Bubble supports column-level encryption. Columns are encrypted with a symmetric key defined by the BUBBLE_DB_ENCRYPTION_KEY environment variable, set in the Bubble environment file.
Rekeying the database means changing its encryption key. This is accomplished by setting up a second, empty database and then running a “rekey” command that reads all data from a source database using that database’s encryption key, then writes all the data into the new empty database using a new encryption key.
Stop the Bubble API server
Back up the Bubble database
pg_dump -U bubble bubble | gzip > /path/to/backup.tgz
Create a new PostgreSQL database with the same schema as the source database, but no data. For example, if the source database is named bubble and the destination database is named new_bubble, you would run:
createdb new_bubble && pg_dump --schema-only -U bubble bubble | psql -U bubble new_bubble
Run the rekey command to read all data from the source database, and write to the destination database:
./bubble/bin/bubble rekey \
  --jar "${BUBBLE_JAR}" \
  --db-user "${DB_USER}" \
  --db-password "${DB_PASS}" \
  --from-db "${FROM_DB}" \
  --from-key "${FROM_KEY}" \
  --to-db "${TO_DB}" \
  --to-key "${TO_KEY}"
The shell variables above are:
BUBBLE_JAR : path to the Bubble API JAR file
DB_USER : name of the PostgreSQL user, usually bubble
DB_PASS : password for the PostgreSQL user. To use an env var, prefix with @, for example @PGPASSWORD
FROM_DB : name of the source database, typically bubble
FROM_KEY : encryption key for the source database (or env var if prefixed with @), typically @BUBBLE_DB_ENCRYPTION_KEY
TO_DB : name of the destination database, for example new_bubble
TO_KEY : encryption key for the destination database
The rekeying is now complete. Drop the old database, and rename the new database. You may need to become the postgres user to run these commands.
dropdb bubble && psql -c 'ALTER DATABASE new_bubble RENAME TO bubble'
Restart the Bubble API server
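Before the dropdb step above, it is worth confirming that the destination database received every row. The following is an added example, not part of Bubble or of the original page: the function names are hypothetical, the table names used in any sample listing are constructed, and it assumes psql can connect as DB_USER without prompting.

```shell
#!/bin/sh
# Added example, not part of Bubble. Ciphertext differs after a rekey, so
# compare per-table row counts, which do not depend on the key.

# Print "table rowcount" for each table in schema public of database $1.
# Assumes psql connects as DB_USER (default: bubble) without prompting.
table_counts() {
    psql -U "${DB_USER:-bubble}" -d "$1" -At -c \
        "SELECT tablename FROM pg_tables WHERE schemaname = 'public' ORDER BY 1" |
    while read -r t; do
        n=$(psql -U "${DB_USER:-bubble}" -d "$1" -At \
                 -c "SELECT count(*) FROM \"$t\"" </dev/null) || return 2
        printf '%s %s\n' "$t" "$n"
    done
}

# Compare two listings (source, destination). Prints each difference and
# returns non-zero on any mismatch or if the source listing is empty.
compare_counts() {
    awk '
        FILENAME == ARGV[1] { src[$1] = $2; n++; next }
        { seen[$1] = 1
          if (!($1 in src)) { print "extra in destination: " $1; bad = 1 }
          else if (src[$1] != $2) { print "count mismatch: " $1 " " src[$1] " -> " $2; bad = 1 }
        }
        END {
            if (n == 0) { print "source listing is empty"; bad = 1 }
            for (t in src) if (!(t in seen)) { print "missing in destination: " t; bad = 1 }
            exit bad + 0
        }
    ' "$1" "$2"
}

# Hypothetical wrapper: verify_rekey bubble new_bubble
verify_rekey() {
    tmp=$(mktemp -d) || return 2
    table_counts "$1" > "$tmp/src" && table_counts "$2" > "$tmp/dst" &&
        compare_counts "$tmp/src" "$tmp/dst"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Run verify_rekey with the source and destination database names after the rekey command, and continue to dropdb only when it exits 0.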
Redis values are encrypted with a symmetric key, defined by the BUBBLE_REDIS_ENCRYPTION_KEY environment variable, set in the Bubble environment file.
Because only temporary data is stored in Redis, there is a very simple rekey procedure:
redis-cli flushall
OR echo flushall | nc 127.0.0.1 6379
BUBBLE_REDIS_ENCRYPTION_KEY in the bubble env file)
All data stored in cloud storage (which includes backups) is encrypted locally using a key that is specific to that particular cloud storage. The key is generated automatically prior to first use.
If an upstream Sage Node is providing access to the cloud storage, it will not be able to see any of the data being read or written. The file names or “keys” to the data itself are not encrypted, so these names would be visible to the Sage. Bubble does not include any sensitive information in filenames stored in cloud storage.
To rekey cloud storage, one would create a new cloud storage service with a different prefix path, then copy all the data from the old service to the new service, then delete all the data stored via the old service.
TODO: document the procedure for rekeying a cloud storage service