Data encryption

This section focuses on securing data in the Octopus database, backup files, and other settings in the registry and on disk. For information on how Octopus secures data between Octopus and Tentacles, see Octopus - Tentacle communication.

When an Octopus Server is installed, we generate a special key used for encryption, called the Master Key. The Master Key is then encrypted asymmetrically, using Windows Data Protection, and stored in the Octopus configuration file.

The Master Key is then used along with AES-256 to encrypt certain sensitive data in the Octopus database, including:

Octopus Server 2024.4 and newer use AES-256 by default but support AES-128 for compatibility. Previous versions use AES-128.

Sensitive variables.
Private keys used for Octopus/Tentacle communication, and for authenticating with Azure and SSH endpoints.
Credentials used to authenticate with SSH (for username/password auth) and external NuGet feeds.

The practical impact of this is:

While most data in the database is plain text, sensitive data like the examples below are encrypted.
The “Master Key” used to encrypt and decrypt this data is itself encrypted by Windows, using a private key known only by Windows.
If an attacker has access to your Octopus database backup file, but they aren’t on the Octopus Server and don’t know the Master Key, they won’t be able to decrypt the database or other settings.

Warning Without keeping a record of your Master Key, you won’t be able to make use of your Octopus database backups, since there is no way to decrypt these sensitive values.

Your Master Key

When Octopus is installed, it generates a random string which will be used as the Master Key. You will need to know your Master Key if you ever hope to restore an Octopus backup on another server.

Getting the Master Key from the Octopus Manager

Open the Octopus Manager from the start menu/start screen.
Click View Master Key.
Click Save to save the Master Key to a text file or Copy to clipboard and then paste the Master Key into a text editor or a secure enterprise password manager, and save it.

Getting the Master Key from PowerShell

Depending on the version of Octopus Server you are using you may need to use a slightly different parsing:

Using text

$MasterKey = .\Octopus.Server.exe show-master-key

Using JSON

$MasterKey = (.\Octopus.Server.exe show-master-key --format=json | ConvertFrom-Json).MasterKey

Help us continuously improve

Please let us know if you have any feedback about this page.

Send feedback

Page updated on Friday, October 4, 2024

Edit on GitHub