Rotate key files in Workbench images
How to remediate Docker container images and cloud marketplace virtual machine (VM) images that shipped with default key files.
Description
Certain Posit Workbench Docker container images and cloud marketplace VM images include default key files that should be unique per deployment. This article describes how to rotate or remove them.
Which approach should I use?
| Deployment | Load-balanced? | Encrypted config? | Recommended action |
|---|---|---|---|
| Docker | No | No | Upgrade image |
| Docker | Yes | — | Rotate keys manually |
| Docker | — | Yes | Rotate keys manually |
| Docker | No | — | If you cannot upgrade the image, remove the default key files |
| Marketplace VM | No | No | Migrate to the latest marketplace image |
| Marketplace VM | — | Yes | Rotate keys manually |
Solution
Upgrade to the latest Docker image
The simplest remediation is to pull and run the latest patched image. Workbench generates unique key files on first startup.
Rotate key files manually
This approach applies to any deployment (Docker or VM) that uses load balancing or encrypted configuration values. Even if you upgrade your image to the latest patch version, you must follow these steps to rotate keys and re-encrypt configuration values.
Prerequisites
Before you begin:
- Rotating the `secure-cookie-key` invalidates all existing secure cookies; all users will need to sign in again. See Secure cookies.
- In a load-balanced cluster, all nodes must use the same keys. See Secure cookies.
- If you use the `secure-cookie-key` to encrypt configuration values (e.g., database password, OpenID client secret), you must re-encrypt those values after rotation. See Encryption versions.
If you are running Docker containers, also follow the steps under Remove the default key files so that the other auto-generated key files (for example, the session RPC key) are regenerated on the next startup. Then stop Workbench on all nodes.
Generate new keys
On one node, generate new keys:
```sh
# Generate a new secure-cookie-key (-r asks uuidgen for a random UUID).
# /etc/rstudio is root-owned, so write through sudo rather than a plain redirect.
uuidgen -r | tr -d '-' | sudo tee /etc/rstudio/secure-cookie-key > /dev/null
sudo chmod 0600 /etc/rstudio/secure-cookie-key

# Generate a new Launcher key pair
sudo openssl genpkey -algorithm RSA -out /etc/rstudio/launcher.pem -pkeyopt rsa_keygen_bits:2048
sudo openssl rsa -in /etc/rstudio/launcher.pem -pubout -out /etc/rstudio/launcher.pub
sudo chmod 0600 /etc/rstudio/launcher.pem
```
Propagate keys to all nodes
Copy the generated key files to all load-balanced hosts at the same file paths. Ensure permissions are 0600 and owned by the appropriate service user or root. See Key file requirements.
Re-encrypt configuration values
If you have encrypted configuration values (e.g., database password, OpenID client secret), re-encrypt them with the new key.
Encrypt the password:
```sh
# Inside a Docker container: mount the new key and run the encrypt command in a throwaway container
docker run \
  -v /etc/rstudio/secure-cookie-key:/etc/rstudio/secure-cookie-key \
  -it rstudio-workbench:<version> \
  rstudio-server encrypt-password

# On a VM (the key file is 0600 and root-owned, so run as root)
sudo rstudio-server encrypt-password
```
Replace the old encrypted values in the relevant config files with the new output. See Encryption versions.
In a load-balanced setup, copy the updated config files to all other nodes rather than re-running `encrypt-password` on each. See Encryption versions.
Restart with new keys
For Docker deployments, start Workbench on each node, mounting the key files at runtime:
```sh
docker run \
  -v /etc/rstudio/secure-cookie-key:/etc/rstudio/secure-cookie-key \
  -v /etc/rstudio/launcher.pub:/etc/rstudio/launcher.pub \
  -v /etc/rstudio/launcher.pem:/etc/rstudio/launcher.pem \
  rstudio-workbench:<version>
```
For VM deployments, restart the rstudio-server service instead.
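Before restarting, it is worth confirming that the rotation actually produced what the steps above require: a non-empty secure-cookie-key and launcher.pem with mode 0600, a launcher.pub that is the public half of the new launcher.pem, and identical key material on every node. The following check script is an added example, not part of the Posit article or the Workbench product. It assumes GNU coreutils (`stat -c`, `sha256sum`) and the `openssl` CLI, and it defaults to the `/etc/rstudio` paths used above; the function and script names are illustrative.

```sh
#!/bin/sh
# Added example (not from the Posit article): sanity-check rotated Workbench
# key files on a node before restarting the service.
# Assumes GNU coreutils (stat -c, sha256sum) and the openssl CLI.

# check_key_file FILE
# Succeeds only if FILE exists, is non-empty, and has mode 0600.
check_key_file() {
  f=$1
  if [ ! -s "$f" ]; then
    echo "FAIL: $f is missing or empty" >&2
    return 1
  fi
  mode=$(stat -c '%a' "$f")
  if [ "$mode" != "600" ]; then
    echo "FAIL: $f has mode $mode, expected 600" >&2
    return 1
  fi
  return 0
}

# key_fingerprint FILE
# Prints the SHA-256 of FILE. Run it on every node of a load-balanced cluster:
# the values must be identical, because all nodes must share the same keys.
key_fingerprint() {
  sha256sum "$1" | cut -d ' ' -f 1
}

# keypair_matches PEM PUB
# Succeeds if PUB is the public half of the RSA private key in PEM. This catches
# a launcher.pub that was left over from the old key when launcher.pem was rotated.
keypair_matches() {
  openssl rsa -in "$1" -pubout 2>/dev/null | cmp -s - "$2"
}

# run_checks [DIR]
# Runs every check against the key files in DIR (default /etc/rstudio).
# Returns 0 only if all checks pass.
run_checks() {
  dir=${1:-/etc/rstudio}
  rc=0
  check_key_file "$dir/secure-cookie-key" || rc=1
  check_key_file "$dir/launcher.pem" || rc=1
  # The public key is not secret; only require that it exists and is non-empty.
  if [ ! -s "$dir/launcher.pub" ]; then
    echo "FAIL: $dir/launcher.pub is missing or empty" >&2
    rc=1
  fi
  if [ -s "$dir/launcher.pem" ] && [ -s "$dir/launcher.pub" ]; then
    if ! keypair_matches "$dir/launcher.pem" "$dir/launcher.pub"; then
      echo "FAIL: $dir/launcher.pub does not match $dir/launcher.pem" >&2
      rc=1
    fi
  fi
  if [ "$rc" -eq 0 ]; then
    echo "OK: key files look sane; secure-cookie-key fingerprint:" \
         "$(key_fingerprint "$dir/secure-cookie-key")"
  fi
  return "$rc"
}

# Usage: sudo sh check-keys.sh /etc/rstudio
# The checks run only when an absolute directory is passed, so sourcing this
# file just for its functions has no side effects.
case "${1:-}" in
  /*) run_checks "$1" ;;
esac
```

Run it as root on each node (the 0600 files are not readable otherwise) and compare the printed fingerprints across nodes; a mismatch means a node is still on the old key and will reject cookies issued by its peers.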
Remove the default key files
This approach applies to a single Docker container that does not use load balancing or encrypted configuration values (e.g., database password, OpenID client secret). Workbench regenerates unique keys on the next startup.
Stop the container:
```sh
docker stop <container_name_or_id>
```
Remove the key files from the image:
```sh
# Start a container from the image
docker run -it --name temp-container rstudio-workbench:<version> /bin/sh

# Inside the container, delete the default key files
rm -f \
  /etc/rstudio/launcher.pem \
  /etc/rstudio/launcher.pub \
  /var/lib/rstudio-server/secure-cookie-key \
  /var/lib/rstudio-server/session-rpc-key

# Exit the container
exit

# Commit the changes to a new image (or overwrite the tag)
docker commit temp-container rstudio-workbench:<version>

# Clean up
docker rm temp-container
```
This modified image only exists in your local Docker image cache. If it is deleted, the next pull retrieves the old, vulnerable image. For this reason, upgrading to the latest patch release is preferred; these steps are a temporary workaround for those unable to upgrade immediately.
Restart the container:
```sh
docker run rstudio-workbench:<version>
```
If you're still having issues, you can reach out to Support by opening a ticket.