# feedback-and-requests
j
Hi, I was looking into the internal Airbyte DB recently. I noticed that in `airbyte_configs.config_blob`, the raw credentials of sources/destinations are stored in plaintext. This is problematic as a lot of these sources/destinations require secret keys. Does Airbyte have any way to encrypt these credentials? If not, is there any recommended workaround?
u
@Justin Leung this is something we’re actively working on in August and will have a better answer for soon.
n
Wow. This is significant. @s is there an ETA on adding encryption at least at the Postgres level? But perhaps it is better to allow a pluggable credentials store - https://github.com/airbytehq/airbyte/issues/837
u
@Matthew Tovbin this is currently scheduled for release in Airbyte Cloud at the end of September. Currently there isn’t a clear ETA for OSS. IIRC you are deploying self-hosted, right?
u
Yes, we were playing with the hosted version and discovered it exploring the Airbyte database.
u
How are you planning to implement this for Airbyte Cloud? Perhaps for the OSS version we can simply start by enabling pgcrypto and encrypting the whole `config_blob` column. I think we can put up a PR with the change.
u
@Jared Rhizor (Airbyte) @Jenny Brown as people working on secret management is this something we’ve considered?
n
We’re planning to move secrets entirely out of the database as our first step, although it’s aimed at solving it for cloud before the open-source version… and then doing further follow-up to get it ready for OSS use. In the meantime, pursuing encryption might be a solution. I am not sure of side effects to that.
u
We’ll be trying to support a dedicated secrets store.
u
Since indexing is not required for the jsonb `config_blob` column, using `pgp_sym_encrypt` is a valid option.
f
Hi @s! Was curious if there were any updates on this topic? Are the credentials being encrypted in the OSS version?
h
Hey, we are working on it here: https://github.com/airbytehq/airbyte/issues/9646. You can comment there.