Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/rstudio/rskey/llms.txt

Use this file to discover all available pages before exploring further.

Workbench encrypts passwords using AES-128-CBC, a different algorithm from the NaCl Secretbox default used by Connect and Package Manager. rskey replaces Workbench’s built-in rstudio-server encrypt-password command using --mode=workbench, and it works without a Workbench installation or license. Both of the key formats Workbench accepts are supported.

Key formats

Workbench keys are 32 or more opaque bytes rather than the 512-byte hex-encoded keys used by Connect and Package Manager. Two formats are commonly used:

UUID key

The traditional format. Generated by the system uuid command, this is a 36-character UUID string with a trailing newline. Workbench documentation describes this as the standard way to create a secure-cookie-key.

rskey-generated key

A 512-byte hex-encoded key produced by rskey generate. This format is also accepted by --mode=workbench and works identically.

Encrypt and decrypt secrets

1

Create a key

Use rskey generate to write a new key to the Workbench secure cookie key path:
rskey generate -o /etc/rstudio/secure-cookie-key
chmod 0600 /etc/rstudio/secure-cookie-key
Alternatively, generate a UUID key using the system uuid command:
echo $(uuid) > /etc/rstudio/secure-cookie-key
chmod 0600 /etc/rstudio/secure-cookie-key
2

Encrypt a value

Pass --mode=workbench to use the AES-128-CBC algorithm Workbench expects:
rskey encrypt --mode=workbench -f /etc/rstudio/secure-cookie-key

Type the sensitive data to encrypt, then press Enter:
Type the sensitive data again:
A1B2C3D4AAAABQoJCAcGBQQDAgEA...A1B2C3D4
The output is prefixed and suffixed with the key’s CRC32 fingerprint, which Workbench uses to verify the key before decryption.To encrypt via stdin instead:
echo "my-db-password" | rskey encrypt --mode=workbench -f /etc/rstudio/secure-cookie-key
3

Decrypt a value

Pass the same --mode=workbench flag and supply the ciphertext interactively or on stdin:
rskey decrypt --mode=workbench -f /etc/rstudio/secure-cookie-key
Or via stdin:
echo "A1B2C3D4AAAA..." | rskey decrypt --mode=workbench -f /etc/rstudio/secure-cookie-key
4

Get the key fingerprint

Print the CRC32 fingerprint for a Workbench key. This matches the hash shown in rstudio-server encrypt-password output:
rskey fingerprint --mode=workbench -f /etc/rstudio/secure-cookie-key
# A1B2C3D4

CRC32 fingerprint

The Workbench fingerprint is a CRC32 (IEEE) checksum of the raw key bytes, formatted as an 8-character uppercase hex string. This matches exactly what rstudio-server encrypt-password embeds at the start and end of every encrypted payload. rskey decrypt --mode=workbench checks the embedded fingerprint against the loaded key and returns an error if they do not match, which provides a fast check for key mismatch before attempting decryption.
The fingerprint algorithm for Workbench is CRC32, not SHA-256. This differs from the default fingerprint produced by rskey fingerprint for Connect and Package Manager keys.

Key file security

Anyone who obtains the key file can decrypt all values encrypted with it. Treat the key file as a credential.
  • Set permissions to 0600 so only the owning user (the Workbench service account) can read it.
  • Do not commit the key file to version control.
  • If using a UUID key, remember that UUID values generated without a CSPRNG may have reduced entropy.

Build docs developers (and LLMs) love

Get started for freeTalk to us