
Airflow Connection Encryption Fix

DodaTech Updated 2026-06-24 3 min read

This tutorial fixes the problem of Airflow connection passwords being stored and displayed in plain text: generating and deploying a Fernet key, re-encrypting existing connections, masking sensitive fields in the UI, moving secrets to a backend, and protecting the metadata database connection itself.

Airflow connection passwords are visible in the UI:

Admin > Connections > Click on a connection
Password: mydatabasepassword  # Plain text!

Airflow stores connections in its metadata database. The password and the extra JSON field are encrypted with Fernet using the key in airflow.cfg; if fernet_key is empty, both are written in plain text, so any access keys or tokens placed in extra are exposed along with the password.

Step-by-Step Fix

1. Generate and set a Fernet key

WRONG — no Fernet key means unencrypted passwords:

[core]
fernet_key =

RIGHT — generate a Fernet key:

# Generate a Fernet key
python -c "from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())"

# Output (illustrative value; a real key is 44 url-safe base64 characters): 5aU9xVvYnC3y8QzR2wLmNpQrStUvWxYz=

Set it in airflow.cfg, using the same key on every component (webserver, scheduler and workers):

[core]
fernet_key = 5aU9xVvYnC3y8QzR2wLmNpQrStUvWxYz=

Or via environment variable:

export AIRFLOW__CORE__FERNET_KEY=5aU9xVvYnC3y8QzR2wLmNpQrStUvWxYz=
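As an added example (not from the original post and not Airflow's own code), a standard-library-only preflight check that resolves fernet_key the way Airflow does (AIRFLOW__CORE__FERNET_KEY overrides airflow.cfg, and a comma-separated value lists the current key first during rotation) and flags an empty key, a malformed key, or a rotation that still carries the old key. The config text and the sample key are constructed for the example.

```python
import base64
import configparser
import os
from typing import List, Mapping, Optional

ENV_VAR = "AIRFLOW__CORE__FERNET_KEY"  # Airflow's environment override for [core] fernet_key


def validate_fernet_key(key: str) -> bool:
    """A Fernet key is 32 random bytes, url-safe base64 encoded: exactly 44 characters."""
    if len(key) != 44:
        return False
    try:
        raw = base64.urlsafe_b64decode(key.encode("ascii"))
    except ValueError:  # bad base64 (binascii.Error) or non-ASCII input
        return False
    return len(raw) == 32


def effective_fernet_keys(cfg_text: str, environ: Mapping[str, str]) -> List[str]:
    """Resolve the key list as Airflow does: environment variable first, then airflow.cfg."""
    value = environ.get(ENV_VAR)
    if value is None:
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(cfg_text)
        value = parser.get("core", "fernet_key", fallback="")
    # Comma-separated value = current key first, then older keys (used while rotating)
    return [k.strip() for k in value.split(",") if k.strip()]


def check_fernet_config(cfg_text: str, environ: Optional[Mapping[str, str]] = None) -> List[str]:
    """Return findings; an empty list means values will be encrypted under one valid key."""
    keys = effective_fernet_keys(cfg_text, os.environ if environ is None else environ)
    if not keys:
        return ["fernet_key is empty: connection passwords and extras are stored in plain text"]
    findings = [f"key #{i} is not a valid Fernet key (32 bytes, url-safe base64)"
                for i, k in enumerate(keys, start=1) if not validate_fernet_key(k)]
    if len(keys) > 1:
        findings.append("rotation in progress: run `airflow rotate-fernet-key`, then drop the old key")
    return findings


# Constructed sample inputs: a well-formed key built from fixed bytes, and an empty-key config
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32))).decode()
EMPTY_KEY_CFG = "[core]\nfernet_key =\n"

if __name__ == "__main__":
    print(check_fernet_config(EMPTY_KEY_CFG, environ={}))
    print(check_fernet_config(EMPTY_KEY_CFG, environ={ENV_VAR: SAMPLE_KEY}))
```

Run it against the real airflow.cfg text and os.environ (the default) as a deployment gate, before the scheduler starts writing connections.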

2. Re-encrypt existing connections

Connections saved while the key was empty stay in plain text after the key is set. Connection.rotate_fernet_key() only re-wraps values that are already encrypted, so plain-text passwords and extras have to be re-assigned, which runs them through the encrypting setter. Run this in a Python session inside the Airflow environment (with the new key already in the configuration):

# Re-encrypt all connections under the current Fernet key
from airflow.models import Connection
from airflow.utils.session import create_session

with create_session() as session:          # commits on exit
    for conn in session.query(Connection).all():
        if conn.password and not conn.is_encrypted:
            conn.password = conn.password  # plain text: the setter encrypts on assignment
        if conn.extra and not conn.is_extra_encrypted:
            conn.extra = conn.extra        # same for the extra JSON field
        conn.rotate_fernet_key()           # already-encrypted values: re-wrap with the current key

Airflow also ships airflow rotate-fernet-key, which performs only the re-wrap step and skips values that were never encrypted.

Then restart the webserver and scheduler processes so every component loads the new key; the exact command depends on how Airflow is deployed (systemd units, containers, etc.).

3. Mask passwords in the UI

WRONG — field masking switched off, so connection passwords and sensitive extra keys are rendered in the UI and task logs:

[core]
hide_sensitive_var_conn_fields = False

RIGHT — keep masking on (the default since Airflow 2.1); additional extra keys to mask can be listed in sensitive_var_conn_names:

[core]
hide_sensitive_var_conn_fields = True  # Masks password fields and sensitive extra keys in the UI and task logs

Users with the Admin role can still read passwords through other paths (for example the CLI), so limit who holds that role. Airflow 2 always enforces role-based access control in the UI; on Airflow 1.10 it had to be enabled explicitly:

[webserver]
rbac = True  # Role-based access control (Airflow 1.10 setting; always on in Airflow 2)

4. Use a Secrets backend

With a secrets backend, Airflow reads connections from the backend at runtime and they never land in the metadata database. backend_kwargs is a JSON string and must stay on one line in airflow.cfg (ConfigParser only continues a value on indented lines); the url below is a placeholder for your Vault address:

[secrets]
backend = airflow.providers.hashicorp.secrets.vault.VaultBackend
backend_kwargs = {"connections_prefix": "connections", "variables_prefix": "variables", "url": "https://vault.example.com:8200", "mount_point": "airflow"}

The backend authenticates according to auth_type (token by default, supplied via token or token_path in backend_kwargs; approle or kubernetes avoid keeping a static token in the config) and assumes a KV v2 engine (kv_engine_version = 2). Enable the engine at the chosen mount point, then store the connection in HashiCorp Vault as individual fields:

vault secrets enable -path=airflow kv-v2

vault kv put airflow/connections/my_db \
    conn_type=postgres \
    host=db.example.com \
    login=admin \
    password=supersecret

5. Encrypt connection extras

WRONG — sensitive data in extras:

{
    "aws_access_key_id": "AKIAXXX",
    "aws_secret_access_key": "supersecret"
}

RIGHT — use the Secrets backend or store only references:

{
    "aws_profile": "production",
    "role_arn": "arn:aws:iam::123456:role/airflow-role"
}

Use IAM roles or service principals instead of access keys.

6. Use SSL/TLS for database connections

The metadata database URL lives under [database] from Airflow 2.3 on ([core] in earlier releases). sslmode=require only turns encryption on; verify-full together with sslrootcert also authenticates the server, so prefer it where the CA certificate is available. Avoid pasting the database password into airflow.cfg: set the value through AIRFLOW__DATABASE__SQL_ALCHEMY_CONN or sql_alchemy_conn_cmd instead.

[database]
sql_alchemy_conn = postgresql+psycopg2://user:pass@host:5432/airflow?sslmode=require

[celery]
result_backend = db+postgresql://user:pass@host:5432/airflow?sslmode=require

Result: connection passwords and extras are stored encrypted in the metadata database (is_encrypted is set on each row) and masked in the UI.

Prevention

  • Always set fernet_key when deploying Airflow in production.
  • Keep hide_sensitive_var_conn_fields = True so passwords and sensitive extras are masked in the UI and logs.
  • Use a Secrets backend (Vault, AWS SSM, GCP Secret Manager) for production.
  • Enable SSL/TLS for database connections.
  • Audit connections regularly for exposed credentials.


FAQ

What happens if I lose my Fernet key?

All encrypted connections become unrecoverable. Store the Fernet key in a secure location (Vault, AWS Secrets Manager) and back it up. Without the key, you must delete and recreate all connections.

Is the Fernet key enough for production security?

Fernet encryption protects data at rest in the database. For production, also:

  • Use a Secrets backend (Vault, AWS SSM)
  • Enable database SSL/TLS
  • Restrict Airflow UI access with RBAC
  • Use network policies for Airflow components

How often should I rotate the Fernet key?

Rotate the Fernet key every 90 days or after any security incident. To rotate without losing existing values, set fernet_key to the new key followed by the old one, comma-separated (new_key,old_key), run airflow rotate-fernet-key (which calls rotate_fernet_key() on every encrypted connection and variable), then remove the old key from the list. Schedule this as an Airflow DAG for automated rotation.
