# Session keys

In the default install we autogenerate session and cookie keys each time the application is installed or upgraded, which could cause disruption for users. Instead you should generate these tokens once and save them in a Kubernetes secret.

Most secrets (with the exception of your PostgreSQL password) must be stored in a secret named fwinsights-secrets

We'll need the following keys:

  • cookie_hash_key (64 chars)
  • cookie_block_key (32 chars)
  • session_auth_key (64 chars)
  • session_encryption_key (32 chars)
  • AES cypher key (32 chars)

An easy way to generate these keys is:

cookie_hash_key=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 64 | base64 -w 0)
cookie_block_key=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 | base64 -w 0)
session_auth_key=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 64 | base64 -w 0)
session_encryption_key=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 | base64 -w 0)
aes_base64_cypher_key=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 | base64 -w 0)

You should use these values to populate secrets.yaml:

apiVersion: v1
data:
    COOKIE_HASH_KEY: TjZCbzAzMVJ0U1lXS2RPaE9sU0ZERDJJdXpTNFhLeG91VWFYdU9DcU9kTkpmenlFNWFsT29sajZ3VGpNbjNSSA==
    COOKIE_BLOCK_KEY: RDFNVVhWVzM4QllJd0Z5NXNIT1kxV1RrVWNweWRnbmM=
    SESSION_AUTH_KEY: NTczV0o0NGFBeGtXVzduZjZHV25FdFZMb0s5TE5SSWU3bG00YkNtaE93bHZUVW1VSXZUYW9ya2UzdHE2eFZXSA==
    SESSION_ENCRYPTION_KEY: ME1LeFRPdTYwOVU0YlVvUGVEUUdQYjZnbTlyZUh4b2I=
    AES_BASE64_CYPHER_KEY: ejdGNDVRYWdYRUh5TVc2UEZEbktFTEZ3NUxSQ2JQNFo=
kind: Secret
metadata:
    name: fwinsights-secrets
type: Opaque
kubectl apply -f secrets.yaml -n fairwinds-insights

Consider using SOPS (opens new window) to encrypt your secrets file and store it in your git repository.