https://linen.dev logo
#feedback-and-requests
Title
# feedback-and-requests
j

Justin Leung

07/30/2021, 3:12 PM
Hi, I was looking into the internal Airbyte DB recently. I noticed that in
airbyte_configs.config_blob
, the raw credentials of sources/destinations are stored in plaintext. This is problematic as a lot of these sources/destinations require secret keys. Does Airbyte have any way to encrypt these credentials? If not, is there any recommended workaround?
u

user

07/31/2021, 1:25 AM
@Justin Leung this is something we’re actively working on in August and will have a better answer for soon.
n

ns

08/23/2021, 7:48 PM
Wow. This is significant. @s is there an ETA on adding an encryption at least on Postgres level? But perhaps better allow a pluggable credentials store - https://github.com/airbytehq/airbyte/issues/837
u

user

08/23/2021, 7:52 PM
@Matthew Tovbin this is currently scheduled for release in airbyte cloud end of September. Currently there isn’t a clear ETA for OSS. Iirc you are deploying self hosted right?
u

user

08/23/2021, 7:54 PM
Yes, we were playing with the hosted version and discovered it exploring the Airbyte database.
u

user

08/23/2021, 8:56 PM
How are you planning to implement this for the Airbyte Cloud? Perhaps for OSS version we can simply start by enabling pgcrypto and encrypting the whole
config_blob
column. I think we can put a PR with the change.
u

user

08/23/2021, 11:13 PM
@Jared Rhizor (Airbyte) @Jenny Brown as people working on secret management is this something we’ve considered?
n

ns

08/23/2021, 11:21 PM
We’re planning to move secrets entirely out of the database as our first step, although it’s aimed at solving it for cloud before the opensource version… and then doing further followup to get it ready for oss use. In the meantime, pursuing encryption might be a solution. I am not sure of side effects to that.
u

user

08/23/2021, 11:21 PM
We’ll be trying to support a dedicated secrets store.
u

user

08/24/2021, 5:09 AM
Since for json b config_blob column the indexing is not required, then using
pgp_sym_encrypt
is a valid option.
f

Faisal Anees

03/19/2022, 12:28 AM
Hi @s! Was curious if there were any updates on this topic ? Are the credentials being encrypted in the OSS version ?
h

Harshith (Airbyte)

03/21/2022, 10:03 AM
Hey we are working over it here https://github.com/airbytehq/airbyte/issues/9646 you can comment there