Keep Octopus Masterkey safe


How do you keep the master key safe from developers who has server access?
Is there away to monitor the master key and the DPAPI key?

Hi @mattias.westlund,

Thanks for getting in touch with us.

To launch the Octopus Manager Server application on the Server you must be an administrator as the User Account Control is shown when you launch it. Like the below:


If someone has RDP access, but not administrator access or access to launch Octopus, then the Master Key is safe. It is in the OctopusServer.config but this is in an encrypted format and you wouldn’t be able to use this to reverse engineer the Master Key.

Generally, as a recommendation though, we advise not to give RDP access to a server that contains Octopus without the user being an administrator.

I expect there would be a way to monitor for Master Key usage but it’s not something we can do, and it would need to be some security scanning tool similar to gitrob` or similar.

Please let me know if you have any questions,

All the best,


This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.