Security Configuration

Ensure your GPT-Load deployment is secure and reliable by following security best practices.

Security Overview

GPT-Load provides multi-layer security protection mechanisms, including authentication, data encryption, access control, and more. Properly configuring these security settings is crucial for protecting your AI services.

AUTH_KEY Authentication Key

AUTH_KEY is the authentication key for accessing the GPT-Load admin interface. It must be set to a strong password to protect your system.

We recommend a random key of at least 32 characters that contains uppercase and lowercase letters, numbers, and special characters. Avoid common words and simple patterns.

Generate Secure Key

Use the following command to generate a strong random key. The tr step removes the base64 symbols =, + and /, so the result is cut to 32 letters and digits:

openssl rand -base64 32 | tr -d "=+/" | cut -c1-32

ENCRYPTION_KEY Data Encryption

ENCRYPTION_KEY is used to encrypt sensitive data (such as API keys) in storage. Enabling encryption prevents keys from being directly obtained if the database is compromised.

Benefits of Enabling Encryption

  • API keys are encrypted in the database and are unusable even if the database is leaked
  • Meets enterprise security compliance requirements
  • Supports key rotation and re-encryption
  • Transparent encryption/decryption with zero performance impact

Data Encryption Migration Steps

1. Stop Service

The GPT-Load service must be stopped before migration.

docker compose down

2. Backup Data

You must back up the database! Perform the backup according to the database type you use (SQLite, MySQL, PostgreSQL) to avoid data loss from operational errors.

3. Execute Migration Command

Choose the appropriate command for your deployment method (see Migration Commands for Different Deployments below).

4. Update Configuration

Set ENCRYPTION_KEY in the .env file:

echo "ENCRYPTION_KEY=your-32-char-secret-key" >> .env

5. Restart Service

Start the service and verify that encryption works:

docker compose up -d

Migration Commands for Different Deployments

Docker Compose Deployment

For users deploying with Docker Compose

Enable encryption:

docker compose run --rm gpt-load migrate-keys --to "your-32-char-secret-key"

Disable encryption:

docker compose run --rm gpt-load migrate-keys --from "your-current-key"

Change key:

docker compose run --rm gpt-load migrate-keys --from "old-key" --to "new-key"

Source Deployment (Make)

For users building from source

Enable encryption:

make migrate-keys ARGS="--to your-32-char-secret-key"

Disable encryption:

make migrate-keys ARGS="--from your-current-key"

Change key:

make migrate-keys ARGS="--from old-key --to new-key"

Binary Deployment

For users running compiled binaries

Enable encryption:

./gpt-load migrate-keys --to "your-32-char-secret-key"

Disable encryption:

./gpt-load migrate-keys --from "your-current-key"

Change key:

./gpt-load migrate-keys --from "old-key" --to "new-key"

⚠️ CRITICAL SECURITY WARNING

If ENCRYPTION_KEY is lost, all encrypted API key data will be permanently unrecoverable!

  • ⚠️ All stored API keys will become unusable
  • ⚠️ The system will be completely non-functional
  • ⚠️ Encrypted data cannot be recovered, even with database backups
  • ⚠️ All API keys must be re-added manually
  • ⚠️ May cause service interruption and business losses

🔑 You MUST save ENCRYPTION_KEY in multiple secure locations and regularly verify backup validity!

Important Reminders

  • The service must be stopped before migration to avoid data inconsistency
  • Back up the database in case the migration fails
  • Ensure ENCRYPTION_KEY matches the key used in the migration command
  • Encrypted data cannot be recovered if the key is lost
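
As an added example (not part of GPT-Load or its documentation), the shell function below audits the .env file written in step 4 before the service is restarted: file permissions, key length against the 32-character recommendation, placeholder values left over from the commands above, and duplicate definitions left behind by appending with >> .env. It assumes AUTH_KEY is also kept in .env and that the last definition of a variable is the one to check; check_env, env_values, finding and demo are hypothetical names, and the sample keys are constructed.

```shell
#!/bin/sh
# Audit a GPT-Load .env before restarting the service (migration step 5).
# Prints one line per finding; the return status is the number of findings.

# Placeholder values that appear in the commands on this page.
PLACEHOLDERS="your-32-char-secret-key your-current-key old-key new-key"

# env_values FILE NAME: print every value assigned to NAME, one per line.
env_values() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | sed 's/^"\(.*\)"$/\1/'
}

finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

check_env() {
    file=$1; findings=0
    if [ ! -r "$file" ]; then finding "cannot read $file"; return 1; fi
    # The file holds both secrets, so group and others should have no read bit.
    case $(ls -ld "$file" | cut -c5-10) in
        *r*) finding "$file is readable by group or others" ;;
    esac
    for name in AUTH_KEY ENCRYPTION_KEY; do
        count=$(env_values "$file" "$name" | wc -l | tr -d ' ')
        if [ "$count" -eq 0 ]; then
            # Encryption is optional; an unset AUTH_KEY is always a finding.
            if [ "$name" = AUTH_KEY ]; then finding "$name is not set"; fi
            continue
        fi
        # 'echo ... >> .env' appends, so a key change can leave the old line behind.
        if [ "$count" -gt 1 ]; then finding "$name is defined $count times"; fi
        # Assumption: the last definition is the one to check.
        value=$(env_values "$file" "$name" | tail -n 1)
        if [ "${#value}" -lt 32 ]; then finding "$name is shorter than 32 characters"; fi
        for p in $PLACEHOLDERS; do
            if [ "$value" = "$p" ]; then finding "$name is a documentation placeholder"; fi
        done
    done
    return "$findings"
}

# Constructed sample: step 4 was run twice, the second time with the placeholder.
demo() {
    dir=$(mktemp -d) && env_file="$dir/.env"
    ( umask 077; echo "AUTH_KEY=k3Vq8ZpL1xTn6RbW0yHc4MdS9uJf2GaE" > "$env_file" )
    echo 'ENCRYPTION_KEY=Qw7Er2Ty9Ui4Op1As6Df3Gh8Jk5Lz0Xc' >> "$env_file"
    echo 'ENCRYPTION_KEY=your-32-char-secret-key' >> "$env_file"
    check_env "$env_file"; rc=$?; rm -rf "$dir"; return "$rc"
}
```

Call check_env with the path to the real .env; a non-zero status means at least one finding was printed.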

Security Best Practices

Regular Key Rotation

We recommend changing AUTH_KEY every 3-6 months to ensure system security.

Use Environment Variables

Avoid hardcoding keys in code or config files; use environment variables to manage them.

Enable HTTPS

Production environments must use HTTPS to prevent man-in-the-middle attacks.

Restrict Access IPs

Limit which IP addresses can reach the admin interface through a firewall or reverse proxy.

Monitor Abnormal Logins

Regularly review login logs to detect abnormal access promptly.

Backup Encryption Keys

Securely back up ENCRYPTION_KEY to avoid data loss from a lost key.
