:00			`Omnibus`
Add latest changes from gitlab-org/gitlab@master 2020-12-10 16:10:15 -05:00
Add latest changes from gitlab-org/gitlab@master 2022-06-29 17:09:23 -04:00			`Starting with 13.7 the new secret is automatically generated for you, but you must ensure your`
Add latest changes from gitlab-org/gitlab@master 2020-12-10 16:10:15 -05:00			`/etc/gitlab/gitlab-secrets.json` contains the same values on all nodes.

Add latest changes from gitlab-org/gitlab@master 2022-09-29 05:09:45 -04:00			`Helm chart`
Add latest changes from gitlab-org/gitlab@master 2020-12-10 16:10:15 -05:00
			Starting with GitLab 13.7, the new secret is automatically generated if you have the `shared-secrets` chart enabled. Otherwise, you need
			`to follow the [secrets guide for adding the secret](https://docs.gitlab.com/charts/installation/secrets.html#gitlab-rails-secret).`

Add latest changes from gitlab-org/gitlab@master 2022-09-29 05:09:45 -04:00			`Source`
Add latest changes from gitlab-org/gitlab@master 2020-12-10 16:10:15 -05:00
			`The new secret can be generated by running:`

			```shell
			`bundle exec rake gitlab:env:info RAILS_ENV=production GITLAB_GENERATE_ENCRYPTED_SETTINGS_KEY_BASE=true`
			```

Add latest changes from gitlab-org/gitlab@master 2021-09-08 17:10:58 -04:00			This prints general information on the GitLab instance, but also causes the key to be generated in `<path-to-gitlab-rails>/config/secrets.yml`.