
Variable encryption for secrets in Apache Airflow - Step-by-Step Execution

Process Flow - Variable encryption for secrets
1. Define Secret Variable
2. Encrypt Variable Value
3. Store Encrypted Value in Airflow Metadata DB
4. Retrieve Encrypted Variable
5. Decrypt Variable Value at Runtime
6. Use Decrypted Secret in DAG or Task
This flow shows how a secret variable is encrypted before storage and decrypted when used in Airflow.
Execution Sample
from airflow.models import Variable

# Set the variable. Variable.set() takes no encrypt argument; Airflow encrypts
# the value at rest when a Fernet key ([core] fernet_key) is configured.
Variable.set('db_password', 'MySecret123')

# Get decrypted variable
password = Variable.get('db_password')
This code sets a secret variable with encryption and retrieves it decrypted for use.
Process Table
| Step | Action | Input/Condition | Result/Output |
|---|---|---|---|
| 1 | Call Variable.set | key='db_password', value='MySecret123', encrypt=True | Value encrypted and stored in metadata DB |
| 2 | Store encrypted value | Encrypted data saved | Metadata DB updated with encrypted secret |
| 3 | Call Variable.get | key='db_password' | Encrypted value retrieved from DB |
| 4 | Decrypt value | Encrypted data from DB | Decrypted value 'MySecret123' returned |
| 5 | Use decrypted value | password variable assigned | password='MySecret123' ready for DAG use |
| 6 | End | No more actions | Secret variable securely handled |
💡 All steps complete; secret variable encrypted at rest and decrypted on access
Status Tracker
| Variable | Start | After Step 1 | After Step 3 | After Step 4 | Final |
|---|---|---|---|---|---|
| db_password (stored) | None | Encrypted data | Encrypted data | Encrypted data | Encrypted data |
| password (runtime) | None | None | MySecret123 | MySecret123 | MySecret123 |
Key Moments - 2 Insights
Why do we see encrypted data stored but decrypted data when we get the variable?
Because Airflow encrypts the variable before saving it to the database (step 1 and 2), but decrypts it automatically when you retrieve it (step 4), so you always get the secret in plain text at runtime.
What happens if we set encrypt=False when storing a secret?
The variable is stored as plain text in the metadata database, which is less secure. The Process Table shows encryption only when encrypt=True is used in step 1.
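A check a defender can run against the metadata database to confirm which Variable rows are really encrypted at rest, as an added example that is not part of the original page or the Airflow project. It assumes Airflow's Fernet encryption and a `variable` table with `key`, `val` and `is_encrypted` columns; the in-memory SQLite table and the token are constructed samples, and the function names are hypothetical.

```python
import base64
import sqlite3
import struct

FERNET_OVERHEAD = 1 + 8 + 16 + 32  # version, timestamp, IV, HMAC-SHA256


def looks_like_fernet_token(value: str) -> bool:
    """Structural check only (no decryption): version byte 0x80, then
    timestamp, IV, AES-CBC ciphertext in 16-byte blocks, and the HMAC."""
    try:
        raw = base64.urlsafe_b64decode(value.encode("ascii"))
    except ValueError:  # bad base64 or non-ASCII text
        return False
    body = len(raw) - FERNET_OVERHEAD
    return body >= 16 and body % 16 == 0 and raw[0] == 0x80


def constructed_token() -> str:
    # Constructed sample: correct layout with filler bytes, not real ciphertext.
    raw = (b"\x80" + struct.pack(">Q", 1700000000)
           + b"\x11" * 16 + b"\x22" * 16 + b"\x33" * 32)
    return base64.urlsafe_b64encode(raw).decode("ascii")


def audit_variables(conn):
    """Return (key, reason) for each row whose stored value is not protected."""
    findings = []
    query = 'SELECT "key", val, is_encrypted FROM variable ORDER BY "key"'
    for key, val, is_encrypted in conn.execute(query):
        if not is_encrypted:
            findings.append((key, "stored as plain text"))
        elif not looks_like_fernet_token(val or ""):
            findings.append((key, "flagged encrypted but not a Fernet token"))
    return findings


def build_sample_db():
    # Constructed stand-in for the metadata DB (column names are assumptions).
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE variable ("key" TEXT, val TEXT, is_encrypted INTEGER)')
    rows = [("db_password", constructed_token(), 1),
            ("api_token", "MySecret123", 0),
            ("legacy_key", "MySecret123", 1)]
    conn.executemany("INSERT INTO variable VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    for key, reason in audit_variables(build_sample_db()):
        print(f"{key}: {reason}")
```

The structural test confirms only that a value has the shape of a Fernet token; it does not prove the token decrypts under the currently configured key.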
Visual Quiz - 3 Questions
Test your understanding
Look at the Process Table. What is the value of 'password' after step 3?
A. Encrypted data
B. None
C. MySecret123
D. Error
💡 Hint: Check the 'password (runtime)' row in the Status Tracker after step 3.
At which step does Airflow decrypt the secret variable?
A. Step 4
B. Step 1
C. Step 2
D. Step 5
💡 Hint: Look at the 'Action' column in the Process Table where decryption happens.
If we set encrypt=False when storing, how would the stored value change in the Process Table?
A. Value stored would be encrypted
B. Value stored would be plain text
C. Value would not be stored
D. Value would be deleted
💡 Hint: Refer to the Key Moments explanation of the encrypt=False effect.
Concept Snapshot
Airflow Variable Encryption:
- Use Variable.set(key, value, encrypt=True) to store secrets encrypted.
- Encrypted secrets saved in metadata DB.
- Variable.get(key) automatically decrypts secrets at runtime.
- Keeps secrets safe at rest and usable in DAGs.
- Avoid storing secrets without encryption.
Full Transcript
This visual execution shows how Airflow handles secret variables securely. First, when you set a variable with encrypt=True, Airflow encrypts the value before saving it in the metadata database. This protects the secret from being stored in plain text. Later, when you get the variable, Airflow retrieves the encrypted value and decrypts it automatically so your DAG or task can use the secret in plain text. The execution table traces each step from setting to using the secret, and the variable tracker shows how the stored and runtime variables change. Key moments clarify why encryption happens at storage and decryption at retrieval, and what happens if encryption is not used. The quiz tests understanding of these steps. This process ensures your secrets are safe at rest but accessible when needed.