Manages the Couchbase master password
couchbase-cli setting-master-password [--cluster <url>] [--username <user>] [--password <password>] [--new-password <password>] [--rotate-password]
Couchbase Server Enterprise Edition has a "Secret Management" feature, which allows users to securely encrypt passwords and other sensitive configuration information that is stored on disk. These secrets must be stored in a secure way; and access must be controlled, to reduce the risk of accidental exposure. By using Secret Management in Couchbase Server, secrets are written to disk in encrypted format. To decrypt these secrets, Couchbase requires entry of a "master password", which is supplied by the user during server startup. This master password can be passed to the server using the couchbase-cli master-password command.
By default, the Secret Management feature is disabled. To enable the feature, you must first set the master password. Once a master password is set, the user is required to enter it when the server starts up. This can be done by setting the environment variable CB_MASTER_PASSWORD=<password> during server startup. Alternatively, you can set the environment variable CB_WAIT_FOR_MASTER_PASSWORD=true, and then enter the master password using the couchbase-cli master-password command.
Specifies the hostname of a node in the cluster. See the HOST FORMATS section for more information on specifying a hostname.
- --username <username>
Specifies the username of the user executing the command. If you do not have a user account with permission to execute the command then it will fail with an unauthorized error.
- --password <password>
Specifies the password of the user executing the command. If you do not have a user account with permission to execute the command then it will fail with an unauthorized error. If this argument is specified, but no password is given then the command will prompt the user for a password through non-echoed stdin. You may also specify your password by using the environment variable CB_REST_PASSWORD.
Secrets are encrypted using a data key file, which is a unique key that is stored on disk for each server. To open this file, the master password is used to generate a key which decrypts the contents of the data key file. The contents of the decrypted data key file can then be used to decrypt secrets. Some users may want to generate a new data key file periodically, to increase security. This option is used to generate a new data key file.
Sets a new master password for the server specified. The user may specify this password on the command line, or through non-echoed stdin. To specify the password through non-echoed stdin, do not provide a value for this option. The user will then be prompted to enter the password.
When specifying a host for the couchbase-cli command the following formats are expected:
It is recommended to use the couchbase://<addr> format for standard installations. The other two formats allow an option to take a port number which is needed for non-default installations where the admin port has been set up on a port other that 8091.
To use the Secret Management feature, the first thing you need to do is set a password on each node of the cluster. To do this, install and start Couchbase, but don’t go through the setup process or initialize the cluster. Once Couchbase has started, run the following command to set the master password for your server.
$ couchbase-cli setting-master-password -c 127.0.0.1 -u Administrator \ -p password --new-password password
Once the master password has been set, you need to set the server environment variable CB_WAIT_FOR_MASTER_PASSWORD=true. You can do this by running the command below, or by setting the variable in your .bashrc file.
$ export CB_WAIT_FOR_MASTER_PASSWORD=true
This environment variable will cause Couchbase to wait for the master password before starting up. Once it is set, you need to restart your cluster. Upon restarting the cluster you will notice that the server doesn’t fully start. This is because it is waiting for you to enter the master password. You can do this by running the command below. The master-password subcommand has to be run locally on the node that is waiting for the master password.
$ couchbase-cli master-password --send-password password
Specifies the username to use when executing the command. This environment variable allows you to specify a default argument for the -u/--username argument on the command line.
Specifies the password of the user executing the command. This environment variable allows you to specify a default argument for the -p/--password argument on the command line. It also allows the user to ensure that their password are not cached in their command line history.
Part of the couchbase-cli suite