# Rotating Infrastructure Secrets

{% hint style="warning" %}
This guide is written with the assumption that you're comfortable with the concepts from the [Native Linux Installation Guide](/infrastructure/install-guides/install-on-linux.md). Examples below assume an environment that matches the examples in the linked guide; if your environment differs, some commands may not work as written.
{% endhint %}

The GRAX Application requires several secret values specified in the environment (normally sourced from `.env`). These include a valid Postgres connection string, an administrator password, and a key base for encryption of the DB-based Secrets Store used for SFDC and storage connection secrets (`SECRET_STORE_BASE`). Rotation of secrets is mostly external to the GRAX Application, with one exception.

## Rotating Database Connection String or Administrator Password

To manually rotate the connection string used to connect to the Postgres database cluster, perform the following steps:

1. Stop the GRAX services

   ```bash
   $ systemctl disable grax.service; systemctl stop grax.service;
   ```
2. Update the configuration source/file with your editor of choice:

   ```bash
   $ vim .env

   [change the intended key's value to the new value and save the file]
   ```
3. Start the GRAX services

   ```bash
   $ systemctl enable grax.service; systemctl start grax.service;
   ```

If you want to automate this procedure, the automation must preserve or recreate the other necessary values in the configuration.

## Rotating SECRET\_STORE\_BASE

The SECRET\_STORE\_BASE is used to encrypt the SFDC and Storage secrets in the database. Changing this value between reboots without proper care results in these secrets being irrecoverable and the GRAX Application being unable to start properly; a manual reset of configuration information in the database is the only recovery option. If this issue occurs, please contact [GRAX Support](/support/get-support.md) for assistance clearing the configuration.

To properly rotate this value, perform the following steps:

1. Stop the GRAX services

   ```bash
   $ systemctl disable grax.service; systemctl stop grax.service;
   ```
2. Update the `SECRET_STORE_BASE` to the new value with your editor of choice
3. Update the `SECRET_STORE_BASE_PREV` to the previous value with your editor of choice
4. Start the GRAX services

   ```bash
   $ systemctl enable grax.service; systemctl start grax.service;
   ```

At this point, the GRAX Application reads the configuration secrets with the old key and writes them with the new key on first boot. It is not necessary to remove the `SECRET_STORE_BASE_PREV` value from the configuration file. If you want to remove the old value, you can do so after the GRAX Application has been started successfully for two minutes: stop the services, update the `.env`, and start the services again.
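The `.env` edit from steps 2 and 3 can be scripted so that every other value is preserved, as the automation note in the previous section requires. This is an added example, not GRAX tooling: the function names are hypothetical and it assumes `.env` holds plain `KEY=value` lines.

```bash
#!/usr/bin/env bash
# Added example, not GRAX tooling. Assumes .env holds plain KEY=value lines.

# rotate_secret_store_base ENV_FILE NEW_VALUE  (hypothetical helper)
# Moves the current SECRET_STORE_BASE into SECRET_STORE_BASE_PREV, writes the
# new value, and copies every other line through unchanged.
rotate_secret_store_base() {
  local env_file="$1" new_value="$2" old_value tmp
  [ -f "$env_file" ] || { echo "missing $env_file" >&2; return 1; }
  [ -n "$new_value" ] || { echo "new value is empty" >&2; return 1; }

  # Without a current key there is nothing valid to store as PREV.
  old_value=$(sed -n 's/^SECRET_STORE_BASE=//p' "$env_file" | tail -n 1)
  [ -n "$old_value" ] || { echo "SECRET_STORE_BASE not set" >&2; return 1; }
  # Re-running with the same value would overwrite PREV with the new key and
  # drop the key the stored secrets may still be encrypted with.
  [ "$old_value" != "$new_value" ] || { echo "value unchanged" >&2; return 1; }

  # Write beside the original (mktemp creates it mode 0600) and rename, so a
  # failure never leaves a half-written .env behind.
  tmp=$(mktemp "${env_file}.XXXXXX") || return 1
  {
    grep -v -E '^SECRET_STORE_BASE(_PREV)?=' "$env_file" || true
    printf 'SECRET_STORE_BASE=%s\n' "$new_value"
    printf 'SECRET_STORE_BASE_PREV=%s\n' "$old_value"
  } > "$tmp" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$env_file"
}

# The full procedure from the steps above, with the services stopped while
# .env changes. On failure .env is untouched, so starting again is safe.
rotate_with_restart() {
  local rc=0
  systemctl disable grax.service; systemctl stop grax.service
  rotate_secret_store_base "$1" "$2" || rc=$?
  systemctl enable grax.service; systemctl start grax.service
  return "$rc"
}
```

The rewritten file is owned by the invoking user with mode 0600; restore ownership afterwards if the GRAX service reads `.env` as a different user.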


