Setting up a secret

Tonic stores and encrypts your database credentials. To use your own encryption key. follow the instructions here on how to set that up.

TONIC_SECRET encryption

TONIC_SECRET is encrypted using AES.
By default, the encryption uses a 128-bit key. It can also support a 256-bit key.

During initial installation

During initial installation, to set up your encryption key, add an environmental variable called TONIC_SECRET to both the tonic_worker and tonic_web_server containers.
TONIC_SECRET must have the same value in both containers. It can be any string.

After installation

You can also set up an encryption key after installation, but the process is more complicated. This is because your data is already encrypted with a different key, which is likely the default key that Tonic uses.
To use your own encryption key, follow the steps below.

A word of caution

This process irrevocably deletes your:
  • Database passwords
  • SSH tunnel keys
  • Passphrases
After you make the change, you must re-enter these credentials the first time you use your Tonic workspace.

Connect to the Tonic database

In your initial setup, you provided connection details to a PostgreSQL database that Tonic uses as its internal data store.
You must first connect to this database through a PostgreSQL client such as psql.
For more detailed instructions, see Connecting to the Tonic database.

Back up your encrypted data

Before you make any changes, back up the encrypted data so that you can revert these changes if needed.
First, to create some columns to use to back up data, issue the following query:
"EncryptedPassword_Backup" TEXT,
"EncryptedBigQueryServiceAccount_Backup" TEXT,
"EncryptedSshPassphrase_Backup" TEXT,
"EncryptedSshPrivateKey_Backup" TEXT;
Next, copy the original values into these backup columns:
UPDATE "Databases" SET
"EncryptedPassword_Backup" = "EncryptedPassword",
"EncryptedBigQueryServiceAccount_Backup" = "EncryptedBigQueryServiceAccount",
"EncryptedSshPassphrase_Backup" = "EncryptedSshPassphrase",
"EncryptedSshPrivateKey_Backup" = "EncryptedSshPrivateKey";

Apply changes

Next, delete the data that was encrypted with your old key.
UPDATE "Databases" SET
"EncryptedPassword" = null,
"EncryptedSshPrivateKey" = null,
"EncryptedSshPassphrase" = null,
"EncryptedBigQueryServiceAccount" = null;

Test your changes

You can now shut down Tonic, and follow the steps to set up a key during initial installation.
After that is complete, restart Tonic and log in.
All of your workspaces should be present. However, Tonic cannot connect to the source databases. This is because we deleted all of the passwords.
You must re-enter all of your passwords for each database. After that, you should be able to continue to use Tonic. Your passwords are encrypted with your new secret.


If this process does not work, revert your changes and reach out to [email protected] or through your company's typical support channel.
To revert your changes, run the following:
UPDATE "Databases" SET
"EncryptedPassword" = "EncryptedPassword_Backup",
"EncryptedSshPrivateKey" = "EncryptedSshPrivateKey_Backup",
"EncryptedSshPassphrase" = "EncryptedSshPassphrase_Backup",
"EncryptedBigQueryServiceAccount" = "EncryptedBigQueryServiceAccount_Backup";


The final step is to remove the columns you created to temporarily store your old passwords.
However, if you plan to revert your TONIC_SECRET, consider keeping these columns in the database.
To delete the columns, run:
ALTER TABLE "Databases"
DROP COLUMN "EncryptedPassword_Backup",
DROP COLUMN "EncryptedBigQueryServiceAccount_Backup",
DROP COLUMN "EncryptedSshPassphrase_Backup",
DROP COLUMN "EncryptedSshPrivateKey_Backup";