Version: 2.11

Password Policy in Portworx Backup

Portworx Backup requires specific password formats and encryption keys for its database components. This document outlines the mandatory requirements for MongoDB, PostgreSQL, and MySQL credentials.

Provide these passwords during installation, in the Finish tab of the Portworx Backup spec generator, while configuring your deployment. This applies to both non-air-gapped and air-gapped environments. The password policy enables you to:

  1. Provide custom DB passwords at installation - Configure secure, organization-specific database credentials during initial deployment
  2. Rotate or update existing credentials during upgrades - Maintain security by updating passwords as part of your upgrade process and organization password rotation policies
  3. Encrypt sensitive fields in the Portworx MongoDB instance - Protect critical data with proper encryption key management

Password Requirements

Password/Key | Guidelines
MySQL Root User Password | User defined
PostgreSQL User Password | User defined. Cannot contain special characters (for example, @, :, /, %, &, #). This restriction is specific to the Keycloak PostgreSQL integration
MongoDB PX-Backup User Password | User defined. MongoDB enforces strict password requirements: the characters @, :, /, and % are not allowed because they have special meaning in MongoDB connection URI strings.
MongoDB Root User Password | User defined. Same special character restrictions apply as for MongoDB PX-Backup User Password (@, :, /, % not allowed).
MongoDB Replica Set Key | User defined, should be between 6 and 1024 characters, restricted to characters matching A-Za-z0-9+/= (base64 characters only). Special characters such as @, :, /, and % are not allowed. For more information, refer to Enforce keyfile access control on existing replica set
MongoDB Master Encryption Key | User defined alphanumeric, should be exactly 96 characters. For more information, refer to Create a customer master key
caution

The MongoDB Master Encryption Key is set during initial installation and cannot be changed afterward. It cannot be modified, rotated, or regenerated during upgrades or maintenance operations.

Store this key securely. If it is lost, all encrypted data becomes permanently unrecoverable. This key is required for all future upgrades and debugging procedures.

Sample Kubernetes Secret

This secret is created during installation when you provide the passwords through the Portworx Backup spec generator. Below is an example of a well-formatted Kubernetes secret in <pxb-namespace> containing all required credentials:

pxc-credentials secret
kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: <pxb-namespace>
---
apiVersion: v1
kind: Secret
metadata:
  name: pxc-credentials
  namespace: <pxb-namespace>
data:
  mongodb-px-backup-password: <base64-encoded-mongodb-password>
  mongodb-root-password: <base64-encoded-mongodb-root-password>
  mongodb-replica-set-key: <base64-encoded-mongodb-replica-set-key>
  mongodb-master-encryption-key: <base64-encoded-mongodb-master-encryption-key>
  postgresql-password: <base64-encoded-postgresql-password>
  mysql-password: <base64-encoded-mysql-password>
EOF

If the pxc-credentials secret is not set, installing or upgrading Portworx Backup will fail with the following error:

time="<UTC Timestamp>" level=fatal msg="Pre-install Hook failed: RunPreInstall: failed to validate custom passwords: ValidateCustomPasswordSecret: error validating pxc-credentials secret: secret pxc-credentials not found in namespace central"
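
The requirements table can be checked locally before any value is encoded into pxc-credentials, which matters most for the master encryption key because it cannot be changed later. The shell functions below are an added example, not part of Portworx Backup or its documentation; the function names are hypothetical, the PostgreSQL check assumes letters and digits only, and the replica set key check rejects / as the stricter reading of the table.

```shell
#!/bin/sh
# Added example: pre-flight checks for pxc-credentials values.
# Function names are hypothetical; empty values are rejected as an assumption.
LC_ALL=C; export LC_ALL   # make A-Z, a-z, 0-9 ranges match ASCII only

# MongoDB PX-Backup user and root passwords: no @ : / %
valid_mongo_password() {
    case "$1" in ''|*[@:/%]*) return 1 ;; esac
    return 0
}

# PostgreSQL password: "special characters" are forbidden. Assumption: the
# strict reading, letters and digits only.
valid_postgres_password() {
    case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; esac
    return 0
}

# Replica set key: 6 to 1024 characters. The table lists "/" both in the
# allowed set and among the disallowed characters; this takes the stricter
# reading and rejects it.
valid_replica_set_key() {
    [ "${#1}" -ge 6 ] && [ "${#1}" -le 1024 ] || return 1
    case "$1" in *[!A-Za-z0-9+=]*) return 1 ;; esac
    return 0
}

# Master encryption key: alphanumeric, exactly 96 characters.
valid_master_key() {
    [ "${#1}" -eq 96 ] || return 1
    case "$1" in *[!A-Za-z0-9]*) return 1 ;; esac
    return 0
}

# Encode a value for the Secret's data: field. printf '%s' avoids the newline
# echo would append; tr removes the line wrapping some base64 tools add, which
# a 96-character key (128 encoded characters) would otherwise trigger.
encode_secret_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Constructed sample values, not real credentials.
for pw in 'Blue-Harbor_42' 'p@ss:word'; do
    if valid_mongo_password "$pw"; then echo "mongodb password accepted: $pw"
    else echo "mongodb password rejected: $pw"; fi
done
```

A value encoded with a trailing newline still decodes, but the newline becomes part of the credential, so a 96-character master key would be stored as 97 characters.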

Best Practices

Key Management and Rotation

Proper key management is critical for maintaining the security and integrity of your Portworx Backup deployment. MongoDB encryption keys and database passwords require careful handling throughout their lifecycle. Follow these essential practices to ensure secure credential management:

  • Never reuse the MongoDB master encryption key across environments
  • Remember/store passwords and keys securely

Password Rotation

To rotate or update database passwords (MySQL, PostgreSQL, MongoDB user, or MongoDB root), update the pxc-credentials Kubernetes secret with the new values and then run a Helm upgrade. The new credentials take effect after the upgrade completes.

caution

The MongoDB Master Encryption Key cannot be rotated after initial installation. Do not modify it during an upgrade, as doing so will make all encrypted data permanently inaccessible.

For step-by-step upgrade procedures, see Upgrade Portworx Backup.