From 405379bbfcb7821b3dae77e5254362f2d696bb7d Mon Sep 17 00:00:00 2001 From: Sean McGivern Date: Fri, 15 Jul 2016 13:19:29 +0100 Subject: Store OTP secret key in secrets.yml .secret stores the secret token used for both encrypting login cookies and for encrypting stored OTP secrets. We can't rotate this, because that would invalidate all existing OTP secrets. If the secret token is present in the .secret file or an environment variable, save it as otp_key_base in secrets.yml. Now .secret can be rotated without invalidating OTP secrets. If the secret token isn't present (initial setup), then just generate a separate otp_key_base and save in secrets.yml. Update the docs to reflect that secrets.yml needs to be retained past upgrades, but .secret doesn't. --- doc/raketasks/backup_restore.md | 27 ++++++++++++++------------- doc/raketasks/user_management.md | 4 ++-- 2 files changed, 16 insertions(+), 15 deletions(-) (limited to 'doc') diff --git a/doc/raketasks/backup_restore.md b/doc/raketasks/backup_restore.md index 5fa96736d59..b48a3ea00f4 100644 --- a/doc/raketasks/backup_restore.md +++ b/doc/raketasks/backup_restore.md 
@@ -11,12 +11,13 @@ You can only restore a backup to exactly the same version of GitLab that you cre on, for example 7.2.1. The best way to migrate your repositories from one server to another is through backup restore. -You need to keep a separate copy of `/etc/gitlab/gitlab-secrets.json` -(for omnibus packages) or `/home/git/gitlab/.secret` (for installations -from source). This file contains the database encryption key used -for two-factor authentication. If you restore a GitLab backup without -restoring the database encryption key, users who have two-factor -authentication enabled will lose access to your GitLab server. +You need to keep a separate copy of `/etc/gitlab/gitlab-secrets.json` (for +omnibus packages) or `/home/git/gitlab/config/secrets.yml` (for installations +from source). This file contains the database encryption keys used for +two-factor authentication and project import credentials, among other things. If +you restore a GitLab backup without restoring the database encryption key, users +who have two-factor authentication enabled will lose access to your GitLab +server. ``` # use this command if you've installed GitLab with the Omnibus package 
@@ -221,10 +222,10 @@ of using encryption in the first place! If you use an Omnibus package please see the [instructions in the readme to backup your configuration](https://gitlab.com/gitlab-org/omnibus-gitlab/blob/master/README.md#backup-and-restore-omnibus-gitlab-configuration). If you have a cookbook installation there should be a copy of your configuration in Chef. -If you have an installation from source, please consider backing up your `.secret` file, `gitlab.yml` file, any SSL keys and certificates, and your [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079). +If you have an installation from source, please consider backing up your `config/secrets.yml` file, `gitlab.yml` file, any SSL keys and certificates, and your [SSH host keys](https://superuser.com/questions/532040/copy-ssh-keys-from-one-server-to-another-server/532079#532079). At the very **minimum** you should backup `/etc/gitlab/gitlab-secrets.json` -(Omnibus) or `/home/git/gitlab/.secret` (source) to preserve your +(Omnibus) or `/home/git/gitlab/config/secrets.yml` (source) to preserve your database encryption key. ## Restore a previously created backup 
@@ -240,11 +241,11 @@ the SQL database it needs to import data into ('gitlabhq_production'). All existing data will be either erased (SQL) or moved to a separate directory (repositories, uploads). -If some or all of your GitLab users are using two-factor authentication -(2FA) then you must also make sure to restore -`/etc/gitlab/gitlab-secrets.json` (Omnibus) or `/home/git/gitlab/.secret` -(installations from source). Note that you need to run `gitlab-ctl -reconfigure` after changing `gitlab-secrets.json`. +If some or all of your GitLab users are using two-factor authentication (2FA) +then you must also make sure to restore `/etc/gitlab/gitlab-secrets.json` +(Omnibus) or `/home/git/gitlab/config/secrets.yml` (installations from +source). Note that you need to run `gitlab-ctl reconfigure` after changing +`gitlab-secrets.json`. ### Installation from source diff --git a/doc/raketasks/user_management.md b/doc/raketasks/user_management.md index 629d38efc53..8a5e2d6e16b 100644 --- a/doc/raketasks/user_management.md +++ b/doc/raketasks/user_management.md @@ -60,8 +60,8 @@ block_auto_created_users: false ## Disable Two-factor Authentication (2FA) for all users This task will disable 2FA for all users that have it enabled. This can be -useful if GitLab's `.secret` file has been lost and users are unable to login, -for example. +useful if GitLab's `config/secrets.yml` file has been lost and users are unable +to login, for example. ```bash # omnibus-gitlab -- cgit v1.2.1
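Review bot: In the backup_restore.md hunk at `@@ -11,12 +11,13 @@`, the replacement paragraph says the file contains "database encryption keys" (plural) used for 2FA and project import credentials, then warns about restoring "the database encryption key" (singular); pick one form so readers do not wonder whether a second key is missing from the backup. The same paragraph drops every mention of `.secret`, while the commit message says the OTP key is copied out of `.secret` (or the environment variable) into `config/secrets.yml` on upgrade; a sentence telling source-install users who only kept a copy of `.secret` from an earlier version that the upgrade migrates it into `config/secrets.yml` would prevent them from concluding their backup is useless.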
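Review bot: In the `@@ -221,10 +222,10 @@` hunk, `.secret` is removed from the list of files to back up without saying why; per the commit message it now only holds the token for login cookies and can be rotated, so it no longer needs to be preserved. One clause to that effect, such as "`.secret` no longer needs to be backed up; it only protects login cookies and can be regenerated", would stop readers who remember the old guidance from backing up `.secret` and skipping `config/secrets.yml`. Also, "preserve your database encryption key" is singular here while the earlier hunk says "keys"; keep them consistent.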
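Review bot: In the `@@ -240,11 +241,11 @@` hunk, the post-restore step only covers Omnibus (`gitlab-ctl reconfigure` after changing `gitlab-secrets.json`), yet the same sentence now names `config/secrets.yml` for installations from source; state whether the application must be restarted after replacing that file, or say explicitly that no further step is needed, so both install types get parallel instructions.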
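Review bot: In the user_management.md hunk at `@@ -60,8 +60,8 @@`, the reflowed text keeps "unable to login"; as a verb this should be "log in" (`login` is the noun form), i.e. `+useful if GitLab's \`config/secrets.yml\` file has been lost and users are unable` / `+to log in, for example.` Since the line is being rewritten anyway, this is the moment to fix it.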