Skip to main content

Workspace Secret Encryption

All secrets of a workspace are encrypted with a symmetric key unique to that workspace. This key is generated when the workspace is created and is stored in the database in the workspace_settings.

You can manually update the encryption key of a workspace, it will be re-encrypted with the new key and the previous key will be replaced by the new one.

If you're manually updating the key to match another workspace key from another Windmill instance, make sure not to use the 'SECRET_SALT' environment variable or, if you're using it, make sure the salt matches across both instances.

The encryption key should be 64 characters long and only contain letters and numbers.