Gitea: "SECRET_KEY" usage and security

Hey there, I've set up a new Gitea instance and noticed that under:

[security]
INSTALL_LOCK = true
SECRET_KEY =

the Secret Key is empty. After some research, I found out that if this happens, a hardcoded default value will be used.
My questions are:

What does this actually encrypt?

If the secret is hardcoded, isn't it a security risk, because it's the same over most of the instances? If for example my database is compromised, everybody can decrypt my secrets, because the key is global and not random per instance?

Thanks for help!

That's why it is not hardcoded: you can set your own value, and you should.

There is an open issue about rotating this secret, for example from the empty value to a unique secret value: Secret rotation / secret loss recovery · Issue #16832 · go-gitea/gitea · GitHub

So there is no way to change it yet?

Maybe it would be a good approach to set a random string at default installation.

I also just noticed that my gitea instance has an empty SECRET_KEY set since installation. What are the implications of this for an internet-facing gitea instance, with a trusted database (i.e. I don’t care if someone could decrypt stuff in the database, because I control it)? Is the SECRET_KEY used for client-server communication in some way; could someone forge a session cookie knowing the SECRET_KEY?

The secret_key will be used to encrypt some sensitive data in the database. It will not be exposed outside of Gitea and WON'T be used to encrypt/decrypt data from/to clients.

I think we need a command line tool to regenerate a new security key and also replace all encrypted data on the database. So that the administrator could change the security key easily.

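The two concerns raised above (an empty SECRET_KEY falling back to a value shared by every instance, and the missing tool to move stored secrets onto a new key) can be shown in a few dozen lines. The following is an added example and not Gitea's own code: Gitea's real cipher, key derivation and fallback value are not reproduced here. It assumes AES-256-GCM, a SHA-256 derivation of the key from the SECRET_KEY string, and a placeholder fallback string; the stored token is a constructed sample.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// fallbackSecret stands in for the behaviour described in the thread: an empty
// SECRET_KEY is replaced by a fixed, build-time string. This value is a
// placeholder chosen for the example, not Gitea's actual default.
const fallbackSecret = "example-hardcoded-default"

// deriveKey turns the configured SECRET_KEY into a 32-byte AES-256 key.
// The SHA-256 derivation is an assumption made for this example.
func deriveKey(secretKey string) []byte {
	if secretKey == "" {
		secretKey = fallbackSecret // every instance with an empty key lands here
	}
	sum := sha256.Sum256([]byte(secretKey))
	return sum[:]
}

func newGCM(secretKey string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(secretKey))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM under the key derived from
// secretKey. Output layout is nonce || ciphertext || tag.
func Encrypt(secretKey string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(secretKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt reverses Encrypt. A wrong key fails GCM authentication, so a
// rotation can never silently write garbage back to the database.
func Decrypt(secretKey string, data []byte) ([]byte, error) {
	gcm, err := newGCM(secretKey)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// Rotate re-encrypts every stored value from oldKey to newKey, the job the
// proposed command line tool would do. It is all-or-nothing: if any value
// fails to decrypt, nothing is returned and the operator keeps the old key.
func Rotate(oldKey, newKey string, stored map[string][]byte) (map[string][]byte, error) {
	out := make(map[string][]byte, len(stored))
	for name, ct := range stored {
		pt, err := Decrypt(oldKey, ct)
		if err != nil {
			return nil, fmt.Errorf("%s: cannot decrypt with old key: %w", name, err)
		}
		nct, err := Encrypt(newKey, pt)
		if err != nil {
			return nil, err
		}
		out[name] = nct
	}
	return out, nil
}

// NewRandomSecret returns a fresh 64-hex-character secret, the kind of
// per-instance value the thread suggests generating at installation.
func NewRandomSecret() (string, error) {
	b := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", b), nil
}

func main() {
	// Constructed sample: two instances that both left SECRET_KEY empty.
	ct, _ := Encrypt("", []byte("constructed-sample-token")) // instance A stores it
	pt, err := Decrypt("", ct)                                // instance B reads A's database
	fmt.Printf("cross-instance decrypt: %q err=%v\n", pt, err)

	newKey, _ := NewRandomSecret()
	rotated, err := Rotate("", newKey, map[string][]byte{"token": ct})
	fmt.Println("rotation error:", err)
	_, err = Decrypt("", rotated["token"])
	fmt.Println("old key after rotation:", err)
}
```

Running it shows the first point: a database dump from instance A decrypts on instance B as long as both use the fallback, which is exactly the "global, not per instance" risk in the question. After Rotate, the old (empty) key fails authentication against the re-encrypted rows, so the rotation is verifiable before the new SECRET_KEY is written into app.ini.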

If the Secret Key does not encrypt anything in the database, what's its purpose?