Password Policy
Portworx Backup requires specific password formats and encryption keys for its database components. This document outlines the mandatory requirements for MongoDB, PostgreSQL, and MySQL credentials.
These passwords must be provided during installation through the Portworx Backup spec generator in the Finish tab for both Non-airgapped and Air-gapped environments while configuring your deployment. The password policy enables you to:
- Provide custom DB passwords at installation: configure secure, organization-specific database credentials during initial deployment
- Rotate or update existing credentials during upgrades: maintain security by updating passwords as part of your upgrade process and your organization's password rotation policies
- Encrypt sensitive fields in the Portworx MongoDB instance: protect critical data with proper encryption key management
Password Requirements
| Password/Key | Guidelines |
|---|---|
| MySQL Root User Password | User defined |
| PostgreSQL User Password | User defined; cannot contain special characters. This restriction is specific to the Keycloak PostgreSQL integration |
| MongoDB PX-Backup User Password | User defined |
| MongoDB Root User Password | User defined |
| MongoDB Replica Set Key | User defined; must be between 6 and 1024 characters, restricted to the character set A-Za-z0-9+/=. For more information, refer to Enforce keyfile access control on existing replica set |
| MongoDB Master Encryption Key | User defined; must be alphanumeric and exactly 96 characters. For more information, refer to Create a customer master key |
The MongoDB Master Encryption Key is immutable once set during initial installation. This key cannot be modified, rotated, or regenerated during upgrades or maintenance operations. Store this key securely in your system as it will be required for all future upgrades and debugging procedures.
Sample Kubernetes Secret
This secret is created during installation when you provide the passwords through the Portworx Backup spec generator. Below is an example of a well-formed Kubernetes secret in <pxb-namespace> containing all required credentials:
kubectl apply -f - <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: <pxb-namespace>
---
apiVersion: v1
kind: Secret
metadata:
  name: pxc-credentials
  namespace: <pxb-namespace>
data:
  mongodb-px-backup-password: <base64-encoded-mongodb-password>
  mongodb-root-password: <base64-encoded-mongodb-root-password>
  mongodb-replica-set-key: <base64-encoded-mongodb-replica-set-key>
  mongodb-master-encryption-key: <base64-encoded-mongodb-master-encryption-key>
  postgresql-password: <base64-encoded-postgresql-password>
  mysql-password: <base64-encoded-mysql-password>
EOF
If the pxc-credentials secret is not set, installing or upgrading Portworx Backup fails with the following error:
time="<UTC Timestamp>" level=fatal msg="Pre-install Hook failed: RunPreInstall: failed to validate custom passwords: ValidateCustomPasswordSecret: error validating pxc-credentials secret: secret pxc-credentials not found in namespace central"
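As an added example (not part of the Portworx Backup documentation or tooling), the following Python script checks a set of credentials against the Password Requirements table before rendering the pxc-credentials secret with base64-encoded values, so a policy violation is caught before the pre-install hook rejects it. The sample credentials are constructed, and treating "special characters" for the PostgreSQL password as anything outside ASCII letters and digits is an assumption.

```python
import base64
import re

# Rules transcribed from the Password Requirements table.
REPLICA_SET_KEY_RE = re.compile(r"^[A-Za-z0-9+/=]{6,1024}$")
MASTER_KEY_RE = re.compile(r"^[A-Za-z0-9]{96}$")
# Assumption: Keycloak's "no special characters" means ASCII alphanumerics only.
POSTGRES_PASSWORD_RE = re.compile(r"^[A-Za-z0-9]+$")

# Secret data key -> (check, human-readable rule). "User defined" entries only need a value.
RULES = {
    "mongodb-px-backup-password": (lambda v: len(v) > 0, "must not be empty"),
    "mongodb-root-password": (lambda v: len(v) > 0, "must not be empty"),
    "mongodb-replica-set-key": (REPLICA_SET_KEY_RE.fullmatch, "6-1024 chars from A-Za-z0-9+/="),
    "mongodb-master-encryption-key": (MASTER_KEY_RE.fullmatch, "exactly 96 alphanumeric chars"),
    "postgresql-password": (POSTGRES_PASSWORD_RE.fullmatch, "alphanumeric only (Keycloak restriction)"),
    "mysql-password": (lambda v: len(v) > 0, "must not be empty"),
}

def validate_credentials(creds: dict) -> list:
    """Return a list of policy violations; an empty list means all keys pass."""
    problems = []
    for key, (check, rule) in RULES.items():
        value = creds.get(key)
        if value is None:
            problems.append(f"{key}: missing")
        elif not check(value):
            problems.append(f"{key}: {rule}")
    return problems

def render_secret(creds: dict, namespace: str) -> str:
    """Render the pxc-credentials Secret manifest, refusing credentials that violate the policy."""
    problems = validate_credentials(creds)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["apiVersion: v1", "kind: Secret", "metadata:", "  name: pxc-credentials",
             f"  namespace: {namespace}", "data:"]
    for key in RULES:
        # Secret.data values must be base64 of the raw bytes (stringData would accept plaintext).
        lines.append(f"  {key}: {base64.b64encode(creds[key].encode()).decode()}")
    return "\n".join(lines) + "\n"

# Constructed sample values; real deployments use values generated per the linked MongoDB docs.
SAMPLE_CREDS = {
    "mongodb-px-backup-password": "pxbackupPw1",
    "mongodb-root-password": "mongoRootPw1",
    "mongodb-replica-set-key": "abc123XYZ+/=",
    "mongodb-master-encryption-key": "k" * 96,
    "postgresql-password": "keycloakPw1",
    "mysql-password": "mysql",
}

if __name__ == "__main__":
    print(render_secret(SAMPLE_CREDS, "central"), end="")
```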
Best Practices
Key Management and Rotation
Proper key management is critical for maintaining the security and integrity of your Portworx Backup deployment. MongoDB encryption keys and database passwords require careful handling throughout their lifecycle. Follow these essential practices to ensure secure credential management:
- Never reuse the MongoDB master encryption key across environments
- Store passwords and keys securely, so they are available for future upgrades and debugging