How exactly does salt rotation work? What is the format?

I’m working on an automated deployment script for Mattermost installations, and want to make sure that each installation has its own salt values.

From what docs/comments I’ve found, the salt is just a 32-char string? In the system console you can regenerate the salt at-will, but what happens if the salt is updated in the config.json between restarts? Is Mattermost able to handle this, or does it do extra work when regenerated via the console?

And all this is also true for the SQL encryption key? How are the previously-encrypted values accessed?


It’s just a randomly generated 32 chars and most if all the salts can be changed on the fly. The only one that should be generated once and never changed is AtRestEncryptKey since it’s used as a bi-di encrypt key. Currently AtRestEncryptKey isn’t used in the product, but it may be used in the future.


It looks like the System Console allows you to regenerate the AtRestEncryptKey with a mysterious "if you do this then some DB columns will return empty" warning message. Should the feature be disable entirely until it’s working? And/or the warning message made more clear about what exactly the impact will be?