Losing the data key you encrypted your database with is never good… On the Conjur GitHub it states “Do NOT lose the data key, or all the encrypted data will be unrecoverable.”
If you lost your data key, your one chance to retrieve it is from the container’s environment variable (CONJUR_DATA_KEY) and you can also get it from the Rails app. Either way, you need to be able to exec into the Conjur container; there is no API or public interface for retrieving the data key. This is by design, because the data key is super important for protecting the integrity of the Conjur database. Examples of these two methods for retrieving the key:
root@4f3e91a3e09e:/opt/conjur-server# echo $CONJUR_DATA_KEY
2EKwqh4sJPCbC9koV5EfdnMThNIbrceWn6MbZZZO9es=
root@4f3e91a3e09e:/opt/conjur-server# rails console
[snip: warnings]
irb(main):002:0> Base64.strict_encode64 Slosilo::encryption_key
=> "2EKwqh4sJPCbC9koV5EfdnMThNIbrceWn6MbZZZO9es="
There’s no supported way to replace the key AFAIK. As a workaround, you could stand up a new Conjur server (with a new, different data key) and then load the same policies and secrets from your old server into the new one.
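Once a value has been recovered by either method above, it is worth confirming that it is a well-formed key and that both sources agree before storing it, without echoing the key into logs or tickets. The following is an added example, not code from the original post or from the Conjur project; the function names are hypothetical, and it assumes a data key is the base64 encoding of 32 random bytes (as the sample value above is) and that base64 and sha256sum are available in the shell.

```shell
#!/bin/sh
# Added example: sanity-check a recovered Conjur data key and derive a
# fingerprint that can be logged or compared without revealing the key.
# Assumption: a data key is base64 of 32 random bytes.
EXPECTED_KEY_BYTES=32

# Print the decoded length in bytes; return 1 if the value is not valid base64.
data_key_len() {
  printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
  echo $(( $(printf '%s' "$1" | base64 -d | wc -c) ))
}

# First 16 hex digits of SHA-256 over the decoded key bytes.
data_key_fingerprint() {
  printf '%s' "$1" | base64 -d | sha256sum | cut -c1-16
}

# Succeed only for a well-formed key of the expected length.
check_data_key() {
  len=$(data_key_len "$1") || { echo "not valid base64" >&2; return 1; }
  if [ "$len" -ne "$EXPECTED_KEY_BYTES" ]; then
    echo "decoded to $len bytes, expected $EXPECTED_KEY_BYTES" >&2
    return 1
  fi
  echo "ok fingerprint=$(data_key_fingerprint "$1")"
}

# Succeed when two recovered values (env var, Rails console) are the same key.
same_data_key() {
  check_data_key "$1" >/dev/null && check_data_key "$2" >/dev/null &&
    [ "$(data_key_fingerprint "$1")" = "$(data_key_fingerprint "$2")" ]
}

# Constructed sample (32 zero bytes), not a real key.
SAMPLE_KEY=$(head -c 32 /dev/zero | base64)
check_data_key "$SAMPLE_KEY"
```

Inside the container, check_data_key "$CONJUR_DATA_KEY" prints only the fingerprint, which can be recorded next to the backup to identify which key it holds.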