How are Connections, Variables, and Env Vars encrypted on Astronomer?

Connections and Variables are encrypted as soon as you set them. Check out the screenshots below (taken on a local Postgres) to see exactly what anyone on your end (or ours) would have access to.

1. Connections

is_encrypted: This means that a password value exists (at all) and will be encrypted with a randomized string akin GAAAAABcu.... Note that once a password is set in the UI and you hit “Save”, it’ll “disappear” from the Airflow UI even though the value in fact exists.

is_extra_encrypted: If this is marked True, that means that a value exists in the Extras field at the bottom of the Connection Config. Confusingly, this does NOT mean that the connection is “very” encrypted or has an extra layer of encryption in any way. It just means that whatever is in that box, is indeed encrypted as well.

2. Variables

Variables work similarly. Regardless of whether or not they’re extra encrypted or marked as secrets (which you can do by inserting a key word like “Password” or “API Key” in the name of the Variable), their corresponding values are encrypted in Airflow’s underlying db.

Adding those keywords will protect them on the Airflow UI (as you can see below), but they’ll actually be inserted the same way in Postgres.

3. Environment Variables

All values for Env Vars (whether you add them to your Dockerfile or via the Astronomer UI) are stored as Kubernetes Secrets, which are encrypted at REST and mounted right into the Airflow pods. Those values aren’t stored anywhere on our end - we fully trust Kubernetes as a source of truth. As a slight caveat to that, all Env Vars are currently accessible from the Astronomer UI once inputted, so anyone with access to your account/workspace will have access to those at anytime for now.


Note: If you’re an Astronomer Cloud customer looking for access to your Postgres, refer to this forum post for your remote deployment or this post to get set up locally.

Hi @paola I’m running Airflow 2.0 on AWS EC2, how can I mark “is_encrypted” &“is_extra_encrypted” to true. Is it possible through AWS cli?
Please help me on this