Merge branch 'ado-release'

fix(services): show task actions (#6534 )
2022-02-08 20:12:28 +00:00 · 2022-02-09 09:03:47 +13:00 · 2022-02-03 01:11:15 +00:00 · 2022-02-02 20:35:49 -03:00 · 2022-02-02 13:42:19 +13:00 · 2022-02-02 12:32:33 +13:00
476 changed files with 13460 additions and 10292 deletions
--- a/.env.defaults
+++ b/.env.defaults
@@ -0,0 +1 @@
+PORTAINER_EDITION=CE
--- a/.eslintrc.yml
+++ b/.eslintrc.yml
@@ -99,3 +99,7 @@ overrides:
      'jest/globals': true
    rules:
      'react/jsx-no-constructed-context-values': off
+  - files:
+      - app/**/*.stories.*
+    rules:
+      'no-alert': off
--- a/.git-blame-ignore-revs
+++ b/.git-blame-ignore-revs
@@ -0,0 +1,4 @@
+# prettier
+cf5056d9c03b62d91a25c3b9127caac838695f98
+
+# prettier v2 (put here after fix/EE-2344/fix-eslint-issues is merged)
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,41 @@
+name: Lint
+
+on:
+  push:
+    branches:
+      - master
+      - develop
+      - release/*
+  pull_request:
+    branches:
+      - master
+      - develop
+      - release/*
+
+jobs:
+  run-linters:
+    name: Run linters
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out Git repository
+        uses: actions/checkout@v2
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v1
+        with:
+          node-version: 12
+
+      # ESLint and Prettier must be in `package.json`
+      - name: Install Node.js dependencies
+        run: yarn
+
+      - name: Run linters
+        uses: wearerequired/lint-action@v1
+        with:
+          eslint: true
+          eslint_extensions: ts,tsx,js,jsx
+          prettier: true
+          prettier_dir: app/
+          gofmt: true
+          gofmt_dir: api/
--- a/.github/workflows/test-client.yaml
+++ b/.github/workflows/test-client.yaml
@@ -0,0 +1,11 @@
+name: Test Frontend
+on: push
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install modules
+        run: yarn
+      - name: Run tests
+        run: yarn test:client
--- a/.prettierrc
+++ b/.prettierrc
@@ -4,21 +4,16 @@
  "htmlWhitespaceSensitivity": "strict",
  "overrides": [
    {
-      "files": [
-        "*.html"
-      ],
+      "files": ["*.html"],
      "options": {
        "parser": "angular"
      }
    },
    {
-      "files": [
-        "*.{j,t}sx",
-        "*.ts"
-      ],
+      "files": ["*.{j,t}sx", "*.ts"],
      "options": {
        "printWidth": 80
      }
    }
  ]
-}
+}
--- a/.vscode.example/settings.json
+++ b/.vscode.example/settings.json
@@ -1,4 +1,5 @@
 {
  "go.lintTool": "golangci-lint",
-  "go.lintFlags": ["--fast", "-E", "exportloopref"]
+  "go.lintFlags": ["--fast", "-E", "exportloopref"],
+  "gitlens.advanced.blame.customArguments": ["–ignore-revs-file", ".git-blame-ignore-revs"]
 }
--- a/api/backup/backup.go
+++ b/api/backup/backup.go
@@ -80,7 +80,8 @@ func CreateBackupArchive(password string, gate *offlinegate.OfflineGate, datasto
 }

 func backupDb(backupDirPath string, datastore dataservices.DataStore) error {
-	backupWriter, err := os.Create(filepath.Join(backupDirPath, "portainer.db"))
+	dbFileName := datastore.Connection().GetDatabaseFileName()
+	backupWriter, err := os.Create(filepath.Join(backupDirPath, dbFileName))
 	if err != nil {
 		return err
 	}
--- a/api/backup/restore.go
+++ b/api/backup/restore.go
@@ -10,12 +10,13 @@ import (
 	"github.com/pkg/errors"
 	"github.com/portainer/portainer/api/archive"
 	"github.com/portainer/portainer/api/crypto"
+	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/filesystem"
 	"github.com/portainer/portainer/api/http/offlinegate"
 )

-var filesToRestore = append(filesToBackup, "portainer.db")
+var filesToRestore = filesToBackup

 // Restores system state from backup archive, will trigger system shutdown, when finished.
 func RestoreArchive(archive io.Reader, password string, filestorePath string, gate *offlinegate.OfflineGate, datastore dataservices.DataStore, shutdownTrigger context.CancelFunc) error {
@@ -65,5 +66,20 @@ func restoreFiles(srcDir string, destinationDir string) error {
 			return err
 		}
 	}
-	return nil
+
+	// TODO:  This is very boltdb module specific once again due to the filename.  Move to bolt module? Refactor for another day
+
+	// Prevent the possibility of having both databases.  Remove any default new instance
+	os.Remove(filepath.Join(destinationDir, boltdb.DatabaseFileName))
+	os.Remove(filepath.Join(destinationDir, boltdb.EncryptedDatabaseFileName))
+
+	// Now copy the database.  It'll be either portainer.db or portainer.edb
+
+	// Note: CopyPath does not return an error if the source file doesn't exist
+	err := filesystem.CopyPath(filepath.Join(srcDir, boltdb.EncryptedDatabaseFileName), destinationDir)
+	if err != nil {
+		return err
+	}
+
+	return filesystem.CopyPath(filepath.Join(srcDir, boltdb.DatabaseFileName), destinationDir)
 }
--- a/api/cli/cli.go
+++ b/api/cli/cli.go
@@ -50,13 +50,17 @@ func (*Service) ParseFlags(version string) (*portainer.CLIFlags, error) {
 		SSLCert:                   kingpin.Flag("sslcert", "Path to the SSL certificate used to secure the Portainer instance").String(),
 		SSLKey:                    kingpin.Flag("sslkey", "Path to the SSL key used to secure the Portainer instance").String(),
 		Rollback:                  kingpin.Flag("rollback", "Rollback the database store to the previous version").Bool(),
-		SnapshotInterval:          kingpin.Flag("snapshot-interval", "Duration between each environment snapshot job").Default(defaultSnapshotInterval).String(),
+		SnapshotInterval:          kingpin.Flag("snapshot-interval", "Duration between each environment snapshot job").String(),
 		AdminPassword:             kingpin.Flag("admin-password", "Hashed admin password").String(),
 		AdminPasswordFile:         kingpin.Flag("admin-password-file", "Path to the file containing the password for the admin user").String(),
 		Labels:                    pairs(kingpin.Flag("hide-label", "Hide containers with a specific label in the UI").Short('l')),
 		Logo:                      kingpin.Flag("logo", "URL for the logo displayed in the UI").String(),
 		Templates:                 kingpin.Flag("templates", "URL to the templates definitions.").Short('t').String(),
 		BaseURL:                   kingpin.Flag("base-url", "Base URL parameter such as portainer if running portainer as http://yourdomain.com/portainer/.").Short('b').Default(defaultBaseURL).String(),
+		InitialMmapSize:           kingpin.Flag("initial-mmap-size", "Initial mmap size of the database in bytes").Int(),
+		MaxBatchSize:              kingpin.Flag("max-batch-size", "Maximum size of a batch").Int(),
+		MaxBatchDelay:             kingpin.Flag("max-batch-delay", "Maximum delay before a batch starts").Duration(),
+		SecretKeyName:             kingpin.Flag("secret-key-name", "Secret key name for encryption and will be used as /run/secrets/<secret-key-name>.").Default(defaultSecretKeyName).String(),
 	}

 	kingpin.Parse()
@@ -125,7 +129,7 @@ func validateEndpointURL(endpointURL string) error {
 }

 func validateSnapshotInterval(snapshotInterval string) error {
-	if snapshotInterval != defaultSnapshotInterval {
+	if snapshotInterval != "" {
 		_, err := time.ParseDuration(snapshotInterval)
 		if err != nil {
 			return errInvalidSnapshotInterval
--- a/api/cli/defaults.go
+++ b/api/cli/defaults.go
@@ -20,6 +20,6 @@ const (
 	defaultSSL                 = "false"
 	defaultSSLCertPath         = "/certs/portainer.crt"
 	defaultSSLKeyPath          = "/certs/portainer.key"
-	defaultSnapshotInterval    = "5m"
 	defaultBaseURL             = "/"
+	defaultSecretKeyName       = "portainer"
 )
--- a/api/cli/defaults_windows.go
+++ b/api/cli/defaults_windows.go
@@ -19,4 +19,5 @@ const (
 	defaultSSLKeyPath          = "C:\\certs\\portainer.key"
 	defaultSnapshotInterval    = "5m"
 	defaultBaseURL             = "/"
+	defaultSecretKeyName       = "portainer"
 )
--- a/api/cmd/portainer/import.go
+++ b/api/cmd/portainer/import.go
@@ -13,7 +13,7 @@ func importFromJson(fileService portainer.FileService, store *datastore.Store) {
 	importFile := "/data/import.json"
 	if exists, _ := fileService.FileExists(importFile); exists {
 		if err := store.Import(importFile); err != nil {
-			logrus.WithError(err).Debugf("import %s failed", importFile)
+			logrus.WithError(err).Debugf("Import %s failed", importFile)

 			// TODO: should really rollback on failure, but then we have nothing.
 		} else {
@@ -23,7 +23,7 @@ func importFromJson(fileService portainer.FileService, store *datastore.Store) {
 		// I also suspect that everything from "Init to Init" is potentially a migration
 		err := store.Init()
 		if err != nil {
-			log.Fatalf("failed initializing data store: %v", err)
+			log.Fatalf("Failed initializing data store: %v", err)
 		}
 	}
 }
--- a/api/cmd/portainer/log.go
+++ b/api/cmd/portainer/log.go
@@ -1,18 +1,41 @@
 package main

 import (
+	"fmt"
 	"log"
+	"strings"

 	"github.com/sirupsen/logrus"
 )

+type portainerFormatter struct {
+	logrus.TextFormatter
+}
+
+func (f *portainerFormatter) Format(entry *logrus.Entry) ([]byte, error) {
+	var levelColor int
+	switch entry.Level {
+	case logrus.DebugLevel, logrus.TraceLevel:
+		levelColor = 31 // gray
+	case logrus.WarnLevel:
+		levelColor = 33 // yellow
+	case logrus.ErrorLevel, logrus.FatalLevel, logrus.PanicLevel:
+		levelColor = 31 // red
+	default:
+		levelColor = 36 // blue
+	}
+	return []byte(fmt.Sprintf("\x1b[%dm%s\x1b[0m %s %s\n", levelColor, strings.ToUpper(entry.Level.String()), entry.Time.Format(f.TimestampFormat), entry.Message)), nil
+}
+
 func configureLogger() {
 	logger := logrus.New() // logger is to implicitly substitute stdlib's log
 	log.SetOutput(logger.Writer())

 	formatter := &logrus.TextFormatter{DisableTimestamp: true, DisableLevelTruncation: true}
+	formatterLogrus := &portainerFormatter{logrus.TextFormatter{DisableTimestamp: false, DisableLevelTruncation: true, TimestampFormat: "2006/01/02 15:04:05", FullTimestamp: true}}
+
 	logger.SetFormatter(formatter)
-	logrus.SetFormatter(formatter)
+	logrus.SetFormatter(formatterLogrus)

 	logger.SetLevel(logrus.DebugLevel)
 	logrus.SetLevel(logrus.DebugLevel)
--- a/api/cmd/portainer/main.go
+++ b/api/cmd/portainer/main.go
@@ -2,13 +2,12 @@ package main

 import (
 	"context"
+	"crypto/sha256"
 	"fmt"
-	"log"
 	"os"
 	"path"
 	"strconv"
 	"strings"
-	"time"

 	"github.com/sirupsen/logrus"

@@ -19,6 +18,7 @@ import (
 	"github.com/portainer/portainer/api/cli"
 	"github.com/portainer/portainer/api/crypto"
 	"github.com/portainer/portainer/api/database"
+	"github.com/portainer/portainer/api/database/boltdb"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/datastore"
 	"github.com/portainer/portainer/api/docker"
@@ -47,12 +47,12 @@ func initCLI() *portainer.CLIFlags {
 	var cliService portainer.CLIService = &cli.Service{}
 	flags, err := cliService.ParseFlags(portainer.APIVersion)
 	if err != nil {
-		log.Fatalf("failed parsing flags: %v", err)
+		logrus.Fatalf("Failed parsing flags: %v", err)
 	}

 	err = cliService.ValidateFlags(flags)
 	if err != nil {
-		log.Fatalf("failed validating flags:%v", err)
+		logrus.Fatalf("Failed validating flags:%v", err)
 	}
 	return flags
 }
@@ -60,99 +60,88 @@ func initCLI() *portainer.CLIFlags {
 func initFileService(dataStorePath string) portainer.FileService {
 	fileService, err := filesystem.NewService(dataStorePath, "")
 	if err != nil {
-		log.Fatalf("failed creating file service: %v", err)
+		logrus.Fatalf("Failed creating file service: %v", err)
 	}
 	return fileService
 }

-func initDataStore(flags *portainer.CLIFlags, fileService portainer.FileService, shutdownCtx context.Context) dataservices.DataStore {
-	connection, err := database.NewDatabase("boltdb", *flags.Data)
+func initDataStore(flags *portainer.CLIFlags, secretKey []byte, fileService portainer.FileService, shutdownCtx context.Context) dataservices.DataStore {
+	connection, err := database.NewDatabase("boltdb", *flags.Data, secretKey)
 	if err != nil {
-		panic(err)
+		logrus.Fatalf("failed creating database connection: %s", err)
 	}
+
+	if bconn, ok := connection.(*boltdb.DbConnection); ok {
+		bconn.MaxBatchSize = *flags.MaxBatchSize
+		bconn.MaxBatchDelay = *flags.MaxBatchDelay
+		bconn.InitialMmapSize = *flags.InitialMmapSize
+	} else {
+		logrus.Fatalf("failed creating database connection: expecting a boltdb database type but a different one was received")
+	}
+
 	store := datastore.NewStore(*flags.Data, fileService, connection)
 	isNew, err := store.Open()
 	if err != nil {
-		log.Fatalf("failed opening store: %v", err)
+		logrus.Fatalf("Failed opening store: %v", err)
 	}

 	if *flags.Rollback {
 		err := store.Rollback(false)
 		if err != nil {
-			log.Fatalf("failed rolling back: %s", err)
+			logrus.Fatalf("Failed rolling back: %v", err)
 		}

-		log.Println("Exiting rollback")
+		logrus.Println("Exiting rollback")
 		os.Exit(0)
 		return nil
 	}

-	// Init sets some defaults - its basically a migration
+	// Init sets some defaults - it's basically a migration
 	err = store.Init()
 	if err != nil {
-		log.Fatalf("failed initializing data store: %v", err)
+		logrus.Fatalf("Failed initializing data store: %v", err)
 	}

 	if isNew {
 		// from MigrateData
 		store.VersionService.StoreDBVersion(portainer.DBVersion)
-
-		// Disabled for now.  Can't use feature flags due to the way that works
-		// EXPERIMENTAL, will only activate if `/data/import.json` exists
-		//importFromJson(fileService, store)
-
-		err := updateSettingsFromFlags(store, flags)
+	} else {
+		storedVersion, err := store.VersionService.DBVersion()
 		if err != nil {
-			log.Fatalf("failed updating settings from flags: %v", err)
+			logrus.Fatalf("Something Failed during creation of new database: %v", err)
+		}
+		if storedVersion != portainer.DBVersion {
+			err = store.MigrateData()
+			if err != nil {
+				logrus.Fatalf("Failed migration: %v", err)
+			}
 		}
 	}

-	storedVersion, err := store.VersionService.DBVersion()
+	err = updateSettingsFromFlags(store, flags)
 	if err != nil {
-		log.Fatalf("Something failed during creation of new database: %v", err)
-	}
-	if storedVersion != portainer.DBVersion {
-		err = store.MigrateData()
-		if err != nil {
-			log.Fatalf("failed migration: %v", err)
-		}
+		logrus.Fatalf("Failed updating settings from flags: %v", err)
 	}

 	// this is for the db restore functionality - needs more tests.
 	go func() {
 		<-shutdownCtx.Done()
 		defer connection.Close()
-
-		exportFilename := path.Join(*flags.Data, fmt.Sprintf("export-%d.json", time.Now().Unix()))
-
-		err := store.Export(exportFilename)
-		if err != nil {
-			logrus.WithError(err).Debugf("failed to export to %s", exportFilename)
-		} else {
-			logrus.Debugf("exported to %s", exportFilename)
-		}
-		connection.Close()
 	}()
+
 	return store
 }

 func initComposeStackManager(assetsPath string, configPath string, reverseTunnelService portainer.ReverseTunnelService, proxyManager *proxy.Manager) portainer.ComposeStackManager {
 	composeWrapper, err := exec.NewComposeStackManager(assetsPath, configPath, proxyManager)
 	if err != nil {
-		log.Fatalf("failed creating compose manager: %s", err)
+		logrus.Fatalf("Failed creating compose manager: %v", err)
 	}

 	return composeWrapper
 }

-func initSwarmStackManager(
-	assetsPath string,
-	configPath string,
-	signatureService portainer.DigitalSignatureService,
-	fileService portainer.FileService,
-	reverseTunnelService portainer.ReverseTunnelService,
-	dataStore dataservices.DataStore,
-) (portainer.SwarmStackManager, error) {
+func initSwarmStackManager(assetsPath string, configPath string, signatureService portainer.DigitalSignatureService, fileService portainer.FileService, reverseTunnelService portainer.ReverseTunnelService, dataStore dataservices.DataStore) (portainer.SwarmStackManager, error) {
 	return exec.NewSwarmStackManager(assetsPath, configPath, signatureService, fileService, reverseTunnelService, dataStore)
 }

@@ -221,11 +210,11 @@ func initKubernetesClientFactory(signatureService portainer.DigitalSignatureServ
 	return kubecli.NewClientFactory(signatureService, reverseTunnelService, instanceID, dataStore)
 }

-func initSnapshotService(snapshotInterval string, dataStore dataservices.DataStore, dockerClientFactory *docker.ClientFactory, kubernetesClientFactory *kubecli.ClientFactory, shutdownCtx context.Context) (portainer.SnapshotService, error) {
+func initSnapshotService(snapshotIntervalFromFlag string, dataStore dataservices.DataStore, dockerClientFactory *docker.ClientFactory, kubernetesClientFactory *kubecli.ClientFactory, shutdownCtx context.Context) (portainer.SnapshotService, error) {
 	dockerSnapshotter := docker.NewSnapshotter(dockerClientFactory)
 	kubernetesSnapshotter := kubernetes.NewSnapshotter(kubernetesClientFactory)

-	snapshotService, err := snapshot.NewService(snapshotInterval, dataStore, dockerSnapshotter, kubernetesSnapshotter, shutdownCtx)
+	snapshotService, err := snapshot.NewService(snapshotIntervalFromFlag, dataStore, dockerSnapshotter, kubernetesSnapshotter, shutdownCtx)
 	if err != nil {
 		return nil, err
 	}
@@ -246,11 +235,17 @@ func updateSettingsFromFlags(dataStore dataservices.DataStore, flags *portainer.
 		return err
 	}

-	settings.LogoURL = *flags.Logo
-	settings.SnapshotInterval = *flags.SnapshotInterval
-	settings.EnableEdgeComputeFeatures = *flags.EnableEdgeComputeFeatures
-	settings.EnableTelemetry = true
-	settings.OAuthSettings.SSO = true
+	if *flags.SnapshotInterval != "" {
+		settings.SnapshotInterval = *flags.SnapshotInterval
+	}
+
+	if *flags.Logo != "" {
+		settings.LogoURL = *flags.Logo
+	}
+
+	if *flags.EnableEdgeComputeFeatures {
+		settings.EnableEdgeComputeFeatures = *flags.EnableEdgeComputeFeatures
+	}

 	if *flags.Templates != "" {
 		settings.TemplatesURL = *flags.Templates
@@ -272,8 +267,8 @@ func updateSettingsFromFlags(dataStore dataservices.DataStore, flags *portainer.

 	if *flags.HTTPDisabled {
 		sslSettings.HTTPEnabled = false
-	} else {
-		sslSettings.HTTPEnabled = *flags.HTTPEnabled || sslSettings.HTTPEnabled
+	} else if *flags.HTTPEnabled {
+		sslSettings.HTTPEnabled = true
 	}

 	err = dataStore.SSLSettings().UpdateSettings(sslSettings)
@@ -316,9 +311,9 @@ func enableFeaturesFromFlags(dataStore dataservices.DataStore, flags *portainer.
 		}

 		if featureState {
-			log.Printf("Feature %v : on", *correspondingFeature)
+			logrus.Printf("Feature %v : on", *correspondingFeature)
 		} else {
-			log.Printf("Feature %v : off", *correspondingFeature)
+			logrus.Printf("Feature %v : off", *correspondingFeature)
 		}

 		settings.FeatureFlagSettings[*correspondingFeature] = featureState
@@ -347,7 +342,7 @@ func generateAndStoreKeyPair(fileService portainer.FileService, signatureService
 func initKeyPair(fileService portainer.FileService, signatureService portainer.DigitalSignatureService) error {
 	existingKeyPair, err := fileService.KeyPairFilesExist()
 	if err != nil {
-		log.Fatalf("failed checking for existing key pair: %v", err)
+		logrus.Fatalf("Failed checking for existing key pair: %v", err)
 	}

 	if existingKeyPair {
@@ -418,7 +413,7 @@ func createTLSSecuredEndpoint(flags *portainer.CLIFlags, dataStore dataservices.

 	err := snapshotService.SnapshotEndpoint(endpoint)
 	if err != nil {
-		log.Printf("http error: environment snapshot error (environment=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
+		logrus.Printf("http error: environment snapshot error (environment=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
 	}

 	return dataStore.Endpoint().Create(endpoint)
@@ -464,7 +459,7 @@ func createUnsecuredEndpoint(endpointURL string, dataStore dataservices.DataStor

 	err := snapshotService.SnapshotEndpoint(endpoint)
 	if err != nil {
-		log.Printf("http error: environment snapshot error (environment=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
+		logrus.Printf("http error: environment snapshot error (environment=%s, URL=%s) (err=%s)\n", endpoint.Name, endpoint.URL, err)
 	}

 	return dataStore.Endpoint().Create(endpoint)
@@ -481,7 +476,7 @@ func initEndpoint(flags *portainer.CLIFlags, dataStore dataservices.DataStore, s
 	}

 	if len(endpoints) > 0 {
-		log.Println("Instance already has defined environments. Skipping the environment defined via CLI.")
+		logrus.Println("Instance already has defined environments. Skipping the environment defined via CLI.")
 		return nil
 	}

@@ -491,59 +486,80 @@ func initEndpoint(flags *portainer.CLIFlags, dataStore dataservices.DataStore, s
 	return createUnsecuredEndpoint(*flags.EndpointURL, dataStore, snapshotService)
 }

+func loadEncryptionSecretKey(keyfilename string) []byte {
+	content, err := os.ReadFile(path.Join("/run/secrets", keyfilename))
+	if err != nil {
+		if os.IsNotExist(err) {
+			logrus.Printf("Encryption key file `%s` not present", keyfilename)
+		} else {
+			logrus.Printf("Error reading encryption key file: %v", err)
+		}
+
+		return nil
+	}
+
+	// return a 32 byte hash of the secret (required for AES)
+	hash := sha256.Sum256(content)
+	return hash[:]
+}
+
 func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	shutdownCtx, shutdownTrigger := context.WithCancel(context.Background())

 	fileService := initFileService(*flags.Data)
+	encryptionKey := loadEncryptionSecretKey(*flags.SecretKeyName)
+	if encryptionKey == nil {
+		logrus.Println("Proceeding without encryption key")
+	}

-	dataStore := initDataStore(flags, fileService, shutdownCtx)
+	dataStore := initDataStore(flags, encryptionKey, fileService, shutdownCtx)

 	if err := dataStore.CheckCurrentEdition(); err != nil {
-		log.Fatal(err)
+		logrus.Fatal(err)
 	}
 	instanceID, err := dataStore.Version().InstanceID()
 	if err != nil {
-		log.Fatalf("failed getting instance id: %v", err)
+		logrus.Fatalf("Failed getting instance id: %v", err)
 	}

 	apiKeyService := initAPIKeyService(dataStore)

 	settings, err := dataStore.Settings().Settings()
 	if err != nil {
-		log.Fatal(err)
+		logrus.Fatal(err)
 	}
 	jwtService, err := initJWTService(settings.UserSessionTimeout, dataStore)
 	if err != nil {
-		log.Fatalf("failed initializing JWT service: %v", err)
+		logrus.Fatalf("Failed initializing JWT service: %v", err)
 	}

 	err = enableFeaturesFromFlags(dataStore, flags)
 	if err != nil {
-		log.Fatalf("failed enabling feature flag: %v", err)
+		logrus.Fatalf("Failed enabling feature flag: %v", err)
 	}

 	ldapService := initLDAPService()
 	oauthService := initOAuthService()
 	gitService := initGitService()

-	openAMTService := openamt.NewService(dataStore)
+	openAMTService := openamt.NewService()

 	cryptoService := initCryptoService()
 	digitalSignatureService := initDigitalSignatureService()

 	sslService, err := initSSLService(*flags.AddrHTTPS, *flags.Data, *flags.SSLCert, *flags.SSLKey, fileService, dataStore, shutdownTrigger)
 	if err != nil {
-		log.Fatal(err)
+		logrus.Fatal(err)
 	}

 	sslSettings, err := sslService.GetSSLSettings()
 	if err != nil {
-		log.Fatalf("failed to get ssl settings: %s", err)
+		logrus.Fatalf("Failed to get ssl settings: %s", err)
 	}

 	err = initKeyPair(fileService, digitalSignatureService)
 	if err != nil {
-		log.Fatalf("failed initializing key pair: %v", err)
+		logrus.Fatalf("Failed initializing key pair: %v", err)
 	}

 	reverseTunnelService := chisel.NewService(dataStore, shutdownCtx)
@@ -553,7 +569,7 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	snapshotService, err := initSnapshotService(*flags.SnapshotInterval, dataStore, dockerClientFactory, kubernetesClientFactory, shutdownCtx)
 	if err != nil {
-		log.Fatalf("failed initializing snapshot service: %v", err)
+		logrus.Fatalf("Failed initializing snapshot service: %v", err)
 	}
 	snapshotService.Start()

@@ -574,37 +590,37 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {

 	swarmStackManager, err := initSwarmStackManager(*flags.Assets, dockerConfigPath, digitalSignatureService, fileService, reverseTunnelService, dataStore)
 	if err != nil {
-		log.Fatalf("failed initializing swarm stack manager: %s", err)
+		logrus.Fatalf("Failed initializing swarm stack manager: %v", err)
 	}

 	kubernetesDeployer := initKubernetesDeployer(kubernetesTokenCacheManager, kubernetesClientFactory, dataStore, reverseTunnelService, digitalSignatureService, proxyManager, *flags.Assets)

 	helmPackageManager, err := initHelmPackageManager(*flags.Assets)
 	if err != nil {
-		log.Fatalf("failed initializing helm package manager: %s", err)
+		logrus.Fatalf("Failed initializing helm package manager: %v", err)
 	}

 	err = edge.LoadEdgeJobs(dataStore, reverseTunnelService)
 	if err != nil {
-		log.Fatalf("failed loading edge jobs from database: %v", err)
+		logrus.Fatalf("Failed loading edge jobs from database: %v", err)
 	}

 	applicationStatus := initStatus(instanceID)

 	err = initEndpoint(flags, dataStore, snapshotService)
 	if err != nil {
-		log.Fatalf("failed initializing environment: %v", err)
+		logrus.Fatalf("Failed initializing environment: %v", err)
 	}

 	adminPasswordHash := ""
 	if *flags.AdminPasswordFile != "" {
 		content, err := fileService.GetFileContent(*flags.AdminPasswordFile, "")
 		if err != nil {
-			log.Fatalf("failed getting admin password file: %v", err)
+			logrus.Fatalf("Failed getting admin password file: %v", err)
 		}
 		adminPasswordHash, err = cryptoService.Hash(strings.TrimSuffix(string(content), "\n"))
 		if err != nil {
-			log.Fatalf("failed hashing admin password: %v", err)
+			logrus.Fatalf("Failed hashing admin password: %v", err)
 		}
 	} else if *flags.AdminPassword != "" {
 		adminPasswordHash = *flags.AdminPassword
@@ -613,11 +629,11 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 	if adminPasswordHash != "" {
 		users, err := dataStore.User().UsersByRole(portainer.AdministratorRole)
 		if err != nil {
-			log.Fatalf("failed getting admin user: %v", err)
+			logrus.Fatalf("Failed getting admin user: %v", err)
 		}

 		if len(users) == 0 {
-			log.Println("Created admin user with the given password.")
+			logrus.Println("Created admin user with the given password.")
 			user := &portainer.User{
 				Username: "admin",
 				Role:     portainer.AdministratorRole,
@@ -625,21 +641,21 @@ func buildServer(flags *portainer.CLIFlags) portainer.Server {
 			}
 			err := dataStore.User().Create(user)
 			if err != nil {
-				log.Fatalf("failed creating admin user: %v", err)
+				logrus.Fatalf("Failed creating admin user: %v", err)
 			}
 		} else {
-			log.Println("Instance already has an administrator user defined. Skipping admin password related flags.")
+			logrus.Println("Instance already has an administrator user defined. Skipping admin password related flags.")
 		}
 	}

 	err = reverseTunnelService.StartTunnelServer(*flags.TunnelAddr, *flags.TunnelPort, snapshotService)
 	if err != nil {
-		log.Fatalf("failed starting tunnel server: %s", err)
+		logrus.Fatalf("Failed starting tunnel server: %v", err)
 	}

 	sslDBSettings, err := dataStore.SSLSettings().Settings()
 	if err != nil {
-		log.Fatalf("failed to fetch ssl settings from DB")
+		logrus.Fatalf("Failed to fetch ssl settings from DB")
 	}

 	scheduler := scheduler.NewScheduler(shutdownCtx)
@@ -690,8 +706,8 @@ func main() {

 	for {
 		server := buildServer(flags)
-		log.Printf("[INFO] [cmd,main] Starting Portainer version %s\n", portainer.APIVersion)
+		logrus.Printf("[INFO] [cmd,main] Starting Portainer version %s\n", portainer.APIVersion)
 		err := server.Start()
-		log.Printf("[INFO] [cmd,main] Http server exited: %s\n", err)
+		logrus.Printf("[INFO] [cmd,main] Http server exited: %v\n", err)
 	}
 }
--- a/api/cmd/portainer/main_test.go
+++ b/api/cmd/portainer/main_test.go
@@ -29,11 +29,6 @@ func Test_enableFeaturesFromFlags(t *testing.T) {
 		isSupported bool
 	}{
 		{"test", false},
-		{"openamt", false},
-		{"open-amt", true},
-		{"oPeN-amT", true},
-		{"fdo", true},
-		{"FDO", true},
 	}
 	for _, test := range tests {
 		t.Run(fmt.Sprintf("%s succeeds:%v", test.featureFlag, test.isSupported), func(t *testing.T) {
--- a/api/connection.go
+++ b/api/connection.go
@@ -11,14 +11,16 @@ type Connection interface {
 	// write the db contents to filename as json (the schema needs defining)
 	ExportRaw(filename string) error

-	//Rollback(force bool) error
-	//MigrateData(migratorParams *database.MigratorParameters, force bool) error
-
 	// TODO: this one is very database specific atm
 	BackupTo(w io.Writer) error
-	GetDatabaseFilename() string
+	GetDatabaseFileName() string
+	GetDatabaseFilePath() string
 	GetStorePath() string

+	IsEncryptedStore() bool
+	NeedsEncryptionMigration() (bool, error)
+	SetEncrypted(encrypted bool)
+
 	SetServiceName(bucketName string) error
 	GetObject(bucketName string, key []byte, object interface{}) error
 	UpdateObject(bucketName string, key []byte, object interface{}) error
--- a/api/database/boltdb/db.go
+++ b/api/database/boltdb/db.go
@@ -2,6 +2,7 @@ package boltdb

 import (
 	"encoding/binary"
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -10,44 +11,128 @@ import (
 	"time"

 	"github.com/boltdb/bolt"
-	"github.com/portainer/portainer/api/dataservices/errors"
+	dserrors "github.com/portainer/portainer/api/dataservices/errors"
+	"github.com/sirupsen/logrus"
 )

 const (
-	DatabaseFileName = "portainer.db"
+	DatabaseFileName          = "portainer.db"
+	EncryptedDatabaseFileName = "portainer.edb"
+)
+
+var (
+	ErrHaveEncryptedAndUnencrypted = errors.New("Portainer has detected both an encrypted and un-encrypted database and cannot start.  Only one database should exist")
+	ErrHaveEncryptedWithNoKey      = errors.New("The portainer database is encrypted, but no secret was loaded")
 )

 type DbConnection struct {
-	Path string
+	Path            string
+	MaxBatchSize    int
+	MaxBatchDelay   time.Duration
+	InitialMmapSize int
+	EncryptionKey   []byte
+	isEncrypted     bool

 	*bolt.DB
 }

-func (connection *DbConnection) GetDatabaseFilename() string {
+// GetDatabaseFileName get the database filename
+func (connection *DbConnection) GetDatabaseFileName() string {
+	if connection.IsEncryptedStore() {
+		return EncryptedDatabaseFileName
+	}
+
 	return DatabaseFileName
 }

+// GetDataseFilePath get the path + filename for the database file
+func (connection *DbConnection) GetDatabaseFilePath() string {
+	if connection.IsEncryptedStore() {
+		return path.Join(connection.Path, EncryptedDatabaseFileName)
+	}
+
+	return path.Join(connection.Path, DatabaseFileName)
+}
+
+// GetStorePath get the filename and path for the database file
 func (connection *DbConnection) GetStorePath() string {
 	return connection.Path
 }

+func (connection *DbConnection) SetEncrypted(flag bool) {
+	connection.isEncrypted = flag
+}
+
+// Return true if the database is encrypted
+func (connection *DbConnection) IsEncryptedStore() bool {
+	return connection.getEncryptionKey() != nil
+}
+
+// NeedsEncryptionMigration returns true if database encryption is enabled and
+// we have an un-encrypted DB that requires migration to an encrypted DB
+func (connection *DbConnection) NeedsEncryptionMigration() (bool, error) {
+
+	// Cases:  Note, we need to check both portainer.db and portainer.edb
+	// to determine if it's a new store.   We only need to differentiate between cases 2,3 and 5
+
+	// 1) portainer.edb + key     => False
+	// 2) portainer.edb + no key  => ERROR Fatal!
+	// 3) portainer.db  + key     => True  (needs migration)
+	// 4) portainer.db  + no key  => False
+	// 5) NoDB (new)    + key     => False
+	// 6) NoDB (new)    + no key  => False
+	// 7) portainer.db & portainer.edb => ERROR Fatal!
+
+	// If we have a loaded encryption key, always set encrypted
+	if connection.EncryptionKey != nil {
+		connection.SetEncrypted(true)
+	}
+
+	// Check for portainer.db
+	dbFile := path.Join(connection.Path, DatabaseFileName)
+	_, err := os.Stat(dbFile)
+	haveDbFile := err == nil
+
+	// Check for portainer.edb
+	edbFile := path.Join(connection.Path, EncryptedDatabaseFileName)
+	_, err = os.Stat(edbFile)
+	haveEdbFile := err == nil
+
+	if haveDbFile && haveEdbFile {
+		// 7 - encrypted and unencrypted db?
+		return false, ErrHaveEncryptedAndUnencrypted
+	}
+
+	if haveDbFile && connection.EncryptionKey != nil {
+		// 3 - needs migration
+		return true, nil
+	}
+
+	if haveEdbFile && connection.EncryptionKey == nil {
+		// 2 - encrypted db, but no key?
+		return false, ErrHaveEncryptedWithNoKey
+	}
+
+	// 1, 4, 5, 6
+	return false, nil
+}
+
 // Open opens and initializes the BoltDB database.
 func (connection *DbConnection) Open() error {

-	// Disabled for now.  Can't use feature flags due to the way that works
-	// databaseExportPath := path.Join(connection.Path, fmt.Sprintf("raw-%s-%d.json", DatabaseFileName, time.Now().Unix()))
-	// if err := connection.ExportRaw(databaseExportPath); err != nil {
-	// 	log.Printf("raw export to %s error: %s", databaseExportPath, err)
-	// } else {
-	// 	log.Printf("raw export to %s success", databaseExportPath)
-	// }
+	logrus.Infof("Loading PortainerDB: %s", connection.GetDatabaseFileName())

-	databasePath := path.Join(connection.Path, DatabaseFileName)
-
-	db, err := bolt.Open(databasePath, 0600, &bolt.Options{Timeout: 1 * time.Second})
+	// Now we open the db
+	databasePath := connection.GetDatabaseFilePath()
+	db, err := bolt.Open(databasePath, 0600, &bolt.Options{
+		Timeout:         1 * time.Second,
+		InitialMmapSize: connection.InitialMmapSize,
+	})
 	if err != nil {
 		return err
 	}
+	db.MaxBatchSize = connection.MaxBatchSize
+	db.MaxBatchDelay = connection.MaxBatchDelay
 	connection.DB = db
 	return nil
 }
@@ -71,12 +156,12 @@ func (connection *DbConnection) BackupTo(w io.Writer) error {
 }

 func (connection *DbConnection) ExportRaw(filename string) error {
-	databasePath := path.Join(connection.Path, DatabaseFileName)
+	databasePath := connection.GetDatabaseFilePath()
 	if _, err := os.Stat(databasePath); err != nil {
 		return fmt.Errorf("stat on %s failed: %s", databasePath, err)
 	}

-	b, err := exportJson(databasePath)
+	b, err := connection.exportJson(databasePath)
 	if err != nil {
 		return err
 	}
@@ -94,7 +179,7 @@ func (connection *DbConnection) ConvertToKey(v int) []byte {

 // CreateBucket is a generic function used to create a bucket inside a database database.
 func (connection *DbConnection) SetServiceName(bucketName string) error {
-	return connection.Update(func(tx *bolt.Tx) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
 		_, err := tx.CreateBucketIfNotExists([]byte(bucketName))
 		if err != nil {
 			return err
@@ -112,7 +197,7 @@ func (connection *DbConnection) GetObject(bucketName string, key []byte, object

 		value := bucket.Get(key)
 		if value == nil {
-			return errors.ErrObjectNotFound
+			return dserrors.ErrObjectNotFound
 		}

 		data = make([]byte, len(value))
@@ -124,31 +209,33 @@ func (connection *DbConnection) GetObject(bucketName string, key []byte, object
 		return err
 	}

-	return UnmarshalObject(data, object)
+	return connection.UnmarshalObjectWithJsoniter(data, object)
+}
+
+func (connection *DbConnection) getEncryptionKey() []byte {
+	if !connection.isEncrypted {
+		return nil
+	}
+
+	return connection.EncryptionKey
 }

 // UpdateObject is a generic function used to update an object inside a database database.
 func (connection *DbConnection) UpdateObject(bucketName string, key []byte, object interface{}) error {
-	return connection.Update(func(tx *bolt.Tx) error {
+	data, err := connection.MarshalObject(object)
+	if err != nil {
+		return err
+	}
+
+	return connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
-
-		data, err := MarshalObject(object)
-		if err != nil {
-			return err
-		}
-
-		err = bucket.Put(key, data)
-		if err != nil {
-			return err
-		}
-
-		return nil
+		return bucket.Put(key, data)
 	})
 }

 // DeleteObject is a generic function used to delete an object inside a database database.
 func (connection *DbConnection) DeleteObject(bucketName string, key []byte) error {
-	return connection.Update(func(tx *bolt.Tx) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
 		return bucket.Delete(key)
 	})
@@ -157,13 +244,13 @@ func (connection *DbConnection) DeleteObject(bucketName string, key []byte) erro
 // DeleteAllObjects delete all objects where matching() returns (id, ok).
 // TODO: think about how to return the error inside (maybe change ok to type err, and use "notfound"?
 func (connection *DbConnection) DeleteAllObjects(bucketName string, matching func(o interface{}) (id int, ok bool)) error {
-	return connection.Update(func(tx *bolt.Tx) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))

 		cursor := bucket.Cursor()
 		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
 			var obj interface{}
-			err := UnmarshalObject(v, &obj)
+			err := connection.UnmarshalObject(v, &obj)
 			if err != nil {
 				return err
 			}
@@ -184,7 +271,7 @@ func (connection *DbConnection) DeleteAllObjects(bucketName string, matching fun
 func (connection *DbConnection) GetNextIdentifier(bucketName string) int {
 	var identifier int

-	connection.Update(func(tx *bolt.Tx) error {
+	connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
 		id, err := bucket.NextSequence()
 		if err != nil {
@@ -199,13 +286,13 @@ func (connection *DbConnection) GetNextIdentifier(bucketName string) int {

 // CreateObject creates a new object in the bucket, using the next bucket sequence id
 func (connection *DbConnection) CreateObject(bucketName string, fn func(uint64) (int, interface{})) error {
-	return connection.Update(func(tx *bolt.Tx) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))

 		seqId, _ := bucket.NextSequence()
 		id, obj := fn(seqId)

-		data, err := MarshalObject(obj)
+		data, err := connection.MarshalObject(obj)
 		if err != nil {
 			return err
 		}
@@ -216,10 +303,9 @@ func (connection *DbConnection) CreateObject(bucketName string, fn func(uint64)

 // CreateObjectWithId creates a new object in the bucket, using the specified id
 func (connection *DbConnection) CreateObjectWithId(bucketName string, id int, obj interface{}) error {
-	return connection.Update(func(tx *bolt.Tx) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
-
-		data, err := MarshalObject(obj)
+		data, err := connection.MarshalObject(obj)
 		if err != nil {
 			return err
 		}
@@ -231,7 +317,7 @@ func (connection *DbConnection) CreateObjectWithId(bucketName string, id int, ob
 // CreateObjectWithSetSequence creates a new object in the bucket, using the specified id, and sets the bucket sequence
 // avoid this :)
 func (connection *DbConnection) CreateObjectWithSetSequence(bucketName string, id int, obj interface{}) error {
-	return connection.Update(func(tx *bolt.Tx) error {
+	return connection.Batch(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))

 		// We manually manage sequences for schedules
@@ -240,7 +326,7 @@ func (connection *DbConnection) CreateObjectWithSetSequence(bucketName string, i
 			return err
 		}

-		data, err := MarshalObject(obj)
+		data, err := connection.MarshalObject(obj)
 		if err != nil {
 			return err
 		}
@@ -252,10 +338,9 @@ func (connection *DbConnection) CreateObjectWithSetSequence(bucketName string, i
 func (connection *DbConnection) GetAll(bucketName string, obj interface{}, append func(o interface{}) (interface{}, error)) error {
 	err := connection.View(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket([]byte(bucketName))
-
 		cursor := bucket.Cursor()
 		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
-			err := UnmarshalObject(v, obj)
+			err := connection.UnmarshalObject(v, obj)
 			if err != nil {
 				return err
 			}
@@ -277,7 +362,7 @@ func (connection *DbConnection) GetAllWithJsoniter(bucketName string, obj interf

 		cursor := bucket.Cursor()
 		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
-			err := UnmarshalObjectWithJsoniter(v, obj)
+			err := connection.UnmarshalObjectWithJsoniter(v, obj)
 			if err != nil {
 				return err
 			}
--- a/api/database/boltdb/db_test.go
+++ b/api/database/boltdb/db_test.go
@@ -0,0 +1,124 @@
+package boltdb
+
+import (
+	"os"
+	"path"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func Test_NeedsEncryptionMigration(t *testing.T) {
+	// Test the specific scenarios mentioned in NeedsEncryptionMigration
+
+	// i.e.
+	// Cases:  Note, we need to check both portainer.db and portainer.edb
+	// to determine if it's a new store.   We only need to differentiate between cases 2,3 and 5
+
+	// 1) portainer.edb + key     => False
+	// 2) portainer.edb + no key  => ERROR Fatal!
+	// 3) portainer.db  + key     => True  (needs migration)
+	// 4) portainer.db  + no key  => False
+	// 5) NoDB (new)    + key     => False
+	// 6) NoDB (new)    + no key  => False
+	// 7) portainer.db & portainer.edb (key not important) => ERROR Fatal!
+
+	is := assert.New(t)
+	dir := t.TempDir()
+
+	cases := []struct {
+		name         string
+		dbname       string
+		key          bool
+		expectError  error
+		expectResult bool
+	}{
+		{
+			name:         "portainer.edb + key",
+			dbname:       EncryptedDatabaseFileName,
+			key:          true,
+			expectError:  nil,
+			expectResult: false,
+		},
+		{
+			name:         "portainer.db + key (migration needed)",
+			dbname:       DatabaseFileName,
+			key:          true,
+			expectError:  nil,
+			expectResult: true,
+		},
+		{
+			name:         "portainer.db + no key",
+			dbname:       DatabaseFileName,
+			key:          false,
+			expectError:  nil,
+			expectResult: false,
+		},
+		{
+			name:         "NoDB (new) + key",
+			dbname:       "",
+			key:          false,
+			expectError:  nil,
+			expectResult: false,
+		},
+		{
+			name:         "NoDB (new) + no key",
+			dbname:       "",
+			key:          false,
+			expectError:  nil,
+			expectResult: false,
+		},
+
+		// error tests
+		{
+			name:         "portainer.edb + no key",
+			dbname:       EncryptedDatabaseFileName,
+			key:          false,
+			expectError:  ErrHaveEncryptedWithNoKey,
+			expectResult: false,
+		},
+		{
+			name:         "portainer.db & portainer.edb",
+			dbname:       "both",
+			key:          true,
+			expectError:  ErrHaveEncryptedAndUnencrypted,
+			expectResult: false,
+		},
+	}
+
+	for _, tc := range cases {
+		tc := tc
+
+		t.Run(tc.name, func(t *testing.T) {
+
+			connection := DbConnection{Path: dir}
+
+			if tc.dbname == "both" {
+				// Special case.  If portainer.db and portainer.edb exist.
+				dbFile1 := path.Join(connection.Path, DatabaseFileName)
+				f, _ := os.Create(dbFile1)
+				f.Close()
+				defer os.Remove(dbFile1)
+
+				dbFile2 := path.Join(connection.Path, EncryptedDatabaseFileName)
+				f, _ = os.Create(dbFile2)
+				f.Close()
+				defer os.Remove(dbFile2)
+			} else if tc.dbname != "" {
+				dbFile := path.Join(connection.Path, tc.dbname)
+				f, _ := os.Create(dbFile)
+				f.Close()
+				defer os.Remove(dbFile)
+			}
+
+			if tc.key {
+				connection.EncryptionKey = []byte("secret")
+			}
+
+			result, err := connection.NeedsEncryptionMigration()
+
+			is.Equal(tc.expectError, err, "Fatal Error failure. Test: %s", tc.name)
+			is.Equal(result, tc.expectResult, "Failed test: %s", tc.name)
+		})
+	}
+}
--- a/api/database/boltdb/export.go
+++ b/api/database/boltdb/export.go
@@ -10,8 +10,9 @@ import (

 // inspired by github.com/konoui/boltdb-exporter (which has no license)
 // but very much simplified, based on how we use boltdb
+func (c *DbConnection) exportJson(databasePath string) ([]byte, error) {
+	logrus.WithField("databasePath", databasePath).Infof("exportJson")

-func exportJson(databasePath string) ([]byte, error) {
 	connection, err := bolt.Open(databasePath, 0600, &bolt.Options{Timeout: 1 * time.Second, ReadOnly: true})
 	if err != nil {
 		return []byte("{}"), err
@@ -31,7 +32,7 @@ func exportJson(databasePath string) ([]byte, error) {
 					continue
 				}
 				var obj interface{}
-				err := UnmarshalObject(v, &obj)
+				err := c.UnmarshalObject(v, &obj)
 				if err != nil {
 					logrus.WithError(err).Errorf("Failed to unmarshal (bucket %s): %v", bucketName, string(v))
 					obj = v
--- a/api/database/boltdb/json.go
+++ b/api/database/boltdb/json.go
@@ -1,26 +1,72 @@
 package boltdb

 import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
 	"encoding/json"
+	"fmt"
+	"io"

 	jsoniter "github.com/json-iterator/go"
+	"github.com/pkg/errors"
 )

+var errEncryptedStringTooShort = fmt.Errorf("encrypted string too short")
+
 // MarshalObject encodes an object to binary format
-func MarshalObject(object interface{}) ([]byte, error) {
+func (connection *DbConnection) MarshalObject(object interface{}) (data []byte, err error) {
 	// Special case for the VERSION bucket. Here we're not using json
 	if v, ok := object.(string); ok {
-		return []byte(v), nil
+		data = []byte(v)
+	} else {
+		data, err = json.Marshal(object)
+		if err != nil {
+			return data, err
+		}
 	}
-
-	return json.Marshal(object)
+	if connection.getEncryptionKey() == nil {
+		return data, nil
+	}
+	return encrypt(data, connection.getEncryptionKey())
 }

 // UnmarshalObject decodes an object from binary data
-func UnmarshalObject(data []byte, object interface{}) error {
-	// Special case for the VERSION bucket. Here we're not using json
-	// So we need to return it as a string
-	err := json.Unmarshal(data, object)
+func (connection *DbConnection) UnmarshalObject(data []byte, object interface{}) error {
+	var err error
+	if connection.getEncryptionKey() != nil {
+		data, err = decrypt(data, connection.getEncryptionKey())
+		if err != nil {
+			return errors.Wrap(err, "Failed decrypting object")
+		}
+	}
+	e := json.Unmarshal(data, object)
+	if e != nil {
+		// Special case for the VERSION bucket. Here we're not using json
+		// So we need to return it as a string
+		s, ok := object.(*string)
+		if !ok {
+			return errors.Wrap(err, e.Error())
+		}
+
+		*s = string(data)
+	}
+	return err
+}
+
+// UnmarshalObjectWithJsoniter decodes an object from binary data
+// using the jsoniter library. It is mainly used to accelerate environment(endpoint)
+// decoding at the moment.
+func (connection *DbConnection) UnmarshalObjectWithJsoniter(data []byte, object interface{}) error {
+	if connection.getEncryptionKey() != nil {
+		var err error
+		data, err = decrypt(data, connection.getEncryptionKey())
+		if err != nil {
+			return err
+		}
+	}
+	var jsoni = jsoniter.ConfigCompatibleWithStandardLibrary
+	err := jsoni.Unmarshal(data, &object)
 	if err != nil {
 		if s, ok := object.(*string); ok {
 			*s = string(data)
@@ -33,10 +79,55 @@ func UnmarshalObject(data []byte, object interface{}) error {
 	return nil
 }

-// UnmarshalObjectWithJsoniter decodes an object from binary data
-// using the jsoniter library. It is mainly used to accelerate environment(endpoint)
-// decoding at the moment.
-func UnmarshalObjectWithJsoniter(data []byte, object interface{}) error {
-	var jsoni = jsoniter.ConfigCompatibleWithStandardLibrary
-	return jsoni.Unmarshal(data, &object)
+// mmm, don't have a KMS .... aes GCM seems the most likely from
+// https://gist.github.com/atoponce/07d8d4c833873be2f68c34f9afc5a78a#symmetric-encryption
+
+func encrypt(plaintext []byte, passphrase []byte) (encrypted []byte, err error) {
+	block, _ := aes.NewCipher(passphrase)
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return encrypted, err
+	}
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
+		return encrypted, err
+	}
+	ciphertextByte := gcm.Seal(
+		nonce,
+		nonce,
+		plaintext,
+		nil)
+	return ciphertextByte, nil
+}
+
+func decrypt(encrypted []byte, passphrase []byte) (plaintextByte []byte, err error) {
+	if string(encrypted) == "false" {
+		return []byte("false"), nil
+	}
+	block, err := aes.NewCipher(passphrase)
+	if err != nil {
+		return encrypted, errors.Wrap(err, "Error creating cypher block")
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return encrypted, errors.Wrap(err, "Error creating GCM")
+	}
+
+	nonceSize := gcm.NonceSize()
+	if len(encrypted) < nonceSize {
+		return encrypted, errEncryptedStringTooShort
+	}
+
+	nonce, ciphertextByteClean := encrypted[:nonceSize], encrypted[nonceSize:]
+	plaintextByte, err = gcm.Open(
+		nil,
+		nonce,
+		ciphertextByteClean,
+		nil)
+	if err != nil {
+		return encrypted, errors.Wrap(err, "Error decrypting text")
+	}
+
+	return plaintextByte, err
 }
--- a/api/database/boltdb/json_test.go
+++ b/api/database/boltdb/json_test.go
@@ -1,6 +1,7 @@
 package boltdb

 import (
+	"crypto/sha256"
 	"fmt"
 	"testing"

@@ -8,9 +9,17 @@ import (
 	"github.com/stretchr/testify/assert"
 )

-const jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
+const (
+	jsonobject = `{"LogoURL":"","BlackListedLabels":[],"AuthenticationMethod":1,"LDAPSettings":{"AnonymousMode":true,"ReaderDN":"","URL":"","TLSConfig":{"TLS":false,"TLSSkipVerify":false},"StartTLS":false,"SearchSettings":[{"BaseDN":"","Filter":"","UserNameAttribute":""}],"GroupSearchSettings":[{"GroupBaseDN":"","GroupFilter":"","GroupAttribute":""}],"AutoCreateUsers":true},"OAuthSettings":{"ClientID":"","AccessTokenURI":"","AuthorizationURI":"","ResourceURI":"","RedirectURI":"","UserIdentifier":"","Scopes":"","OAuthAutoCreateUsers":false,"DefaultTeamID":0,"SSO":true,"LogoutURI":"","KubeSecretKey":"j0zLVtY/lAWBk62ByyF0uP80SOXaitsABP0TTJX8MhI="},"OpenAMTConfiguration":{"Enabled":false,"MPSServer":"","MPSUser":"","MPSPassword":"","MPSToken":"","CertFileContent":"","CertFileName":"","CertFilePassword":"","DomainName":""},"FeatureFlagSettings":{},"SnapshotInterval":"5m","TemplatesURL":"https://raw.githubusercontent.com/portainer/templates/master/templates-2.0.json","EdgeAgentCheckinInterval":5,"EnableEdgeComputeFeatures":false,"UserSessionTimeout":"8h","KubeconfigExpiry":"0","EnableTelemetry":true,"HelmRepositoryURL":"https://charts.bitnami.com/bitnami","KubectlShellImage":"portainer/kubectl-shell","DisplayDonationHeader":false,"DisplayExternalContributors":false,"EnableHostManagementFeatures":false,"AllowVolumeBrowserForRegularUsers":false,"AllowBindMountsForRegularUsers":false,"AllowPrivilegedModeForRegularUsers":false,"AllowHostNamespaceForRegularUsers":false,"AllowStackManagementForRegularUsers":false,"AllowDeviceMappingForRegularUsers":false,"AllowContainerCapabilitiesForRegularUsers":false}`
+	passphrase = "my secret key"
+)

-func Test_MarshalObject(t *testing.T) {
+func secretToEncryptionKey(passphrase string) []byte {
+	hash := sha256.Sum256([]byte(passphrase))
+	return hash[:]
+}
+
+func Test_MarshalObjectUnencrypted(t *testing.T) {
 	is := assert.New(t)

 	uuid := uuid.Must(uuid.NewV4())
@@ -73,16 +82,18 @@ func Test_MarshalObject(t *testing.T) {
 		},
 	}

+	conn := DbConnection{}
+
 	for _, test := range tests {
 		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {
-			data, err := MarshalObject(test.object)
+			data, err := conn.MarshalObject(test.object)
 			is.NoError(err)
 			is.Equal(test.expected, string(data))
 		})
 	}
 }

-func Test_UnMarshalObject(t *testing.T) {
+func Test_UnMarshalObjectUnencrypted(t *testing.T) {
 	is := assert.New(t)

 	// Based on actual data entering and what we expect out of the function
@@ -105,18 +116,62 @@ func Test_UnMarshalObject(t *testing.T) {
 			expected: "9ca4a1dd-a439-4593-b386-a7dfdc2e9fc6",
 		},
 		{
-			// An unmarshalled json object string should return the same as a string without error also
+			// An un-marshalled json object string should return the same as a string without error also
 			object:   []byte(jsonobject),
 			expected: jsonobject,
 		},
 	}

+	conn := DbConnection{}
+
 	for _, test := range tests {
 		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {
 			var object string
-			err := UnmarshalObject(test.object, &object)
+			err := conn.UnmarshalObject(test.object, &object)
 			is.NoError(err)
 			is.Equal(test.expected, string(object))
 		})
 	}
 }
+
+func Test_ObjectMarshallingEncrypted(t *testing.T) {
+	is := assert.New(t)
+
+	// Based on actual data entering and what we expect out of the function
+
+	tests := []struct {
+		object   []byte
+		expected string
+	}{
+		{
+			object: []byte(""),
+		},
+		{
+			object: []byte("35"),
+		},
+		{
+			// An unmarshalled byte string should return the same without error
+			object: []byte("9ca4a1dd-a439-4593-b386-a7dfdc2e9fc6"),
+		},
+		{
+			// An un-marshalled json object string should return the same as a string without error also
+			object: []byte(jsonobject),
+		},
+	}
+
+	key := secretToEncryptionKey(passphrase)
+	conn := DbConnection{EncryptionKey: key}
+	for _, test := range tests {
+		t.Run(fmt.Sprintf("%s -> %s", test.object, test.expected), func(t *testing.T) {
+
+			data, err := conn.MarshalObject(test.object)
+			is.NoError(err)
+
+			var object []byte
+			err = conn.UnmarshalObject(data, &object)
+
+			is.NoError(err)
+			is.Equal(test.object, object)
+		})
+	}
+}
--- a/api/database/database.go
+++ b/api/database/database.go
@@ -2,15 +2,19 @@ package database

 import (
 	"fmt"
+
 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/database/boltdb"
 )

 // NewDatabase should use config options to return a connection to the requested database
-func NewDatabase(storeType, storePath string) (connection portainer.Connection, err error) {
+func NewDatabase(storeType, storePath string, encryptionKey []byte) (connection portainer.Connection, err error) {
 	switch storeType {
 	case "boltdb":
-		return &boltdb.DbConnection{Path: storePath}, nil
+		return &boltdb.DbConnection{
+			Path:          storePath,
+			EncryptionKey: encryptionKey,
+		}, nil
 	}
-	return nil, fmt.Errorf("Unknown storage database: %s", storeType)
+	return nil, fmt.Errorf("unknown storage database: %s", storeType)
 }
--- a/api/dataservices/endpoint/endpoint.go
+++ b/api/dataservices/endpoint/endpoint.go
@@ -69,7 +69,7 @@ func (service *Service) Endpoints() ([]portainer.Endpoint, error) {
 			endpoint, ok := obj.(*portainer.Endpoint)
 			if !ok {
 				logrus.WithField("obj", obj).Errorf("Failed to convert to Endpoint object")
-				return nil, fmt.Errorf("Failed to convert to Endpoint object: %s", obj)
+				return nil, fmt.Errorf("failed to convert to Endpoint object: %s", obj)
 			}
 			endpoints = append(endpoints, *endpoint)
 			return &portainer.Endpoint{}, nil
--- a/api/dataservices/errors/errors.go
+++ b/api/dataservices/errors/errors.go
@@ -4,6 +4,7 @@ import "errors"

 var (
 	// TODO: i'm pretty sure this needs wrapping at several levels
-	ErrObjectNotFound = errors.New("Object not found inside the database")
-	ErrWrongDBEdition = errors.New("The Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
+	ErrObjectNotFound = errors.New("object not found inside the database")
+	ErrWrongDBEdition = errors.New("the Portainer database is set for Portainer Business Edition, please follow the instructions in our documentation to downgrade it: https://documentation.portainer.io/v2.0-be/downgrade/be-to-ce/")
+	ErrDBImportFailed = errors.New("importing backup failed")
 )
--- a/api/dataservices/fdoprofile/fdoprofile.go
+++ b/api/dataservices/fdoprofile/fdoprofile.go
@@ -0,0 +1,92 @@
+package fdoprofile
+
+import (
+	"fmt"
+	portainer "github.com/portainer/portainer/api"
+	"github.com/sirupsen/logrus"
+)
+
+const (
+	// BucketName represents the name of the bucket where this service stores data.
+	BucketName = "fdo_profiles"
+)
+
+// Service represents a service for managingFDO Profiles data.
+type Service struct {
+	connection portainer.Connection
+}
+
+func (service *Service) BucketName() string {
+	return BucketName
+}
+
+// NewService creates a new instance of a service.
+func NewService(connection portainer.Connection) (*Service, error) {
+	err := connection.SetServiceName(BucketName)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Service{
+		connection: connection,
+	}, nil
+}
+
+// FDOProfiles return an array containing all the FDO Profiles.
+func (service *Service) FDOProfiles() ([]portainer.FDOProfile, error) {
+	var fdoProfiles = make([]portainer.FDOProfile, 0)
+
+	err := service.connection.GetAll(
+		BucketName,
+		&portainer.FDOProfile{},
+		func(obj interface{}) (interface{}, error) {
+			fdoProfile, ok := obj.(*portainer.FDOProfile)
+			if !ok {
+				logrus.WithField("obj", obj).Errorf("Failed to convert to FDOProfile object")
+				return nil, fmt.Errorf("failed to convert to FDOProfile object: %s", obj)
+			}
+			fdoProfiles = append(fdoProfiles, *fdoProfile)
+			return &portainer.FDOProfile{}, nil
+		})
+
+	return fdoProfiles, err
+}
+
+// FDOProfile returns an FDO Profile by ID.
+func (service *Service) FDOProfile(ID portainer.FDOProfileID) (*portainer.FDOProfile, error) {
+	var FDOProfile portainer.FDOProfile
+	identifier := service.connection.ConvertToKey(int(ID))
+
+	err := service.connection.GetObject(BucketName, identifier, &FDOProfile)
+	if err != nil {
+		return nil, err
+	}
+
+	return &FDOProfile, nil
+}
+
+// Create assign an ID to a new FDO Profile and saves it.
+func (service *Service) Create(FDOProfile *portainer.FDOProfile) error {
+	return service.connection.CreateObjectWithId(
+		BucketName,
+		int(FDOProfile.ID),
+		FDOProfile,
+	)
+}
+
+// Update updates an FDO Profile.
+func (service *Service) Update(ID portainer.FDOProfileID, FDOProfile *portainer.FDOProfile) error {
+	identifier := service.connection.ConvertToKey(int(ID))
+	return service.connection.UpdateObject(BucketName, identifier, FDOProfile)
+}
+
+// Delete deletes an FDO Profile.
+func (service *Service) Delete(ID portainer.FDOProfileID) error {
+	identifier := service.connection.ConvertToKey(int(ID))
+	return service.connection.DeleteObject(BucketName, identifier)
+}
+
+// GetNextIdentifier returns the next identifier for a FDO Profile.
+func (service *Service) GetNextIdentifier() int {
+	return service.connection.GetNextIdentifier(BucketName)
+}
--- a/api/dataservices/helmuserrepository/helmuserrepository.go
+++ b/api/dataservices/helmuserrepository/helmuserrepository.go
@@ -34,7 +34,7 @@ func NewService(connection portainer.Connection) (*Service, error) {
 }

 //HelmUserRepository returns an array of all HelmUserRepository
-func (service *Service) HelmUserRepositorys() ([]portainer.HelmUserRepository, error) {
+func (service *Service) HelmUserRepositories() ([]portainer.HelmUserRepository, error) {
 	var repos = make([]portainer.HelmUserRepository, 0)

 	err := service.connection.GetAll(
--- a/api/dataservices/interface.go
+++ b/api/dataservices/interface.go
@@ -23,7 +23,7 @@ type (
 		BackupTo(w io.Writer) error
 		Export(filename string) (err error)
 		IsErrObjectNotFound(err error) bool
-
+		Connection() portainer.Connection
 		CustomTemplate() CustomTemplateService
 		EdgeGroup() EdgeGroupService
 		EdgeJob() EdgeJobService
@@ -31,6 +31,7 @@ type (
 		Endpoint() EndpointService
 		EndpointGroup() EndpointGroupService
 		EndpointRelation() EndpointRelationService
+		FDOProfile() FDOProfileService
 		HelmUserRepository() HelmUserRepositoryService
 		Registry() RegistryService
 		ResourceControl() ResourceControlService
@@ -122,9 +123,20 @@ type (
 		BucketName() string
 	}

+	// FDOProfileService represents a service to manage FDO Profiles
+	FDOProfileService interface {
+		FDOProfiles() ([]portainer.FDOProfile, error)
+		FDOProfile(ID portainer.FDOProfileID) (*portainer.FDOProfile, error)
+		Create(FDOProfile *portainer.FDOProfile) error
+		Update(ID portainer.FDOProfileID, FDOProfile *portainer.FDOProfile) error
+		Delete(ID portainer.FDOProfileID) error
+		GetNextIdentifier() int
+		BucketName() string
+	}
+
 	// HelmUserRepositoryService represents a service to manage HelmUserRepositories
 	HelmUserRepositoryService interface {
-		HelmUserRepositorys() ([]portainer.HelmUserRepository, error)
+		HelmUserRepositories() ([]portainer.HelmUserRepository, error)
 		HelmUserRepositoryByUserID(userID portainer.UserID) ([]portainer.HelmUserRepository, error)
 		Create(record *portainer.HelmUserRepository) error
 		UpdateHelmUserRepository(ID portainer.HelmUserRepositoryID, repository *portainer.HelmUserRepository) error
--- a/api/dataservices/resourcecontrol/resourcecontrol.go
+++ b/api/dataservices/resourcecontrol/resourcecontrol.go
@@ -4,7 +4,6 @@ import (
 	"fmt"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices/errors"
 	"github.com/sirupsen/logrus"
 )

@@ -79,9 +78,6 @@ func (service *Service) ResourceControlByResourceIDAndType(resourceID string, re
 	if err == stop {
 		return resourceControl, nil
 	}
-	if err == nil {
-		return nil, errors.ErrObjectNotFound
-	}

 	return nil, err
 }
--- a/api/datastore/backup.go
+++ b/api/datastore/backup.go
@@ -35,7 +35,7 @@ func (store *Store) createBackupFolders() {
 }

 func (store *Store) databasePath() string {
-	return path.Join(store.connection.GetStorePath(), store.connection.GetDatabaseFilename())
+	return store.connection.GetDatabaseFilePath()
 }

 func (store *Store) commonBackupDir() string {
@@ -84,7 +84,7 @@ func (store *Store) setupOptions(options *BackupOptions) *BackupOptions {
 		options.BackupDir = store.commonBackupDir()
 	}
 	if options.BackupFileName == "" {
-		options.BackupFileName = fmt.Sprintf("%s.%s.%s", store.connection.GetDatabaseFilename(), fmt.Sprintf("%03d", options.Version), time.Now().Format("20060102150405"))
+		options.BackupFileName = fmt.Sprintf("%s.%s.%s", store.connection.GetDatabaseFileName(), fmt.Sprintf("%03d", options.Version), time.Now().Format("20060102150405"))
 	}
 	if options.BackupPath == "" {
 		options.BackupPath = path.Join(options.BackupDir, options.BackupFileName)
--- a/api/datastore/backup_test.go
+++ b/api/datastore/backup_test.go
@@ -48,7 +48,7 @@ func TestBackup(t *testing.T) {
 		store.VersionService.StoreDBVersion(portainer.DBVersion)
 		store.backupWithOptions(nil)

-		backupFileName := path.Join(connection.GetStorePath(), "backups", "common", fmt.Sprintf("portainer.db.%03d.*", portainer.DBVersion))
+		backupFileName := path.Join(connection.GetStorePath(), "backups", "common", fmt.Sprintf("portainer.edb.%03d.*", portainer.DBVersion))
 		if !isFileExist(backupFileName) {
 			t.Errorf("Expect backup file to be created %s", backupFileName)
 		}
--- a/api/datastore/datastore.go
+++ b/api/datastore/datastore.go
@@ -1,10 +1,15 @@
 package datastore

 import (
+	"fmt"
 	"io"
+	"os"
+	"path"
+	"time"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices/errors"
+	portainerErrors "github.com/portainer/portainer/api/dataservices/errors"
+	"github.com/sirupsen/logrus"
 )

 func (store *Store) version() (int, error) {
@@ -34,6 +39,19 @@ func NewStore(storePath string, fileService portainer.FileService, connection po
 // Open opens and initializes the BoltDB database.
 func (store *Store) Open() (newStore bool, err error) {
 	newStore = true
+
+	encryptionReq, err := store.connection.NeedsEncryptionMigration()
+	if err != nil {
+		return false, err
+	}
+
+	if encryptionReq {
+		err = store.encryptDB()
+		if err != nil {
+			return false, err
+		}
+	}
+
 	err = store.connection.Open()
 	if err != nil {
 		return newStore, err
@@ -45,8 +63,18 @@ func (store *Store) Open() (newStore bool, err error) {
 	}

 	// if we have DBVersion in the database then ensure we flag this as NOT a new store
-	if _, err := store.VersionService.DBVersion(); err == nil {
-		newStore = false
+	version, err := store.VersionService.DBVersion()
+	if err != nil {
+		if store.IsErrObjectNotFound(err) {
+			return newStore, nil
+		}
+
+		return newStore, err
+	}
+
+	if version > 0 {
+		logrus.WithField("version", version).Infof("Opened existing store")
+		return false, nil
 	}

 	return newStore, nil
@@ -65,16 +93,85 @@ func (store *Store) BackupTo(w io.Writer) error {
 // CheckCurrentEdition checks if current edition is community edition
 func (store *Store) CheckCurrentEdition() error {
 	if store.edition() != portainer.PortainerCE {
-		return errors.ErrWrongDBEdition
+		return portainerErrors.ErrWrongDBEdition
 	}
 	return nil
 }

 // TODO: move the use of this to dataservices.IsErrObjectNotFound()?
 func (store *Store) IsErrObjectNotFound(e error) bool {
-	return e == errors.ErrObjectNotFound
+	return e == portainerErrors.ErrObjectNotFound
+}
+
+func (store *Store) Connection() portainer.Connection {
+	return store.connection
 }

 func (store *Store) Rollback(force bool) error {
 	return store.connectionRollback(force)
 }
+
+func (store *Store) encryptDB() error {
+	store.connection.SetEncrypted(false)
+	err := store.connection.Open()
+	if err != nil {
+		return err
+	}
+
+	err = store.initServices()
+	if err != nil {
+		return err
+	}
+
+	// The DB is not currently encrypted.  First save the encrypted db filename
+	oldFilename := store.connection.GetDatabaseFilePath()
+	logrus.Infof("Encrypting database")
+
+	// export file path for backup
+	exportFilename := path.Join(store.databasePath() + "." + fmt.Sprintf("backup-%d.json", time.Now().Unix()))
+
+	logrus.Infof("Exporting database backup to %s", exportFilename)
+	err = store.Export(exportFilename)
+	if err != nil {
+		logrus.WithError(err).Debugf("Failed to export to %s", exportFilename)
+		return err
+	}
+
+	logrus.Infof("Database backup exported")
+
+	// Close existing un-encrypted db so that we can delete the file later
+	store.connection.Close()
+
+	// Tell the db layer to create an encrypted db when opened
+	store.connection.SetEncrypted(true)
+	store.connection.Open()
+
+	// We have to init services before import
+	err = store.initServices()
+	if err != nil {
+		return err
+	}
+
+	err = store.Import(exportFilename)
+	if err != nil {
+		// Remove the new encrypted file that we failed to import
+		os.Remove(store.connection.GetDatabaseFilePath())
+		logrus.Fatal(portainerErrors.ErrDBImportFailed.Error())
+	}
+
+	err = os.Remove(oldFilename)
+	if err != nil {
+		logrus.Errorf("Failed to remove the un-encrypted db file")
+	}
+
+	err = os.Remove(exportFilename)
+	if err != nil {
+		logrus.Errorf("Failed to remove the json backup file")
+	}
+
+	// Close db connection
+	store.connection.Close()
+
+	logrus.Info("Database successfully encrypted")
+	return nil
+}
--- a/api/datastore/init.go
+++ b/api/datastore/init.go
@@ -7,6 +7,30 @@ import (

 // Init creates the default data set.
 func (store *Store) Init() error {
+	err := store.checkOrCreateInstanceID()
+	if err != nil {
+		return err
+	}
+
+	err = store.checkOrCreateDefaultSettings()
+	if err != nil {
+		return err
+	}
+
+	err = store.checkOrCreateDefaultSSLSettings()
+	if err != nil {
+		return err
+	}
+
+	err = store.checkOrCreateDefaultData()
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (store *Store) checkOrCreateInstanceID() error {
 	instanceID, err := store.VersionService.InstanceID()
 	if store.IsErrObjectNotFound(err) {
 		uid, err := uuid.NewV4()
@@ -15,18 +39,17 @@ func (store *Store) Init() error {
 		}

 		instanceID = uid.String()
-		err = store.VersionService.StoreInstanceID(instanceID)
-		if err != nil {
-			return err
-		}
-	} else if err != nil {
-		return err
+		return store.VersionService.StoreInstanceID(instanceID)
 	}
+	return err
+}

+func (store *Store) checkOrCreateDefaultSettings() error {
 	// TODO: these need to also be applied when importing
 	settings, err := store.SettingsService.Settings()
 	if store.IsErrObjectNotFound(err) {
 		defaultSettings := &portainer.Settings{
+			EnableTelemetry:      true,
 			AuthenticationMethod: portainer.AuthenticationInternal,
 			BlackListedLabels:    make([]portainer.Pair, 0),
 			LDAPSettings: portainer.LDAPSettings{
@@ -34,14 +57,16 @@ func (store *Store) Init() error {
 				AutoCreateUsers: true,
 				TLSConfig:       portainer.TLSConfiguration{},
 				SearchSettings: []portainer.LDAPSearchSettings{
-					portainer.LDAPSearchSettings{},
+					{},
 				},
 				GroupSearchSettings: []portainer.LDAPGroupSearchSettings{
-					portainer.LDAPGroupSearchSettings{},
+					{},
 				},
 			},
-			OAuthSettings: portainer.OAuthSettings{},
-
+			OAuthSettings: portainer.OAuthSettings{
+				SSO: true,
+			},
+			SnapshotInterval:         portainer.DefaultSnapshotInterval,
 			EdgeAgentCheckinInterval: portainer.DefaultEdgeAgentCheckinIntervalInSeconds,
 			TemplatesURL:             portainer.DefaultTemplatesURL,
 			HelmRepositoryURL:        portainer.DefaultHelmRepositoryURL,
@@ -50,35 +75,33 @@ func (store *Store) Init() error {
 			KubectlShellImage:        portainer.DefaultKubectlShellImage,
 		}

-		err = store.SettingsService.UpdateSettings(defaultSettings)
-		if err != nil {
-			return err
-		}
-	} else if err != nil {
+		return store.SettingsService.UpdateSettings(defaultSettings)
+	}
+	if err != nil {
 		return err
-	} else if err == nil {
-		if settings.UserSessionTimeout == "" {
-			settings.UserSessionTimeout = portainer.DefaultUserSessionTimeout
-			store.Settings().UpdateSettings(settings)
-		}
 	}

-	_, err = store.SSLSettings().Settings()
-	if err != nil {
-		if !store.IsErrObjectNotFound(err) {
-			return err
-		}
+	if settings.UserSessionTimeout == "" {
+		settings.UserSessionTimeout = portainer.DefaultUserSessionTimeout
+		return store.Settings().UpdateSettings(settings)
+	}
+	return nil
+}

+func (store *Store) checkOrCreateDefaultSSLSettings() error {
+	_, err := store.SSLSettings().Settings()
+
+	if store.IsErrObjectNotFound(err) {
 		defaultSSLSettings := &portainer.SSLSettings{
 			HTTPEnabled: true,
 		}

-		err = store.SSLSettings().UpdateSettings(defaultSSLSettings)
-		if err != nil {
-			return err
-		}
+		return store.SSLSettings().UpdateSettings(defaultSSLSettings)
 	}
+	return err
+}

+func (store *Store) checkOrCreateDefaultData() error {
 	groups, err := store.EndpointGroupService.EndpointGroups()
 	if err != nil {
 		return err
@@ -99,6 +122,5 @@ func (store *Store) Init() error {
 			return err
 		}
 	}
-
 	return nil
 }
--- a/api/datastore/migrate_data.go
+++ b/api/datastore/migrate_data.go
@@ -30,6 +30,7 @@ func (store *Store) MigrateData() error {
 		EndpointService:         store.EndpointService,
 		EndpointRelationService: store.EndpointRelationService,
 		ExtensionService:        store.ExtensionService,
+		FDOProfilesService:      store.FDOProfilesService,
 		RegistryService:         store.RegistryService,
 		ResourceControlService:  store.ResourceControlService,
 		RoleService:             store.RoleService,
--- a/api/datastore/migrator/migrator.go
+++ b/api/datastore/migrator/migrator.go
@@ -7,6 +7,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/endpointgroup"
 	"github.com/portainer/portainer/api/dataservices/endpointrelation"
 	"github.com/portainer/portainer/api/dataservices/extension"
+	"github.com/portainer/portainer/api/dataservices/fdoprofile"
 	"github.com/portainer/portainer/api/dataservices/registry"
 	"github.com/portainer/portainer/api/dataservices/resourcecontrol"
 	"github.com/portainer/portainer/api/dataservices/role"
@@ -26,12 +27,12 @@ var migrateLog = plog.NewScopedLog("database, migrate")
 type (
 	// Migrator defines a service to migrate data after a Portainer version update.
 	Migrator struct {
-		currentDBVersion int
-
+		currentDBVersion        int
 		endpointGroupService    *endpointgroup.Service
 		endpointService         *endpoint.Service
 		endpointRelationService *endpointrelation.Service
 		extensionService        *extension.Service
+		fdoProfilesService      *fdoprofile.Service
 		registryService         *registry.Service
 		resourceControlService  *resourcecontrol.Service
 		roleService             *role.Service
@@ -54,6 +55,7 @@ type (
 		EndpointService         *endpoint.Service
 		EndpointRelationService *endpointrelation.Service
 		ExtensionService        *extension.Service
+		FDOProfilesService      *fdoprofile.Service
 		RegistryService         *registry.Service
 		ResourceControlService  *resourcecontrol.Service
 		RoleService             *role.Service
@@ -78,6 +80,7 @@ func NewMigrator(parameters *MigratorParameters) *Migrator {
 		endpointService:         parameters.EndpointService,
 		endpointRelationService: parameters.EndpointRelationService,
 		extensionService:        parameters.ExtensionService,
+		fdoProfilesService:      parameters.FDOProfilesService,
 		registryService:         parameters.RegistryService,
 		resourceControlService:  parameters.ResourceControlService,
 		roleService:             parameters.RoleService,
--- a/api/datastore/services.go
+++ b/api/datastore/services.go
@@ -17,6 +17,7 @@ import (
 	"github.com/portainer/portainer/api/dataservices/endpointgroup"
 	"github.com/portainer/portainer/api/dataservices/endpointrelation"
 	"github.com/portainer/portainer/api/dataservices/extension"
+	"github.com/portainer/portainer/api/dataservices/fdoprofile"
 	"github.com/portainer/portainer/api/dataservices/helmuserrepository"
 	"github.com/portainer/portainer/api/dataservices/registry"
 	"github.com/portainer/portainer/api/dataservices/resourcecontrol"
@@ -50,6 +51,7 @@ type Store struct {
 	EndpointService           *endpoint.Service
 	EndpointRelationService   *endpointrelation.Service
 	ExtensionService          *extension.Service
+	FDOProfilesService        *fdoprofile.Service
 	HelmUserRepositoryService *helmuserrepository.Service
 	RegistryService           *registry.Service
 	ResourceControlService    *resourcecontrol.Service
@@ -129,6 +131,12 @@ func (store *Store) initServices() error {
 	}
 	store.ExtensionService = extensionService

+	fdoProfilesService, err := fdoprofile.NewService(store.connection)
+	if err != nil {
+		return err
+	}
+	store.FDOProfilesService = fdoProfilesService
+
 	helmUserRepositoryService, err := helmuserrepository.NewService(store.connection)
 	if err != nil {
 		return err
@@ -257,6 +265,11 @@ func (store *Store) EndpointRelation() dataservices.EndpointRelationService {
 	return store.EndpointRelationService
 }

+// FDOProfile gives access to the FDOProfile data management layer
+func (store *Store) FDOProfile() dataservices.FDOProfileService {
+	return store.FDOProfilesService
+}
+
 // HelmUserRepository access the helm user repository settings
 func (store *Store) HelmUserRepository() dataservices.HelmUserRepositoryService {
 	return store.HelmUserRepositoryService
@@ -363,118 +376,184 @@ func (store *Store) Export(filename string) (err error) {
 	backup := storeExport{}

 	if c, err := store.CustomTemplate().CustomTemplates(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Custom Templates")
+		}
 	} else {
 		backup.CustomTemplate = c
 	}
+
 	if e, err := store.EdgeGroup().EdgeGroups(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Edge Groups")
+		}
 	} else {
 		backup.EdgeGroup = e
 	}
+
 	if e, err := store.EdgeJob().EdgeJobs(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Edge Jobs")
+		}
 	} else {
 		backup.EdgeJob = e
 	}
+
 	if e, err := store.EdgeStack().EdgeStacks(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Edge Stacks")
+		}
 	} else {
 		backup.EdgeStack = e
 	}
+
 	if e, err := store.Endpoint().Endpoints(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Endpoints")
+		}
 	} else {
 		backup.Endpoint = e
 	}
+
 	if e, err := store.EndpointGroup().EndpointGroups(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Endpoint Groups")
+		}
 	} else {
 		backup.EndpointGroup = e
 	}
+
 	if r, err := store.EndpointRelation().EndpointRelations(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Endpoint Relations")
+		}
 	} else {
 		backup.EndpointRelation = r
 	}
+
 	if r, err := store.ExtensionService.Extensions(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Extensions")
+		}
 	} else {
 		backup.Extensions = r
 	}
-	if r, err := store.HelmUserRepository().HelmUserRepositorys(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+
+	if r, err := store.HelmUserRepository().HelmUserRepositories(); err != nil {
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Helm User Repositories")
+		}
 	} else {
 		backup.HelmUserRepository = r
 	}
+
 	if r, err := store.Registry().Registries(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Registries")
+		}
 	} else {
 		backup.Registry = r
 	}
+
 	if c, err := store.ResourceControl().ResourceControls(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Resource Controls")
+		}
 	} else {
 		backup.ResourceControl = c
 	}
+
 	if role, err := store.Role().Roles(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Roles")
+		}
 	} else {
 		backup.Role = role
 	}
+
 	if r, err := store.ScheduleService.Schedules(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Schedules")
+		}
 	} else {
 		backup.Schedules = r
 	}
+
 	if settings, err := store.Settings().Settings(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Settings")
+		}
 	} else {
 		backup.Settings = *settings
 	}
+
 	if settings, err := store.SSLSettings().Settings(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting SSL Settings")
+		}
 	} else {
 		backup.SSLSettings = *settings
 	}
+
 	if t, err := store.Stack().Stacks(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Stacks")
+		}
 	} else {
 		backup.Stack = t
 	}
+
 	if t, err := store.Tag().Tags(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Tags")
+		}
 	} else {
 		backup.Tag = t
 	}
+
 	if t, err := store.TeamMembership().TeamMemberships(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Team Memberships")
+		}
 	} else {
 		backup.TeamMembership = t
 	}
+
 	if t, err := store.Team().Teams(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Teams")
+		}
 	} else {
 		backup.Team = t
 	}
+
 	if info, err := store.TunnelServer().Info(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Tunnel Server")
+		}
 	} else {
 		backup.TunnelServer = *info
 	}
+
 	if users, err := store.User().Users(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Users")
+		}
 	} else {
 		backup.User = users
 	}
+
 	if webhooks, err := store.Webhook().Webhooks(); err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+		if !store.IsErrObjectNotFound(err) {
+			logrus.WithError(err).Errorf("Exporting Webhooks")
+		}
 	} else {
 		backup.Webhook = webhooks
 	}
+
 	v, err := store.Version().DBVersion()
-	if err != nil {
-		logrus.WithError(err).Debugf("Export boom")
+	if err != nil && !store.IsErrObjectNotFound(err) {
+		logrus.WithError(err).Errorf("Exporting DB version")
 	}
 	instance, _ := store.Version().InstanceID()
 	backup.Version = map[string]string{
@@ -518,50 +597,66 @@ func (store *Store) Import(filename string) (err error) {
 	for _, v := range backup.CustomTemplate {
 		store.CustomTemplate().UpdateCustomTemplate(v.ID, &v)
 	}
+
 	for _, v := range backup.EdgeGroup {
 		store.EdgeGroup().UpdateEdgeGroup(v.ID, &v)
 	}
+
 	for _, v := range backup.EdgeJob {
 		store.EdgeJob().UpdateEdgeJob(v.ID, &v)
 	}
+
 	for _, v := range backup.EdgeStack {
 		store.EdgeStack().UpdateEdgeStack(v.ID, &v)
 	}
+
 	for _, v := range backup.Endpoint {
 		store.Endpoint().UpdateEndpoint(v.ID, &v)
 	}
+
 	for _, v := range backup.EndpointGroup {
 		store.EndpointGroup().UpdateEndpointGroup(v.ID, &v)
 	}
+
 	for _, v := range backup.EndpointRelation {
 		store.EndpointRelation().UpdateEndpointRelation(v.EndpointID, &v)
 	}
+
 	for _, v := range backup.HelmUserRepository {
 		store.HelmUserRepository().UpdateHelmUserRepository(v.ID, &v)
 	}
+
 	for _, v := range backup.Registry {
 		store.Registry().UpdateRegistry(v.ID, &v)
 	}
+
 	for _, v := range backup.ResourceControl {
 		store.ResourceControl().UpdateResourceControl(v.ID, &v)
 	}
+
 	for _, v := range backup.Role {
 		store.Role().UpdateRole(v.ID, &v)
 	}
+
 	store.Settings().UpdateSettings(&backup.Settings)
 	store.SSLSettings().UpdateSettings(&backup.SSLSettings)
+
 	for _, v := range backup.Stack {
 		store.Stack().UpdateStack(v.ID, &v)
 	}
+
 	for _, v := range backup.Tag {
 		store.Tag().UpdateTag(v.ID, &v)
 	}
+
 	for _, v := range backup.TeamMembership {
 		store.TeamMembership().UpdateTeamMembership(v.ID, &v)
 	}
+
 	for _, v := range backup.Team {
 		store.Team().UpdateTeam(v.ID, &v)
 	}
+
 	store.TunnelServer().UpdateInfo(&backup.TunnelServer)

 	for _, user := range backup.User {
@@ -570,10 +665,9 @@ func (store *Store) Import(filename string) (err error) {
 		}
 	}

-	// backup[store.Webhook().BucketName()], err = store.Webhook().Webhooks()
-	// if err != nil {
-	// 	logrus.WithError(err).Debugf("Export boom")
-	// }
+	for _, v := range backup.Webhook {
+		store.Webhook().UpdateWebhook(v.ID, &v)
+	}

 	return nil
 }
--- a/api/datastore/teststore.go
+++ b/api/datastore/teststore.go
@@ -42,7 +42,7 @@ func NewTestStore(init bool) (bool, *Store, func(), error) {
 		return false, nil, nil, err
 	}

-	connection, err := database.NewDatabase("boltdb", storePath)
+	connection, err := database.NewDatabase("boltdb", storePath, []byte("apassphrasewhichneedstobe32bytes"))
 	if err != nil {
 		panic(err)
 	}
--- a/api/exec/common.go
+++ b/api/exec/common.go
@@ -33,7 +33,7 @@ func (s StringSet) List() []string {
 	list := make([]string, s.Len())

 	i := 0
-	for k, _ := range s {
+	for k := range s {
 		list[i] = k
 		i++
 	}
--- a/api/exec/compose_stack.go
+++ b/api/exec/compose_stack.go
@@ -46,7 +46,7 @@ func (manager *ComposeStackManager) ComposeSyntaxMaxVersion() string {
 }

 // Up builds, (re)creates and starts containers in the background. Wraps `docker-compose up -d` command
-func (manager *ComposeStackManager) Up(ctx context.Context, stack *portainer.Stack, endpoint *portainer.Endpoint) error {
+func (manager *ComposeStackManager) Up(ctx context.Context, stack *portainer.Stack, endpoint *portainer.Endpoint, forceRereate bool) error {
 	url, proxy, err := manager.fetchEndpointProxy(endpoint)
 	if err != nil {
 		return errors.Wrap(err, "failed to fetch environment proxy")
@@ -62,7 +62,7 @@ func (manager *ComposeStackManager) Up(ctx context.Context, stack *portainer.Sta
 	}

 	filePaths := stackutils.GetStackFilePaths(stack)
-	err = manager.deployer.Deploy(ctx, stack.ProjectPath, url, stack.Name, filePaths, envFilePath)
+	err = manager.deployer.Deploy(ctx, stack.ProjectPath, url, stack.Name, filePaths, envFilePath, forceRereate)
 	return errors.Wrap(err, "failed to deploy a stack")
 }

--- a/api/exec/compose_stack_integration_test.go
+++ b/api/exec/compose_stack_integration_test.go
@@ -50,7 +50,7 @@ func Test_UpAndDown(t *testing.T) {

 	ctx := context.TODO()

-	err = w.Up(ctx, stack, endpoint)
+	err = w.Up(ctx, stack, endpoint, false)
 	if err != nil {
 		t.Fatalf("Error calling docker-compose up: %s", err)
 	}
--- a/api/filesystem/filesystem.go
+++ b/api/filesystem/filesystem.go
@@ -35,6 +35,8 @@ const (
 	ManifestFileDefaultName = "k8s-deployment.yml"
 	// EdgeStackStorePath represents the subfolder where edge stack files are stored in the file store folder.
 	EdgeStackStorePath = "edge_stacks"
+	// FDOProfileStorePath represents the subfolder where FDO profiles files are stored in the file store folder.
+	FDOProfileStorePath = "fdo_profiles"
 	// PrivateKeyFile represents the name on disk of the file containing the private key.
 	PrivateKeyFile = "portainer.key"
 	// PublicKeyFile represents the name on disk of the file containing the public key.
@@ -652,3 +654,20 @@ func MoveDirectory(originalPath, newPath string) error {

 	return os.Rename(originalPath, newPath)
 }
+
+// StoreFDOProfileFileFromBytes creates a subfolder in the FDOProfileStorePath and stores a new file from bytes.
+// It returns the path to the folder where the file is stored.
+func (service *Service) StoreFDOProfileFileFromBytes(fdoProfileIdentifier string, data []byte) (string, error) {
+	err := service.createDirectoryInStore(FDOProfileStorePath)
+	if err != nil {
+		return "", err
+	}
+
+	filePath := JoinPaths(FDOProfileStorePath, fdoProfileIdentifier)
+	err = service.createFileInStore(filePath, bytes.NewReader(data))
+	if err != nil {
+		return "", err
+	}
+
+	return service.wrapFileStore(filePath), nil
+}
--- a/api/go.mod
+++ b/api/go.mod
@@ -30,7 +30,7 @@ require (
 	github.com/koding/websocketproxy v0.0.0-20181220232114-7ed82d81a28c
 	github.com/orcaman/concurrent-map v0.0.0-20190826125027-8c72a8bb44f6
 	github.com/pkg/errors v0.9.1
-	github.com/portainer/docker-compose-wrapper v0.0.0-20211018221743-10a04c9d4f19
+	github.com/portainer/docker-compose-wrapper v0.0.0-20220113045708-6569596db840
 	github.com/portainer/libcrypto v0.0.0-20210422035235-c652195c5c3a
 	github.com/portainer/libhelm v0.0.0-20210929000907-825e93d62108
 	github.com/portainer/libhttp v0.0.0-20211021135806-13e6c55c5fbc
@@ -96,6 +96,7 @@ require (
 	github.com/sergi/go-diff v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/tomasen/realip v0.0.0-20180522021738-f0c99a92ddce // indirect
+	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
--- a/api/go.sum
+++ b/api/go.sum
@@ -613,8 +613,8 @@ github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/portainer/docker-compose-wrapper v0.0.0-20211018221743-10a04c9d4f19 h1:tG2gU4mkm5yElj35XpU3lgllOYQxN3kaM1Jab7AqTDs=
-github.com/portainer/docker-compose-wrapper v0.0.0-20211018221743-10a04c9d4f19/go.mod h1:WxDlJWZxCnicdLCPnLNEv7/gRhjeIVuCGmsv+iOPH3c=
+github.com/portainer/docker-compose-wrapper v0.0.0-20220113045708-6569596db840 h1:Nciddt8Y8G8nTMmyDfWxeN23PZUcsqbZE2zOFB/F1xg=
+github.com/portainer/docker-compose-wrapper v0.0.0-20220113045708-6569596db840/go.mod h1:WxDlJWZxCnicdLCPnLNEv7/gRhjeIVuCGmsv+iOPH3c=
 github.com/portainer/libcrypto v0.0.0-20210422035235-c652195c5c3a h1:qY8TbocN75n5PDl16o0uVr5MevtM5IhdwSelXEd4nFM=
 github.com/portainer/libcrypto v0.0.0-20210422035235-c652195c5c3a/go.mod h1:n54EEIq+MM0NNtqLeCby8ljL+l275VpolXO0ibHegLE=
 github.com/portainer/libhelm v0.0.0-20210929000907-825e93d62108 h1:5e8KAnDa2G3cEHK7aV/ue8lOaoQwBZUzoALslwWkR04=
--- a/api/hostmanagement/openamt/openamt.go
+++ b/api/hostmanagement/openamt/openamt.go
@@ -6,13 +6,12 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"golang.org/x/sync/errgroup"
 	"io/ioutil"
 	"net/http"
 	"time"

 	portainer "github.com/portainer/portainer/api"
-	"github.com/portainer/portainer/api/dataservices"
-	"golang.org/x/sync/errgroup"
 )

 const (
@@ -32,7 +31,7 @@ type Service struct {
 }

 // NewService initializes a new service.
-func NewService(dataStore dataservices.DataStore) *Service {
+func NewService() *Service {
 	return &Service{
 		httpsClient: &http.Client{
 			Timeout: httpClientTimeout,
--- a/api/http/handler/auth/authenticate.go
+++ b/api/http/handler/auth/authenticate.go
@@ -12,6 +12,7 @@ import (
 	"github.com/portainer/libhttp/response"
 	portainer "github.com/portainer/portainer/api"
 	httperrors "github.com/portainer/portainer/api/http/errors"
+	"github.com/portainer/portainer/api/internal/authorization"
 )

 type authenticatePayload struct {
@@ -49,7 +50,7 @@ func (payload *authenticatePayload) Validate(r *http.Request) error {
 // @failure 422 "Invalid Credentials"
 // @failure 500 "Server error"
 // @router /auth [post]
-func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+func (handler *Handler) authenticate(rw http.ResponseWriter, r *http.Request) *httperror.HandlerError {
 	var payload authenticatePayload
 	err := request.DecodeAndValidateJSONPayload(r, &payload)
 	if err != nil {
@@ -61,39 +62,36 @@ func (handler *Handler) authenticate(w http.ResponseWriter, r *http.Request) *ht
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
 	}

-	u, err := handler.DataStore.User().UserByUsername(payload.Username)
-	if err != nil && !handler.DataStore.IsErrObjectNotFound(err) {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
+	user, err := handler.DataStore.User().UserByUsername(payload.Username)
+	if err != nil {
+		if !handler.DataStore.IsErrObjectNotFound(err) {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve a user with the specified username from the database", err}
+		}
+
+		if settings.AuthenticationMethod == portainer.AuthenticationInternal ||
+			settings.AuthenticationMethod == portainer.AuthenticationOAuth ||
+			(settings.AuthenticationMethod == portainer.AuthenticationLDAP && !settings.LDAPSettings.AutoCreateUsers) {
+			return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized}
+		}
 	}

-	if handler.DataStore.IsErrObjectNotFound(err) && (settings.AuthenticationMethod == portainer.AuthenticationInternal || settings.AuthenticationMethod == portainer.AuthenticationOAuth) {
-		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized}
+	if user != nil && isUserInitialAdmin(user) || settings.AuthenticationMethod == portainer.AuthenticationInternal {
+		return handler.authenticateInternal(rw, user, payload.Password)
+	}
+
+	if settings.AuthenticationMethod == portainer.AuthenticationOAuth {
+		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Only initial admin is allowed to login without oauth", httperrors.ErrUnauthorized}
 	}

 	if settings.AuthenticationMethod == portainer.AuthenticationLDAP {
-		if u == nil && settings.LDAPSettings.AutoCreateUsers {
-			return handler.authenticateLDAPAndCreateUser(w, payload.Username, payload.Password, &settings.LDAPSettings)
-		} else if u == nil && !settings.LDAPSettings.AutoCreateUsers {
-			return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", httperrors.ErrUnauthorized}
-		}
-		return handler.authenticateLDAP(w, u, payload.Password, &settings.LDAPSettings)
+		return handler.authenticateLDAP(rw, user, payload.Username, payload.Password, &settings.LDAPSettings)
 	}

-	return handler.authenticateInternal(w, u, payload.Password)
+	return &httperror.HandlerError{http.StatusUnprocessableEntity, "Login method is not supported", httperrors.ErrUnauthorized}
 }

-func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.User, password string, ldapSettings *portainer.LDAPSettings) *httperror.HandlerError {
-	err := handler.LDAPService.AuthenticateUser(user.Username, password, ldapSettings)
-	if err != nil {
-		return handler.authenticateInternal(w, user, password)
-	}
-
-	err = handler.addUserIntoTeams(user, ldapSettings)
-	if err != nil {
-		log.Printf("Warning: unable to automatically add user into teams: %s\n", err.Error())
-	}
-
-	return handler.writeToken(w, user)
+func isUserInitialAdmin(user *portainer.User) bool {
+	return int(user.ID) == 1
 }

 func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portainer.User, password string) *httperror.HandlerError {
@@ -105,20 +103,27 @@ func (handler *Handler) authenticateInternal(w http.ResponseWriter, user *portai
 	return handler.writeToken(w, user)
 }

-func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, username, password string, ldapSettings *portainer.LDAPSettings) *httperror.HandlerError {
+func (handler *Handler) authenticateLDAP(w http.ResponseWriter, user *portainer.User, username, password string, ldapSettings *portainer.LDAPSettings) *httperror.HandlerError {
 	err := handler.LDAPService.AuthenticateUser(username, password, ldapSettings)
 	if err != nil {
-		return &httperror.HandlerError{http.StatusUnprocessableEntity, "Invalid credentials", err}
+		return &httperror.HandlerError{
+			StatusCode: http.StatusForbidden,
+			Message:    "Only initial admin is allowed to login without oauth",
+			Err:        err,
+		}
 	}

-	user := &portainer.User{
-		Username: username,
-		Role:     portainer.StandardUserRole,
-	}
+	if user == nil {
+		user = &portainer.User{
+			Username:                username,
+			Role:                    portainer.StandardUserRole,
+			PortainerAuthorizations: authorization.DefaultPortainerAuthorizations(),
+		}

-	err = handler.DataStore.User().Create(user)
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
+		err = handler.DataStore.User().Create(user)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user inside the database", err}
+		}
 	}

 	err = handler.addUserIntoTeams(user, ldapSettings)
@@ -130,7 +135,9 @@ func (handler *Handler) authenticateLDAPAndCreateUser(w http.ResponseWriter, use
 }

 func (handler *Handler) writeToken(w http.ResponseWriter, user *portainer.User) *httperror.HandlerError {
-	return handler.persistAndWriteToken(w, composeTokenData(user))
+	tokenData := composeTokenData(user)
+
+	return handler.persistAndWriteToken(w, tokenData)
 }

 func (handler *Handler) persistAndWriteToken(w http.ResponseWriter, tokenData *portainer.TokenData) *httperror.HandlerError {
--- a/api/http/handler/endpointproxy/proxy_docker.go
+++ b/api/http/handler/endpointproxy/proxy_docker.go
@@ -4,9 +4,9 @@ import (
 	"errors"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
+	portainer "github.com/portainer/portainer/api"
 	"strconv"
 	"strings"
-	portainer "github.com/portainer/portainer/api"

 	"net/http"
 )
--- a/api/http/handler/endpoints/endpoint_create.go
+++ b/api/http/handler/endpoints/endpoint_create.go
@@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"

+	"github.com/gofrs/uuid"
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
@@ -339,6 +340,20 @@ func (handler *Handler) createEdgeAgentEndpoint(payload *endpointCreatePayload)
 		IsEdgeDevice:        payload.IsEdgeDevice,
 	}

+	settings, err := handler.DataStore.Settings().Settings()
+	if err != nil {
+		return nil, &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve the settings from the database", err}
+	}
+
+	if settings.EnforceEdgeID {
+		edgeID, err := uuid.NewV4()
+		if err != nil {
+			return nil, &httperror.HandlerError{http.StatusInternalServerError, "Cannot generate the Edge ID", err}
+		}
+
+		endpoint.EdgeID = edgeID.String()
+	}
+
 	err = handler.saveEndpointAndUpdateAuthorizations(endpoint)
 	if err != nil {
 		return nil, &httperror.HandlerError{http.StatusInternalServerError, "An error occured while trying to create the environment", err}
--- a/api/http/handler/endpoints/endpoint_list.go
+++ b/api/http/handler/endpoints/endpoint_list.go
@@ -89,8 +89,10 @@ func (handler *Handler) endpointList(w http.ResponseWriter, r *http.Request) *ht
 		filteredEndpoints = filterEndpointsByGroupID(filteredEndpoints, portainer.EndpointGroupID(groupID))
 	}

-	edgeDeviceFilter, _ := request.RetrieveBooleanQueryParameter(r, "edgeDeviceFilter", true)
-	filteredEndpoints = filterEndpointsByEdgeDevice(filteredEndpoints, edgeDeviceFilter)
+	edgeDeviceFilter, edgeDeviceFilterErr := request.RetrieveBooleanQueryParameter(r, "edgeDeviceFilter", false)
+	if edgeDeviceFilterErr == nil {
+		filteredEndpoints = filterEndpointsByEdgeDevice(filteredEndpoints, edgeDeviceFilter)
+	}

 	if search != "" {
 		tags, err := handler.DataStore.Tag().Tags()
--- a/api/http/handler/endpoints/endpoint_snapshot.go
+++ b/api/http/handler/endpoints/endpoint_snapshot.go
@@ -1,6 +1,7 @@
 package endpoints

 import (
+	"errors"
 	"net/http"

 	httperror "github.com/portainer/libhttp/error"
@@ -37,7 +38,7 @@ func (handler *Handler) endpointSnapshot(w http.ResponseWriter, r *http.Request)
 	}

 	if !snapshot.SupportDirectSnapshot(endpoint) {
-		return &httperror.HandlerError{http.StatusBadRequest, "Snapshots not supported for this environment", err}
+		return &httperror.HandlerError{http.StatusBadRequest, "Snapshots not supported for this environment", errors.New("Snapshots not supported for this environment")}
 	}

 	snapshotError := handler.SnapshotService.SnapshotEndpoint(endpoint)
--- a/api/http/handler/endpoints/endpoint_status_inspect.go
+++ b/api/http/handler/endpoints/endpoint_status_inspect.go
@@ -103,6 +103,15 @@ func (handler *Handler) endpointStatusInspect(w http.ResponseWriter, r *http.Req
 		}
 	}

+	if endpoint.EdgeCheckinInterval == 0 {
+		settings, err := handler.DataStore.Settings().Settings()
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
+		}
+
+		endpoint.EdgeCheckinInterval = settings.EdgeAgentCheckinInterval
+	}
+
 	endpoint.LastCheckInDate = time.Now().Unix()

 	err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
@@ -110,18 +119,8 @@ func (handler *Handler) endpointStatusInspect(w http.ResponseWriter, r *http.Req
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to Unable to persist environment changes inside the database", err}
 	}

-	settings, err := handler.DataStore.Settings().Settings()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
-	}
-
 	tunnel := handler.ReverseTunnelService.GetTunnelDetails(endpoint.ID)

-	checkinInterval := settings.EdgeAgentCheckinInterval
-	if endpoint.EdgeCheckinInterval != 0 {
-		checkinInterval = endpoint.EdgeCheckinInterval
-	}
-
 	schedules := []edgeJobResponse{}
 	for _, job := range tunnel.Jobs {
 		schedule := edgeJobResponse{
@@ -146,7 +145,7 @@ func (handler *Handler) endpointStatusInspect(w http.ResponseWriter, r *http.Req
 		Status:          tunnel.Status,
 		Port:            tunnel.Port,
 		Schedules:       schedules,
-		CheckinInterval: checkinInterval,
+		CheckinInterval: endpoint.EdgeCheckinInterval,
 		Credentials:     tunnel.Credentials,
 	}

--- a/api/http/handler/endpoints/endpoint_update.go
+++ b/api/http/handler/endpoints/endpoint_update.go
@@ -46,6 +46,8 @@ type endpointUpdatePayload struct {
 	EdgeCheckinInterval *int `example:"5"`
 	// Associated Kubernetes data
 	Kubernetes *portainer.KubernetesData
+	// Whether the device has been trusted or not by the user
+	UserTrusted *bool
 }

 func (payload *endpointUpdatePayload) Validate(r *http.Request) error {
@@ -270,6 +272,10 @@ func (handler *Handler) endpointUpdate(w http.ResponseWriter, r *http.Request) *
 		}
 	}

+	if payload.UserTrusted != nil {
+		endpoint.UserTrusted = *payload.UserTrusted
+	}
+
 	err = handler.DataStore.Endpoint().UpdateEndpoint(endpoint.ID, endpoint)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist environment changes inside the database", err}
--- a/api/http/handler/handler.go
+++ b/api/http/handler/handler.go
@@ -80,7 +80,7 @@ type Handler struct {
 }

 // @title PortainerCE API
-// @version 2.11.0
+// @version 2.11.1
 // @description.markdown api-description.md
 // @termsOfService

@@ -230,13 +230,9 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	case strings.HasPrefix(r.URL.Path, "/api/ssl"):
 		http.StripPrefix("/api", h.SSLHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/open_amt"):
-		if h.OpenAMTHandler != nil {
-			http.StripPrefix("/api", h.OpenAMTHandler).ServeHTTP(w, r)
-		}
+		http.StripPrefix("/api", h.OpenAMTHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/fdo"):
-		if h.FDOHandler != nil {
-			http.StripPrefix("/api", h.FDOHandler).ServeHTTP(w, r)
-		}
+		http.StripPrefix("/api", h.FDOHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/teams"):
 		http.StripPrefix("/api", h.TeamHandler).ServeHTTP(w, r)
 	case strings.HasPrefix(r.URL.Path, "/api/team_memberships"):
--- a/api/http/handler/hostmanagement/fdo/configure.go
+++ b/api/http/handler/hostmanagement/fdo/configure.go
@@ -3,28 +3,35 @@ package fdo
 import (
 	"encoding/hex"
 	"errors"
-	"fmt"
-	"io"
 	"net/http"
 	"net/url"
-	"path"
 	"strings"

-	cbor "github.com/fxamacker/cbor/v2"
+	"github.com/fxamacker/cbor/v2"

 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/sirupsen/logrus"
 )

+const (
+	deploymentScriptName = "fdo.sh"
+)
+
 type deviceConfigurePayload struct {
-	EdgeKey    string `json:"edgeKey"`
-	Name       string `json:"name"`
-	ProfileURL string `json:"profile"`
+	EdgeID    string `json:"edgeID"`
+	EdgeKey   string `json:"edgeKey"`
+	Name      string `json:"name"`
+	ProfileID int    `json:"profile"`
 }

 func (payload *deviceConfigurePayload) Validate(r *http.Request) error {
+	if payload.EdgeID == "" {
+		return errors.New("invalid edge ID provided")
+	}
+
 	if payload.EdgeKey == "" {
 		return errors.New("invalid edge key provided")
 	}
@@ -33,26 +40,16 @@ func (payload *deviceConfigurePayload) Validate(r *http.Request) error {
 		return errors.New("the device name cannot be empty")
 	}

-	if err := validateURL(payload.ProfileURL); err != nil {
-		return fmt.Errorf("FDO profile URL: %w", err)
+	if payload.ProfileID < 1 {
+		return errors.New("invalid profile id provided")
 	}

 	return nil
 }

-func fetchProfileContents(profileURL string) ([]byte, error) {
-	resp, err := http.Get(profileURL)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	return io.ReadAll(resp.Body)
-}
-
 // @id fdoConfigureDevice
-// @summary configure an FDO device
-// @description configure an FDO device
+// @summary configures an FDO device
+// @description configures an FDO device
 // @description **Access policy**: administrator
 // @tags intel
 // @security jwt
@@ -78,14 +75,17 @@ func (handler *Handler) fdoConfigureDevice(w http.ResponseWriter, r *http.Reques
 		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Invalid request payload", Err: err}
 	}

-	profileUrl, err := url.Parse(payload.ProfileURL)
-	if err != nil {
-		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "fdoConfigureDevice: invalid FDO profile URL", Err: err}
+	profile, err := handler.DataStore.FDOProfile().FDOProfile(portainer.FDOProfileID(payload.ProfileID))
+	if handler.DataStore.IsErrObjectNotFound(err) {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a FDO Profile with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a FDO Profile with the specified identifier inside the database", err}
 	}

-	profileContents, err := fetchProfileContents(payload.ProfileURL)
+	fileContent, err := handler.FileService.GetFileContent(profile.FilePath, "")
 	if err != nil {
-		return &httperror.HandlerError{StatusCode: http.StatusBadGateway, Message: "fdoConfigureDevice: could not retrieve the FDO profile", Err: err}
+		logrus.WithError(err).Info("fdoConfigureDevice: GetFileContent")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: GetFileContent", Err: err}
 	}

 	fdoClient, err := handler.newFDOClient()
@@ -106,6 +106,17 @@ func (handler *Handler) fdoConfigureDevice(w http.ResponseWriter, r *http.Reques
 		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: PutDeviceSVIRaw()", Err: err}
 	}

+	if err = fdoClient.PutDeviceSVIRaw(url.Values{
+		"guid":     []string{guid},
+		"priority": []string{"1"},
+		"module":   []string{"fdo_sys"},
+		"var":      []string{"filedesc"},
+		"filename": []string{"DEVICE_edgeid.txt"},
+	}, []byte(payload.EdgeID)); err != nil {
+		logrus.WithError(err).Info("fdoConfigureDevice: PutDeviceSVIRaw(edgeid)")
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: PutDeviceSVIRaw(edgeid)", Err: err}
+	}
+
 	// write down the edgekey
 	if err = fdoClient.PutDeviceSVIRaw(url.Values{
 		"guid":     []string{guid},
@@ -142,15 +153,13 @@ func (handler *Handler) fdoConfigureDevice(w http.ResponseWriter, r *http.Reques
 		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: PutDeviceSVIRaw()", Err: err}
 	}

-	// onboarding script - this would get selected by the profile name
-	deploymentScriptName := path.Base(profileUrl.Path)
 	if err = fdoClient.PutDeviceSVIRaw(url.Values{
 		"guid":     []string{guid},
 		"priority": []string{"1"},
 		"module":   []string{"fdo_sys"},
 		"var":      []string{"filedesc"},
 		"filename": []string{deploymentScriptName},
-	}, profileContents); err != nil {
+	}, fileContent); err != nil {
 		logrus.WithError(err).Info("fdoConfigureDevice: PutDeviceSVIRaw()")
 		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: PutDeviceSVIRaw()", Err: err}
 	}
@@ -161,15 +170,15 @@ func (handler *Handler) fdoConfigureDevice(w http.ResponseWriter, r *http.Reques
 		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: PutDeviceSVIRaw() failed to encode", Err: err}
 	}

-	cbor := strings.ToUpper(hex.EncodeToString(b))
-	logrus.WithField("cbor", cbor).WithField("string", deploymentScriptName).Info("converted to CBOR")
+	cborBytes := strings.ToUpper(hex.EncodeToString(b))
+	logrus.WithField("cbor", cborBytes).WithField("string", deploymentScriptName).Info("converted to CBOR")

 	if err = fdoClient.PutDeviceSVIRaw(url.Values{
 		"guid":     []string{guid},
 		"priority": []string{"2"},
 		"module":   []string{"fdo_sys"},
 		"var":      []string{"exec"},
-		"bytes":    []string{cbor},
+		"bytes":    []string{cborBytes},
 	}, []byte("")); err != nil {
 		logrus.WithError(err).Info("fdoConfigureDevice: PutDeviceSVIRaw()")
 		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "fdoConfigureDevice: PutDeviceSVIRaw()", Err: err}
--- a/api/http/handler/hostmanagement/fdo/fdo.go
+++ b/api/http/handler/hostmanagement/fdo/fdo.go
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strconv"
 	"time"

 	httperror "github.com/portainer/libhttp/error"
@@ -39,10 +40,6 @@ func (payload *fdoConfigurePayload) Validate(r *http.Request) error {
 		if err := validateURL(payload.OwnerURL); err != nil {
 			return fmt.Errorf("owner server URL: %w", err)
 		}
-
-		if err := validateURL(payload.ProfilesURL); err != nil {
-			return fmt.Errorf("profile list URL: %w", err)
-		}
 	}

 	return nil
@@ -100,5 +97,68 @@ func (handler *Handler) fdoConfigure(w http.ResponseWriter, r *http.Request) *ht
 		return &httperror.HandlerError{StatusCode: http.StatusBadRequest, Message: "Error saving FDO settings", Err: err}
 	}

+	profiles, err := handler.DataStore.FDOProfile().FDOProfiles()
+	if err != nil {
+		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Error saving FDO settings", Err: err}
+	}
+	if len(profiles) == 0 {
+		err = handler.addDefaultProfile()
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
+		}
+	}
+
 	return response.Empty(w)
 }
+
+func (handler *Handler) addDefaultProfile() error {
+	profileID := handler.DataStore.FDOProfile().GetNextIdentifier()
+	profile := &portainer.FDOProfile{
+		ID:   portainer.FDOProfileID(profileID),
+		Name: "Docker Standalone + Edge",
+	}
+
+	filePath, err := handler.FileService.StoreFDOProfileFileFromBytes(strconv.Itoa(int(profile.ID)), []byte(defaultProfileFileContent))
+	if err != nil {
+		return err
+	}
+	profile.FilePath = filePath
+	profile.DateCreated = time.Now().Unix()
+
+	err = handler.DataStore.FDOProfile().Create(profile)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+const defaultProfileFileContent = `
+#!/bin/bash -ex
+
+env > env.log
+
+export AGENT_IMAGE=portainer/agent:2.11.0
+export GUID=$(cat DEVICE_GUID.txt)
+export DEVICE_NAME=$(cat DEVICE_name.txt)
+export EDGE_ID=$(cat DEVICE_edgeid.txt)
+export EDGE_KEY=$(cat DEVICE_edgekey.txt)
+export AGENTVOLUME=$(pwd)/data/portainer_agent_data/
+
+mkdir -p ${AGENTVOLUME}
+
+docker pull ${AGENT_IMAGE}
+
+docker run -d \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+    -v /var/lib/docker/volumes:/var/lib/docker/volumes \
+    -v /:/host \
+    -v ${AGENTVOLUME}:/data \
+    --restart always \
+    -e EDGE=1 \
+    -e EDGE_ID=${EDGE_ID} \
+    -e EDGE_KEY=${EDGE_KEY} \
+    -e CAP_HOST_MANAGEMENT=1 \
+    -e EDGE_INSECURE_POLL=1 \
+    --name portainer_edge_agent \
+    ${AGENT_IMAGE}
+`
--- a/api/http/handler/hostmanagement/fdo/handler.go
+++ b/api/http/handler/hostmanagement/fdo/handler.go
@@ -6,26 +6,35 @@ import (
 	"github.com/gorilla/mux"

 	httperror "github.com/portainer/libhttp/error"
+	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/http/security"
 )

 type Handler struct {
 	*mux.Router
-	DataStore dataservices.DataStore
+	DataStore   dataservices.DataStore
+	FileService portainer.FileService
 }

-func NewHandler(bouncer *security.RequestBouncer, dataStore dataservices.DataStore) *Handler {
+func NewHandler(bouncer *security.RequestBouncer, dataStore dataservices.DataStore, fileService portainer.FileService) *Handler {
 	h := &Handler{
-		Router:    mux.NewRouter(),
-		DataStore: dataStore,
+		Router:      mux.NewRouter(),
+		DataStore:   dataStore,
+		FileService: fileService,
 	}

 	h.Handle("/fdo/configure", bouncer.AdminAccess(httperror.LoggerHandler(h.fdoConfigure))).Methods(http.MethodPost)
 	h.Handle("/fdo/list", bouncer.AdminAccess(httperror.LoggerHandler(h.fdoListAll))).Methods(http.MethodGet)
 	h.Handle("/fdo/register", bouncer.AdminAccess(httperror.LoggerHandler(h.fdoRegisterDevice))).Methods(http.MethodPost)
 	h.Handle("/fdo/configure/{guid}", bouncer.AdminAccess(httperror.LoggerHandler(h.fdoConfigureDevice))).Methods(http.MethodPost)
-	h.Handle("/fdo/profiles", bouncer.AdminAccess(httperror.LoggerHandler(h.fdoProfiles))).Methods(http.MethodGet)
+
+	h.Handle("/fdo/profiles", bouncer.AdminAccess(httperror.LoggerHandler(h.fdoProfileList))).Methods(http.MethodGet)
+	h.Handle("/fdo/profiles", bouncer.AdminAccess(httperror.LoggerHandler(h.createProfile))).Methods(http.MethodPost)
+	h.Handle("/fdo/profiles/{id}", bouncer.AdminAccess(httperror.LoggerHandler(h.fdoProfileInspect))).Methods(http.MethodGet)
+	h.Handle("/fdo/profiles/{id}", bouncer.AdminAccess(httperror.LoggerHandler(h.updateProfile))).Methods(http.MethodPut)
+	h.Handle("/fdo/profiles/{id}", bouncer.AdminAccess(httperror.LoggerHandler(h.deleteProfile))).Methods(http.MethodDelete)
+	h.Handle("/fdo/profiles/{id}/duplicate", bouncer.AdminAccess(httperror.LoggerHandler(h.duplicateProfile))).Methods(http.MethodPost)

 	return h
 }
--- a/api/http/handler/hostmanagement/fdo/profile_create.go
+++ b/api/http/handler/hostmanagement/fdo/profile_create.go
@@ -0,0 +1,92 @@
+package fdo
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strconv"
+	"time"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+)
+
+type createProfileFromFileContentPayload struct {
+	Name               string
+	ProfileFileContent string
+}
+
+func (payload *createProfileFromFileContentPayload) Validate(r *http.Request) error {
+	if payload.Name == "" {
+		return errors.New("profile name must be provided")
+	}
+
+	if payload.ProfileFileContent == "" {
+		return errors.New("profile file content must be provided")
+	}
+
+	return nil
+}
+
+// @id createProfile
+// @summary creates a new FDO Profile
+// @description creates a new FDO Profile
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 409 "Profile name already exists"
+// @failure 500 "Server error"
+// @router /fdo/profiles [post]
+func (handler *Handler) createProfile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	method, err := request.RetrieveQueryParameter(r, "method", false)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid query parameter: method", err}
+	}
+
+	switch method {
+	case "editor":
+		return handler.createFDOProfileFromFileContent(w, r)
+	}
+	return &httperror.HandlerError{http.StatusBadRequest, "Invalid method. Value must be one of: editor", errors.New("invalid method")}
+}
+
+func (handler *Handler) createFDOProfileFromFileContent(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	var payload createProfileFromFileContentPayload
+	err := request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	isUnique, err := handler.checkUniqueProfileName(payload.Name, -1)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
+	}
+	if !isUnique {
+		return &httperror.HandlerError{http.StatusConflict, fmt.Sprintf("A profile with the name '%s' already exists", payload.Name), errors.New("a profile already exists with this name")}
+	}
+
+	profileID := handler.DataStore.FDOProfile().GetNextIdentifier()
+	profile := &portainer.FDOProfile{
+		ID:   portainer.FDOProfileID(profileID),
+		Name: payload.Name,
+	}
+
+	filePath, err := handler.FileService.StoreFDOProfileFileFromBytes(strconv.Itoa(int(profile.ID)), []byte(payload.ProfileFileContent))
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist profile file on disk", err}
+	}
+	profile.FilePath = filePath
+	profile.DateCreated = time.Now().Unix()
+
+	err = handler.DataStore.FDOProfile().Create(profile)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the profile inside the database", err}
+	}
+
+	return response.JSON(w, profile)
+}
--- a/api/http/handler/hostmanagement/fdo/profile_delete.go
+++ b/api/http/handler/hostmanagement/fdo/profile_delete.go
@@ -0,0 +1,36 @@
+package fdo
+
+import (
+	"errors"
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+)
+
+// @id deleteProfile
+// @summary deletes a FDO Profile
+// @description deletes a FDO Profile
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @router /fdo/profiles/{id} [delete]
+func (handler *Handler) deleteProfile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	id, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Bad request", errors.New("missing 'id' query parameter")}
+	}
+
+	err = handler.DataStore.FDOProfile().Delete(portainer.FDOProfileID(id))
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to delete Profile", err}
+	}
+
+	return response.Empty(w)
+}
--- a/api/http/handler/hostmanagement/fdo/profile_duplicate.go
+++ b/api/http/handler/hostmanagement/fdo/profile_duplicate.go
@@ -0,0 +1,67 @@
+package fdo
+
+import (
+	"errors"
+	"fmt"
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+	"net/http"
+	"strconv"
+	"time"
+)
+
+// @id duplicate
+// @summary duplicated an existing FDO Profile
+// @description duplicated an existing FDO Profile
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @router /fdo/profiles/{id}/duplicate [post]
+func (handler *Handler) duplicateProfile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	id, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Bad request", errors.New("missing 'id' query parameter")}
+	}
+
+	originalProfile, err := handler.DataStore.FDOProfile().FDOProfile(portainer.FDOProfileID(id))
+	if handler.DataStore.IsErrObjectNotFound(err) {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a FDO Profile with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a FDO Profile with the specified identifier inside the database", err}
+	}
+
+	fileContent, err := handler.FileService.GetFileContent(originalProfile.FilePath, "")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Profile file content", err}
+	}
+
+	profileID := handler.DataStore.FDOProfile().GetNextIdentifier()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to duplicate Profile", err}
+	}
+
+	newProfile := &portainer.FDOProfile{
+		ID:   portainer.FDOProfileID(profileID),
+		Name: fmt.Sprintf("%s - copy", originalProfile.Name),
+	}
+
+	filePath, err := handler.FileService.StoreFDOProfileFileFromBytes(strconv.Itoa(int(newProfile.ID)), fileContent)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist profile file on disk", err}
+	}
+	newProfile.FilePath = filePath
+	newProfile.DateCreated = time.Now().Unix()
+
+	err = handler.DataStore.FDOProfile().Create(newProfile)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the profile inside the database", err}
+	}
+
+	return response.JSON(w, newProfile)
+}
--- a/api/http/handler/hostmanagement/fdo/profile_inspect.go
+++ b/api/http/handler/hostmanagement/fdo/profile_inspect.go
@@ -0,0 +1,49 @@
+package fdo
+
+import (
+	"errors"
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+)
+
+type fdoProfileResponse struct {
+	Name        string `json:"name"`
+	FileContent string `json:"fileContent"`
+}
+
+// @id fdoProfileInspect
+// @summary retrieves a given FDO profile information and content
+// @description retrieves a given FDO profile information and content
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 500 "Server error"
+// @router /fdo/profiles/{id} [get]
+func (handler *Handler) fdoProfileInspect(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	id, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Bad request", errors.New("missing 'id' query parameter")}
+	}
+
+	profile, err := handler.DataStore.FDOProfile().FDOProfile(portainer.FDOProfileID(id))
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Profile", err}
+	}
+
+	fileContent, err := handler.FileService.GetFileContent(profile.FilePath, "")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve Profile file content", err}
+	}
+
+	return response.JSON(w, fdoProfileResponse{
+		Name:        profile.Name,
+		FileContent: string(fileContent),
+	})
+}
--- a/api/http/handler/hostmanagement/fdo/profile_list.go
+++ b/api/http/handler/hostmanagement/fdo/profile_list.go
@@ -0,0 +1,31 @@
+package fdo
+
+import (
+	"net/http"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/response"
+)
+
+// @id fdoProfileList
+// @summary retrieves all FDO profiles
+// @description retrieves all FDO profiles
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 403 "Permission denied to access settings"
+// @failure 500 "Server error"
+// @failure 500 "Bad gateway"
+// @router /fdo/profiles [get]
+func (handler *Handler) fdoProfileList(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+
+	profiles, err := handler.DataStore.FDOProfile().FDOProfiles()
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
+	}
+
+	return response.JSON(w, profiles)
+}
--- a/api/http/handler/hostmanagement/fdo/profile_update.go
+++ b/api/http/handler/hostmanagement/fdo/profile_update.go
@@ -0,0 +1,67 @@
+package fdo
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strconv"
+
+	httperror "github.com/portainer/libhttp/error"
+	"github.com/portainer/libhttp/request"
+	"github.com/portainer/libhttp/response"
+	portainer "github.com/portainer/portainer/api"
+)
+
+// @id updateProfile
+// @summary updates an existing FDO Profile
+// @description updates an existing FDO Profile
+// @description **Access policy**: administrator
+// @tags intel
+// @security jwt
+// @produce json
+// @success 200 "Success"
+// @failure 400 "Invalid request"
+// @failure 409 "Profile name already exists"
+// @failure 500 "Server error"
+// @router /fdo/profiles/{id} [put]
+func (handler *Handler) updateProfile(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	id, err := request.RetrieveNumericRouteVariableValue(r, "id")
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Bad request", errors.New("missing 'id' query parameter")}
+	}
+
+	var payload createProfileFromFileContentPayload
+	err = request.DecodeAndValidateJSONPayload(r, &payload)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusBadRequest, "Invalid request payload", err}
+	}
+
+	profile, err := handler.DataStore.FDOProfile().FDOProfile(portainer.FDOProfileID(id))
+	if handler.DataStore.IsErrObjectNotFound(err) {
+		return &httperror.HandlerError{http.StatusNotFound, "Unable to find a FDO Profile with the specified identifier inside the database", err}
+	} else if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to find a FDO Profile with the specified identifier inside the database", err}
+	}
+
+	isUnique, err := handler.checkUniqueProfileName(payload.Name, id)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, err.Error(), err}
+	}
+	if !isUnique {
+		return &httperror.HandlerError{http.StatusConflict, fmt.Sprintf("A profile with the name '%s' already exists", payload.Name), errors.New("a profile already exists with this name")}
+	}
+
+	filePath, err := handler.FileService.StoreFDOProfileFileFromBytes(strconv.Itoa(int(profile.ID)), []byte(payload.ProfileFileContent))
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update profile", err}
+	}
+	profile.FilePath = filePath
+	profile.Name = payload.Name
+
+	err = handler.DataStore.FDOProfile().Update(profile.ID, profile)
+	if err != nil {
+		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to update profile", err}
+	}
+
+	return response.JSON(w, profile)
+}
--- a/api/http/handler/hostmanagement/fdo/profiles.go
+++ b/api/http/handler/hostmanagement/fdo/profiles.go
@@ -1,40 +0,0 @@
-package fdo
-
-import (
-	"io"
-	"net/http"
-
-	httperror "github.com/portainer/libhttp/error"
-)
-
-// @id fdoProfiles
-// @summary retrieve a list of FDO profiles
-// @description retrieve a list of FDO profiles
-// @description **Access policy**: administrator
-// @tags intel
-// @security jwt
-// @produce json
-// @success 200 "Success"
-// @failure 400 "Invalid request"
-// @failure 403 "Permission denied to access settings"
-// @failure 500 "Server error"
-// @failure 500 "Bad gateway"
-// @router /fdo/profiles [get]
-func (handler *Handler) fdoProfiles(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
-	settings, err := handler.DataStore.Settings().Settings()
-	if err != nil {
-		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
-	}
-
-	profiles, err := http.Get(settings.FDOConfiguration.ProfilesURL)
-	if err != nil {
-		return &httperror.HandlerError{StatusCode: http.StatusBadGateway, Message: "Unabled to retrieve the profile list", Err: err}
-	}
-	defer profiles.Body.Close()
-
-	if _, err := io.Copy(w, profiles.Body); err != nil {
-		return &httperror.HandlerError{StatusCode: http.StatusBadGateway, Message: "Unabled to retrieve the profile list", Err: err}
-	}
-
-	return nil
-}
--- a/api/http/handler/hostmanagement/fdo/utils.go
+++ b/api/http/handler/hostmanagement/fdo/utils.go
@@ -0,0 +1,16 @@
+package fdo
+
+func (handler *Handler) checkUniqueProfileName(name string, id int) (bool, error) {
+	profiles, err := handler.DataStore.FDOProfile().FDOProfiles()
+	if err != nil {
+		return false, err
+	}
+
+	for _, profile := range profiles {
+		if profile.Name == name && (id == -1 || id != int(profile.ID)) {
+			return false, nil
+		}
+	}
+
+	return true, nil
+}
--- a/api/http/handler/hostmanagement/openamt/handler.go
+++ b/api/http/handler/hostmanagement/openamt/handler.go
@@ -21,7 +21,7 @@ type Handler struct {
 }

 // NewHandler returns a new Handler
-func NewHandler(bouncer *security.RequestBouncer) (*Handler, error) {
+func NewHandler(bouncer *security.RequestBouncer) *Handler {
 	h := &Handler{
 		Router: mux.NewRouter(),
 	}
@@ -33,5 +33,5 @@ func NewHandler(bouncer *security.RequestBouncer) (*Handler, error) {
 	h.Handle("/open_amt/{id}/devices/{deviceId}/action", bouncer.AdminAccess(httperror.LoggerHandler(h.deviceAction))).Methods(http.MethodPost)
 	h.Handle("/open_amt/{id}/devices/{deviceId}/features", bouncer.AdminAccess(httperror.LoggerHandler(h.deviceFeatures))).Methods(http.MethodPost)

-	return h, nil
+	return h
 }
--- a/api/http/handler/registries/registry_configure.go
+++ b/api/http/handler/registries/registry_configure.go
@@ -21,7 +21,7 @@ type registryConfigurePayload struct {
 	// Password used to authenticate against this registry. required when Authentication is true
 	Password string `example:"registry_password"`
 	// ECR region
-	Region  string
+	Region string
 	// Use TLS
 	TLS bool `example:"true"`
 	// Skip the verification of the server TLS certificate
--- a/api/http/handler/registries/registry_update.go
+++ b/api/http/handler/registries/registry_update.go
@@ -2,9 +2,10 @@ package registries

 import (
 	"errors"
-	"github.com/portainer/portainer/api/internal/endpointutils"
 	"net/http"

+	"github.com/portainer/portainer/api/internal/endpointutils"
+
 	httperror "github.com/portainer/libhttp/error"
 	"github.com/portainer/libhttp/request"
 	"github.com/portainer/libhttp/response"
@@ -25,13 +26,13 @@ type registryUpdatePayload struct {
 	// Username used to authenticate against this registry. Required when Authentication is true
 	Username *string `example:"registry_user"`
 	// Password used to authenticate against this registry. required when Authentication is true
-	Password         *string `example:"registry_password"`
+	Password *string `example:"registry_password"`
 	// Quay data
-	Quay             *portainer.QuayRegistryData
+	Quay *portainer.QuayRegistryData
 	// Registry access control
 	RegistryAccesses *portainer.RegistryAccesses `json:",omitempty"`
 	// ECR data
-	Ecr              *portainer.EcrData          `json:",omitempty"`
+	Ecr *portainer.EcrData `json:",omitempty"`
 }

 func (payload *registryUpdatePayload) Validate(r *http.Request) error {
--- a/api/http/handler/settings/settings_update.go
+++ b/api/http/handler/settings/settings_update.go
@@ -42,6 +42,10 @@ type settingsUpdatePayload struct {
 	HelmRepositoryURL *string `example:"https://charts.bitnami.com/bitnami"`
 	// Kubectl Shell Image
 	KubectlShellImage *string `example:"portainer/kubectl-shell:latest"`
+	// DisableTrustOnFirstConnect makes Portainer require explicit user trust of the edge agent before accepting the connection
+	DisableTrustOnFirstConnect *bool `example:"false"`
+	// EnforceEdgeID makes Portainer store the Edge ID instead of accepting anyone
+	EnforceEdgeID *bool `example:"false"`
 }

 func (payload *settingsUpdatePayload) Validate(r *http.Request) error {
@@ -162,6 +166,14 @@ func (handler *Handler) settingsUpdate(w http.ResponseWriter, r *http.Request) *
 		settings.EnableEdgeComputeFeatures = *payload.EnableEdgeComputeFeatures
 	}

+	if payload.DisableTrustOnFirstConnect != nil {
+		settings.DisableTrustOnFirstConnect = *payload.DisableTrustOnFirstConnect
+	}
+
+	if payload.EnforceEdgeID != nil {
+		settings.EnforceEdgeID = *payload.EnforceEdgeID
+	}
+
 	if payload.SnapshotInterval != nil && *payload.SnapshotInterval != settings.SnapshotInterval {
 		err := handler.updateSnapshotInterval(settings, *payload.SnapshotInterval)
 		if err != nil {
--- a/api/http/handler/stacks/create_compose_stack.go
+++ b/api/http/handler/stacks/create_compose_stack.go
@@ -129,7 +129,7 @@ func (handler *Handler) createComposeStackFromFileContent(w http.ResponseWriter,
 		return configErr
 	}

-	err = handler.deployComposeStack(config)
+	err = handler.deployComposeStack(config, false)
 	if err != nil {
 		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: err.Error(), Err: err}
 	}
@@ -283,7 +283,7 @@ func (handler *Handler) createComposeStackFromGitRepository(w http.ResponseWrite
 		return configErr
 	}

-	err = handler.deployComposeStack(config)
+	err = handler.deployComposeStack(config, false)
 	if err != nil {
 		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: err.Error(), Err: err}
 	}
@@ -394,7 +394,7 @@ func (handler *Handler) createComposeStackFromFileUpload(w http.ResponseWriter,
 		return configErr
 	}

-	err = handler.deployComposeStack(config)
+	err = handler.deployComposeStack(config, false)
 	if err != nil {
 		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: err.Error(), Err: err}
 	}
@@ -451,7 +451,7 @@ func (handler *Handler) createComposeDeployConfig(r *http.Request, stack *portai
 // to login/logout, which will generate the required data in the config.json file and then
 // clean it. Hence the use of the mutex.
 // We should contribute to libcompose to support authentication without using the config.json file.
-func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig) error {
+func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig, forceCreate bool) error {
 	isAdminOrEndpointAdmin, err := handler.userIsAdminOrEndpointAdmin(config.user, config.endpoint.ID)
 	if err != nil {
 		return errors.Wrap(err, "failed to check user priviliges deploying a stack")
@@ -480,5 +480,5 @@ func (handler *Handler) deployComposeStack(config *composeStackDeploymentConfig)
 		}
 	}

-	return handler.StackDeployer.DeployComposeStack(config.stack, config.endpoint, config.registries)
+	return handler.StackDeployer.DeployComposeStack(config.stack, config.endpoint, config.registries, forceCreate)
 }
--- a/api/http/handler/stacks/stack_migrate.go
+++ b/api/http/handler/stacks/stack_migrate.go
@@ -156,6 +156,14 @@ func (handler *Handler) stackMigrate(w http.ResponseWriter, r *http.Request) *ht
 		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: "Unable to persist the stack changes inside the database", Err: err}
 	}

+	if resourceControl != nil {
+		resourceControl.ResourceID = stackutils.ResourceControlID(stack.EndpointID, stack.Name)
+		err := handler.DataStore.ResourceControl().UpdateResourceControl(resourceControl.ID, resourceControl)
+		if err != nil {
+			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist the resource control changes", err}
+		}
+	}
+
 	if stack.GitConfig != nil && stack.GitConfig.Authentication != nil && stack.GitConfig.Authentication.Password != "" {
 		// sanitize password in the http response to minimise possible security leaks
 		stack.GitConfig.Authentication.Password = ""
@@ -177,7 +185,7 @@ func (handler *Handler) migrateComposeStack(r *http.Request, stack *portainer.St
 		return configErr
 	}

-	err := handler.deployComposeStack(config)
+	err := handler.deployComposeStack(config, false)
 	if err != nil {
 		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: err.Error(), Err: err}
 	}
--- a/api/http/handler/stacks/stack_start.go
+++ b/api/http/handler/stacks/stack_start.go
@@ -123,7 +123,7 @@ func (handler *Handler) stackStart(w http.ResponseWriter, r *http.Request) *http
 func (handler *Handler) startStack(stack *portainer.Stack, endpoint *portainer.Endpoint) error {
 	switch stack.Type {
 	case portainer.DockerComposeStack:
-		return handler.ComposeStackManager.Up(context.TODO(), stack, endpoint)
+		return handler.ComposeStackManager.Up(context.TODO(), stack, endpoint, false)
 	case portainer.DockerSwarmStack:
 		return handler.SwarmStackManager.Deploy(stack, true, endpoint)
 	}
--- a/api/http/handler/stacks/stack_update.go
+++ b/api/http/handler/stacks/stack_update.go
@@ -49,7 +49,7 @@ func (payload *updateSwarmStackPayload) Validate(r *http.Request) error {

 // @id StackUpdate
 // @summary Update a stack
-// @description Update a stack.
+// @description Update a stack, only for file based stacks.
 // @description **Access policy**: authenticated
 // @tags stacks
 // @security ApiKeyAuth
@@ -123,6 +123,15 @@ func (handler *Handler) stackUpdate(w http.ResponseWriter, r *http.Request) *htt
 		}
 	}

+	// Must not be git based stack. stop the auto update job if there is any
+	if stack.AutoUpdate != nil {
+		stopAutoupdate(stack.ID, stack.AutoUpdate.JobID, *handler.Scheduler)
+		stack.AutoUpdate = nil
+	}
+	if stack.GitConfig != nil {
+		stack.FromAppTemplate = true
+	}
+
 	updateError := handler.updateAndDeployStack(r, stack, endpoint)
 	if updateError != nil {
 		return updateError
@@ -181,7 +190,7 @@ func (handler *Handler) updateComposeStack(r *http.Request, stack *portainer.Sta
 		return configErr
 	}

-	err = handler.deployComposeStack(config)
+	err = handler.deployComposeStack(config, false)
 	if err != nil {
 		return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: err.Error(), Err: err}
 	}
--- a/api/http/handler/stacks/stack_update_git_redeploy.go
+++ b/api/http/handler/stacks/stack_update_git_redeploy.go
@@ -206,7 +206,7 @@ func (handler *Handler) deployStack(r *http.Request, stack *portainer.Stack, end
 			return httpErr
 		}

-		if err := handler.deployComposeStack(config); err != nil {
+		if err := handler.deployComposeStack(config, true); err != nil {
 			return &httperror.HandlerError{StatusCode: http.StatusInternalServerError, Message: err.Error(), Err: err}
 		}

--- a/api/http/handler/users/user_create.go
+++ b/api/http/handler/users/user_create.go
@@ -87,6 +87,12 @@ func (handler *Handler) userCreate(w http.ResponseWriter, r *http.Request) *http
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to retrieve settings from the database", err}
 	}

+	// when ldap/oauth is on, can only add users without password
+	if (settings.AuthenticationMethod == portainer.AuthenticationLDAP || settings.AuthenticationMethod == portainer.AuthenticationOAuth) && payload.Password != "" {
+		errMsg := "A user with password can not be created when authentication method is Oauth or LDAP"
+		return &httperror.HandlerError{http.StatusBadRequest, errMsg, errors.New(errMsg)}
+	}
+
 	if settings.AuthenticationMethod == portainer.AuthenticationInternal {
 		user.Password, err = handler.CryptoService.Hash(payload.Password)
 		if err != nil {
--- a/api/http/handler/webhooks/webhook_create.go
+++ b/api/http/handler/webhooks/webhook_create.go
@@ -2,9 +2,10 @@ package webhooks

 import (
 	"errors"
+	"net/http"
+
 	"github.com/portainer/portainer/api/http/security"
 	"github.com/portainer/portainer/api/internal/registryutils/access"
-	"net/http"

 	"github.com/asaskevich/govalidator"
 	"github.com/gofrs/uuid"
@@ -17,7 +18,7 @@ import (
 type webhookCreatePayload struct {
 	ResourceID  string
 	EndpointID  int
-	RegistryID portainer.RegistryID
+	RegistryID  portainer.RegistryID
 	WebhookType int
 }

--- a/api/http/handler/webhooks/webhook_execute.go
+++ b/api/http/handler/webhooks/webhook_execute.go
@@ -80,13 +80,13 @@ func (handler *Handler) executeServiceWebhook(
 	}

 	service.Spec.TaskTemplate.ForceUpdate++
-	
+
 	var imageName = strings.Split(service.Spec.TaskTemplate.ContainerSpec.Image, "@sha")[0]

 	if imageTag != "" {
 		var tagIndex = strings.LastIndex(imageName, ":")
 		if tagIndex == -1 {
-	  		tagIndex = len(imageName)
+			tagIndex = len(imageName)
 		}
 		service.Spec.TaskTemplate.ContainerSpec.Image = imageName[:tagIndex] + ":" + imageTag
 	} else {
--- a/api/http/proxy/factory/azure/containergroup.go
+++ b/api/http/proxy/factory/azure/containergroup.go
@@ -45,7 +45,11 @@ func (transport *Transport) proxyContainerGroupPutRequest(request *http.Request)
 	}

 	if validationResponse.StatusCode >= 200 && validationResponse.StatusCode < 300 {
-		resp := &http.Response{}
+		resp := &http.Response{
+			Header: http.Header{
+				http.CanonicalHeaderKey("content-type"): []string{"application/json"},
+			},
+		}
 		errObj := map[string]string{
 			"message": "A container instance with the same name already exists inside the selected resource group",
 		}
--- a/api/http/proxy/factory/docker/transport.go
+++ b/api/http/proxy/factory/docker/transport.go
@@ -16,6 +16,7 @@ import (

 	portainer "github.com/portainer/portainer/api"
 	"github.com/portainer/portainer/api/dataservices"
+	dataerrors "github.com/portainer/portainer/api/dataservices/errors"
 	"github.com/portainer/portainer/api/docker"
 	"github.com/portainer/portainer/api/http/proxy/factory/utils"
 	"github.com/portainer/portainer/api/http/security"
@@ -601,6 +602,10 @@ func (transport *Transport) executeGenericResourceDeletionOperation(request *htt
 	if response.StatusCode == http.StatusNoContent || response.StatusCode == http.StatusOK {
 		resourceControl, err := transport.dataStore.ResourceControl().ResourceControlByResourceIDAndType(resourceIdentifierAttribute, resourceType)
 		if err != nil {
+			if err == dataerrors.ErrObjectNotFound {
+				return response, nil
+			}
+
 			return response, err
 		}

--- a/api/http/proxy/factory/kubernetes/deployments.go
+++ b/api/http/proxy/factory/kubernetes/deployments.go
@@ -12,4 +12,4 @@ func (transport *baseTransport) proxyDeploymentsRequest(request *http.Request, n
 	default:
 		return transport.executeKubernetesRequest(request)
 	}
-}
+}
--- a/api/http/proxy/factory/kubernetes/pods.go
+++ b/api/http/proxy/factory/kubernetes/pods.go
@@ -12,4 +12,4 @@ func (transport *baseTransport) proxyPodsRequest(request *http.Request, namespac
 	default:
 		return transport.executeKubernetesRequest(request)
 	}
-}
+}
--- a/api/http/proxy/factory/kubernetes/refresh_registry.go
+++ b/api/http/proxy/factory/kubernetes/refresh_registry.go
@@ -1,8 +1,9 @@
 package kubernetes

 import (
-	"github.com/portainer/portainer/api/internal/registryutils"
 	"net/http"
+
+	"github.com/portainer/portainer/api/internal/registryutils"
 )

 func (transport *baseTransport) refreshRegistry(request *http.Request, namespace string) (err error) {
@@ -14,4 +15,4 @@ func (transport *baseTransport) refreshRegistry(request *http.Request, namespace
 	err = registryutils.RefreshEcrSecret(cli, transport.endpoint, transport.dataStore, namespace)

 	return
-}
+}
--- a/api/http/security/bouncer.go
+++ b/api/http/security/bouncer.go
@@ -2,6 +2,7 @@ package security

 import (
 	"errors"
+	"fmt"
 	"net/http"
 	"strings"
 	"time"
@@ -134,6 +135,19 @@ func (bouncer *RequestBouncer) AuthorizedEdgeEndpointOperation(r *http.Request,
 		return errors.New("invalid Edge identifier")
 	}

+	if endpoint.LastCheckInDate > 0 || endpoint.UserTrusted {
+		return nil
+	}
+
+	settings, err := bouncer.dataStore.Settings().Settings()
+	if err != nil {
+		return fmt.Errorf("could not retrieve the settings: %w", err)
+	}
+
+	if settings.DisableTrustOnFirstConnect {
+		return errors.New("the device has not been trusted yet")
+	}
+
 	return nil
 }

--- a/api/http/server.go
+++ b/api/http/server.go
@@ -210,17 +210,12 @@ func (server *Server) Start() error {
 	var sslHandler = sslhandler.NewHandler(requestBouncer)
 	sslHandler.SSLService = server.SSLService

-	openAMTHandler, err := openamt.NewHandler(requestBouncer)
-	if err != nil {
-		return err
-	}
-	if openAMTHandler != nil {
-		openAMTHandler.OpenAMTService = server.OpenAMTService
-		openAMTHandler.DataStore = server.DataStore
-		openAMTHandler.DockerClientFactory = server.DockerClientFactory
-	}
+	openAMTHandler := openamt.NewHandler(requestBouncer)
+	openAMTHandler.OpenAMTService = server.OpenAMTService
+	openAMTHandler.DataStore = server.DataStore
+	openAMTHandler.DockerClientFactory = server.DockerClientFactory

-	fdoHandler := fdo.NewHandler(requestBouncer, server.DataStore)
+	fdoHandler := fdo.NewHandler(requestBouncer, server.DataStore, server.FileService)

 	var stackHandler = stacks.NewHandler(requestBouncer)
 	stackHandler.DataStore = server.DataStore
--- a/api/internal/snapshot/snapshot.go
+++ b/api/internal/snapshot/snapshot.go
@@ -23,21 +23,39 @@ type Service struct {
 }

 // NewService creates a new instance of a service
-func NewService(snapshotInterval string, dataStore dataservices.DataStore, dockerSnapshotter portainer.DockerSnapshotter, kubernetesSnapshotter portainer.KubernetesSnapshotter, shutdownCtx context.Context) (*Service, error) {
-	snapshotFrequency, err := time.ParseDuration(snapshotInterval)
+func NewService(snapshotIntervalFromFlag string, dataStore dataservices.DataStore, dockerSnapshotter portainer.DockerSnapshotter, kubernetesSnapshotter portainer.KubernetesSnapshotter, shutdownCtx context.Context) (*Service, error) {
+	snapshotFrequency, err := parseSnapshotFrequency(snapshotIntervalFromFlag, dataStore)
 	if err != nil {
 		return nil, err
 	}

 	return &Service{
 		dataStore:                 dataStore,
-		snapshotIntervalInSeconds: snapshotFrequency.Seconds(),
+		snapshotIntervalInSeconds: snapshotFrequency,
 		dockerSnapshotter:         dockerSnapshotter,
 		kubernetesSnapshotter:     kubernetesSnapshotter,
 		shutdownCtx:               shutdownCtx,
 	}, nil
 }

+func parseSnapshotFrequency(snapshotInterval string, dataStore dataservices.DataStore) (float64, error) {
+	if snapshotInterval == "" {
+		settings, err := dataStore.Settings().Settings()
+		if err != nil {
+			return 0, err
+		}
+		snapshotInterval = settings.SnapshotInterval
+		if snapshotInterval == "" {
+			snapshotInterval = portainer.DefaultSnapshotInterval
+		}
+	}
+	snapshotFrequency, err := time.ParseDuration(snapshotInterval)
+	if err != nil {
+		return 0, err
+	}
+	return snapshotFrequency.Seconds(), nil
+}
+
 // Start will start a background routine to execute periodic snapshots of environments(endpoints)
 func (service *Service) Start() {
 	if service.refreshSignal != nil {
--- a/api/internal/testhelpers/datastore.go
+++ b/api/internal/testhelpers/datastore.go
@@ -4,6 +4,7 @@ import (
 	"io"

 	portainer "github.com/portainer/portainer/api"
+	"github.com/portainer/portainer/api/database"
 	"github.com/portainer/portainer/api/dataservices"
 	"github.com/portainer/portainer/api/dataservices/errors"
 )
@@ -16,6 +17,7 @@ type testDatastore struct {
 	endpoint                dataservices.EndpointService
 	endpointGroup           dataservices.EndpointGroupService
 	endpointRelation        dataservices.EndpointRelationService
+	fdoProfile              dataservices.FDOProfileService
 	helmUserRepository      dataservices.HelmUserRepositoryService
 	registry                dataservices.RegistryService
 	resourceControl         dataservices.ResourceControlService
@@ -31,6 +33,7 @@ type testDatastore struct {
 	user                    dataservices.UserService
 	version                 dataservices.VersionService
 	webhook                 dataservices.WebhookService
+	connection              portainer.Connection
 }

 func (d *testDatastore) BackupTo(io.Writer) error                           { return nil }
@@ -46,6 +49,9 @@ func (d *testDatastore) EdgeJob() dataservices.EdgeJobService               { re
 func (d *testDatastore) EdgeStack() dataservices.EdgeStackService           { return d.edgeStack }
 func (d *testDatastore) Endpoint() dataservices.EndpointService             { return d.endpoint }
 func (d *testDatastore) EndpointGroup() dataservices.EndpointGroupService   { return d.endpointGroup }
+func (d *testDatastore) FDOProfile() dataservices.FDOProfileService {
+	return d.fdoProfile
+}
 func (d *testDatastore) EndpointRelation() dataservices.EndpointRelationService {
 	return d.endpointRelation
 }
@@ -75,6 +81,10 @@ func (d *testDatastore) IsErrObjectNotFound(e error) bool {
 	return false
 }

+func (d *testDatastore) Connection() portainer.Connection {
+	return d.connection
+}
+
 func (d *testDatastore) Export(filename string) (err error) {
 	return nil
 }
@@ -87,10 +97,12 @@ type datastoreOption = func(d *testDatastore)
 // NewDatastore creates new instance of testDatastore.
 // Will apply options before returning, opts will be applied from left to right.
 func NewDatastore(options ...datastoreOption) *testDatastore {
-	d := testDatastore{}
+	conn, _ := database.NewDatabase("boltdb", "", nil)
+	d := testDatastore{connection: conn}
 	for _, o := range options {
 		o(&d)
 	}
+
 	return &d
 }

--- a/api/kubernetes/cli/client.go
+++ b/api/kubernetes/cli/client.go
@@ -50,7 +50,7 @@ func (factory *ClientFactory) GetInstanceID() (instanceID string) {
 }

 // Remove the cached kube client so a new one can be created
- func (factory *ClientFactory) RemoveKubeClient(endpointID portainer.EndpointID) {
+func (factory *ClientFactory) RemoveKubeClient(endpointID portainer.EndpointID) {
 	factory.endpointClients.Remove(strconv.Itoa(int(endpointID)))
 }

--- a/api/kubernetes/cli/registries.go
+++ b/api/kubernetes/cli/registries.go
@@ -16,8 +16,8 @@ import (

 const (
 	secretDockerConfigKey = ".dockerconfigjson"
-	labelRegistryType = "io.portainer.kubernetes.registry.type"
-	annotationRegistryID = "portainer.io/registry.id"
+	labelRegistryType     = "io.portainer.kubernetes.registry.type"
+	annotationRegistryID  = "portainer.io/registry.id"
 )

 type (
--- a/api/portainer.go
+++ b/api/portainer.go
@@ -78,7 +78,17 @@ type (
 		OwnerURL      string `json:"ownerURL"`
 		OwnerUsername string `json:"ownerUsername"`
 		OwnerPassword string `json:"ownerPassword"`
-		ProfilesURL   string `json:"profilesURL"`
+	}
+
+	// FDOProfileID represents a fdo profile id
+	FDOProfileID int
+
+	FDOProfile struct {
+		ID            FDOProfileID `json:"id"`
+		Name          string       `json:"name"`
+		FilePath      string       `json:"filePath"`
+		NumberDevices int          `json:"numberDevices"`
+		DateCreated   int64        `json:"dateCreated"`
 	}

 	// CLIFlags represents the available flags on the CLI
@@ -111,6 +121,10 @@ type (
 		Rollback                  *bool
 		SnapshotInterval          *string
 		BaseURL                   *string
+		InitialMmapSize           *int
+		MaxBatchSize              *int
+		MaxBatchDelay             *time.Duration
+		SecretKeyName             *string
 	}

 	// CustomTemplate represents a custom template
@@ -314,6 +328,8 @@ type (
 		LastCheckInDate int64
 		// IsEdgeDevice marks if the environment was created as an EdgeDevice
 		IsEdgeDevice bool
+		// Whether the device has been trusted or not by the user
+		UserTrusted bool

 		// Deprecated fields
 		// Deprecated in DBVersion == 4
@@ -803,6 +819,10 @@ type (
 		HelmRepositoryURL string `json:"HelmRepositoryURL" example:"https://charts.bitnami.com/bitnami"`
 		// KubectlImage, defaults to portainer/kubectl-shell
 		KubectlShellImage string `json:"KubectlShellImage" example:"portainer/kubectl-shell"`
+		// DisableTrustOnFirstConnect makes Portainer require explicit user trust of the edge agent before accepting the connection
+		DisableTrustOnFirstConnect bool `json:"DisableTrustOnFirstConnect" example:"false"`
+		// EnforceEdgeID makes Portainer store the Edge ID instead of accepting anyone
+		EnforceEdgeID bool `json:"EnforceEdgeID" example:"false"`

 		// Deprecated fields
 		DisplayDonationHeader       bool
@@ -1169,7 +1189,7 @@ type (
 	ComposeStackManager interface {
 		ComposeSyntaxMaxVersion() string
 		NormalizeStackName(name string) string
-		Up(ctx context.Context, stack *Stack, endpoint *Endpoint) error
+		Up(ctx context.Context, stack *Stack, endpoint *Endpoint, forceRereate bool) error
 		Down(ctx context.Context, stack *Stack, endpoint *Endpoint) error
 	}

@@ -1227,6 +1247,7 @@ type (
 		GetDefaultSSLCertsPath() (string, string)
 		StoreSSLCertPair(cert, key []byte) (string, string, error)
 		CopySSLCertPair(certPath, keyPath string) (string, string, error)
+		StoreFDOProfileFileFromBytes(fdoProfileIdentifier string, data []byte) (string, error)
 	}

 	// GitService represents a service for managing Git
@@ -1326,7 +1347,7 @@ type (

 const (
 	// APIVersion is the version number of the Portainer API
-	APIVersion = "2.11.0"
+	APIVersion = "2.11.1"
 	// DBVersion is the version number of the Portainer database
 	DBVersion = 35
 	// ComposeSyntaxMaxVersion is a maximum supported version of the docker compose syntax
@@ -1354,6 +1375,8 @@ const (
 	// PortainerAgentSignatureMessage represents the message used to create a digital signature
 	// to be used when communicating with an agent
 	PortainerAgentSignatureMessage = "Portainer-App"
+	// DefaultSnapshotInterval represents the default interval between each environment snapshot job
+	DefaultSnapshotInterval = "5m"
 	// DefaultEdgeAgentCheckinIntervalInSeconds represents the default interval (in seconds) used by Edge agents to checkin with the Portainer instance
 	DefaultEdgeAgentCheckinIntervalInSeconds = 5
 	// DefaultTemplatesURL represents the URL to the official templates supported by Portainer
--- a/api/stacks/deploy.go
+++ b/api/stacks/deploy.go
@@ -21,6 +21,8 @@ func (e *StackAuthorMissingErr) Error() string {
 	return fmt.Sprintf("stack's %v author %s is missing", e.stackID, e.authorName)
 }

+// RedeployWhenChanged pull and redeploy the stack when git repo changed
+// Stack will always be redeployed if force deployment is set to true
 func RedeployWhenChanged(stackID portainer.StackID, deployer StackDeployer, datastore dataservices.DataStore, gitService portainer.GitService) error {
 	logger := log.WithFields(log.Fields{"stackID": stackID})
 	logger.Debug("redeploying stack")
@@ -87,7 +89,7 @@ func RedeployWhenChanged(stackID portainer.StackID, deployer StackDeployer, data

 	switch stack.Type {
 	case portainer.DockerComposeStack:
-		err := deployer.DeployComposeStack(stack, endpoint, registries)
+		err := deployer.DeployComposeStack(stack, endpoint, registries, false)
 		if err != nil {
 			return errors.WithMessagef(err, "failed to deploy a docker compose stack %v", stackID)
 		}
--- a/api/stacks/deploy_test.go
+++ b/api/stacks/deploy_test.go
@@ -32,7 +32,7 @@ func (s *noopDeployer) DeploySwarmStack(stack *portainer.Stack, endpoint *portai
 	return nil
 }

-func (s *noopDeployer) DeployComposeStack(stack *portainer.Stack, endpoint *portainer.Endpoint, registries []portainer.Registry) error {
+func (s *noopDeployer) DeployComposeStack(stack *portainer.Stack, endpoint *portainer.Endpoint, registries []portainer.Registry, forceRereate bool) error {
 	return nil
 }

--- a/api/stacks/deployer.go
+++ b/api/stacks/deployer.go
@@ -14,7 +14,7 @@ import (

 type StackDeployer interface {
 	DeploySwarmStack(stack *portainer.Stack, endpoint *portainer.Endpoint, registries []portainer.Registry, prune bool) error
-	DeployComposeStack(stack *portainer.Stack, endpoint *portainer.Endpoint, registries []portainer.Registry) error
+	DeployComposeStack(stack *portainer.Stack, endpoint *portainer.Endpoint, registries []portainer.Registry, forceRereate bool) error
 	DeployKubernetesStack(stack *portainer.Stack, endpoint *portainer.Endpoint, user *portainer.User) error
 }

@@ -45,14 +45,14 @@ func (d *stackDeployer) DeploySwarmStack(stack *portainer.Stack, endpoint *porta
 	return d.swarmStackManager.Deploy(stack, prune, endpoint)
 }

-func (d *stackDeployer) DeployComposeStack(stack *portainer.Stack, endpoint *portainer.Endpoint, registries []portainer.Registry) error {
+func (d *stackDeployer) DeployComposeStack(stack *portainer.Stack, endpoint *portainer.Endpoint, registries []portainer.Registry, forceRereate bool) error {
 	d.lock.Lock()
 	defer d.lock.Unlock()

 	d.swarmStackManager.Login(registries, endpoint)
 	defer d.swarmStackManager.Logout(endpoint)

-	return d.composeStackManager.Up(context.TODO(), stack, endpoint)
+	return d.composeStackManager.Up(context.TODO(), stack, endpoint, forceRereate)
 }

 func (d *stackDeployer) DeployKubernetesStack(stack *portainer.Stack, endpoint *portainer.Endpoint, user *portainer.User) error {
--- a/app/agent/components/file-uploader/fileUploader.html
+++ b/app/agent/components/file-uploader/fileUploader.html
@@ -1,3 +1,3 @@
 <button type="button" ngf-select="$ctrl.onFileSelected($file)" class="btn ng-scope" button-spinner="$ctrl.state.uploadInProgress">
-  <i style="margin: 0;" class="fa fa-upload" ng-if="!$ctrl.state.uploadInProgress"></i>
+  <i style="margin: 0" class="fa fa-upload" ng-if="!$ctrl.state.uploadInProgress"></i>
 </button>
--- a/app/agent/components/files-datatable/filesDatatable.html
+++ b/app/agent/components/files-datatable/filesDatatable.html
@@ -41,9 +41,7 @@
                  <i class="fa fa-sort-alpha-up" aria-hidden="true" ng-if="$ctrl.state.orderBy === 'ModTime' && $ctrl.state.reverseOrder"></i>
                </a>
              </th>
-              <th>
-                Actions
-              </th>
+              <th> Actions </th>
            </tr>
          </thead>
          <tbody>
--- a/app/assets/css/app.css
+++ b/app/assets/css/app.css
@@ -680,6 +680,7 @@ a[ng-click] {
 .image-zoom-modal .modal-dialog {
  width: 80%;
 }
+
 /*!bootbox override*/

 /*angular-multi-select override*/
@@ -902,6 +903,7 @@ json-tree .branch-preview {
  margin-left: 0.25rem;
 }

+/* used for bootbox prompt with inputType radio */
 .form-check.radio {
  margin-left: 15px;
 }
--- a/app/assets/css/theme.css
+++ b/app/assets/css/theme.css
@@ -339,7 +339,7 @@ html {
  --text-body-color: var(--white-color);
  --text-sidebar-title-color: var(--grey-8);
  --text-widget-header-color: var(--white-color);
-  --text-form-control-color: var(--grey-8);
+  --text-form-control-color: var(--white-color);
  --text-muted-color: var(--grey-8);
  --text-link-color: var(--blue-9);
  --text-link-hover-color: var(--blue-2);
@@ -365,7 +365,7 @@ html {
  --text-blocklist-item-selected-color: var(--white-color);
  --text-progress-bar-color: var(--white-color);
  --text-pagination-color: var(--white-color);
-  --text-pagination-span-color: var(--white-color);
+  --text-pagination-span-color: var(--blue-2);
  --text-pagination-span-hover-color: var(--white-color);
  --text-ui-select-color: var(--white-color);
  --text-ui-select-hover-color: var(--white-color);
@@ -547,6 +547,8 @@ html {
  --text-button-hover-color: var(--white-color);
  --text-btn-default-color: var(--white-color);
  --text-small-select-color: var(--white-color);
+  --text-multiselect-item-color: var(--white-color);
+  --text-pagination-span-color: var(--blue-2);

  --border-color: var(--grey-55);
  --border-widget-color: var(--white-color);
--- a/app/assets/ico/manifest.json
+++ b/app/assets/ico/manifest.json
@@ -1,18 +1,18 @@
 {
-    "name": "Portainer",
-    "icons": [
-        {
-            "src": "ico/android-chrome-192x192.png",
-            "sizes": "192x192",
-            "type": "image/png"
-        },
-        {
-            "src": "ico/android-chrome-256x256.png",
-            "sizes": "256x256",
-            "type": "image/png"
-        }
-    ],
-    "theme_color": "#ffffff",
-    "background_color": "#ffffff",
-    "display": "standalone"
-}
+  "name": "Portainer",
+  "icons": [
+    {
+      "src": "ico/android-chrome-192x192.png",
+      "sizes": "192x192",
+      "type": "image/png"
+    },
+    {
+      "src": "ico/android-chrome-256x256.png",
+      "sizes": "256x256",
+      "type": "image/png"
+    }
+  ],
+  "theme_color": "#ffffff",
+  "background_color": "#ffffff",
+  "display": "standalone"
+}
--- a/app/azure/components/azure-endpoint-config/azureEndpointConfig.html
+++ b/app/azure/components/azure-endpoint-config/azureEndpointConfig.html
@@ -1,7 +1,5 @@
 <div>
-  <div class="col-sm-12 form-section-title">
-    Azure configuration
-  </div>
+  <div class="col-sm-12 form-section-title"> Azure configuration </div>
  <!-- applicationId-input -->
  <div class="form-group">
    <label for="azure_credential_appid" class="col-sm-3 col-lg-2 control-label text-left">Application ID</label>
--- a/app/azure/components/datatables/containergroups-datatable/containerGroupsDatatable.html
+++ b/app/azure/components/datatables/containergroups-datatable/containerGroupsDatatable.html
@@ -2,7 +2,7 @@
  <rd-widget>
    <rd-widget-body classes="no-padding">
      <div class="toolBar">
-        <div class="toolBarTitle"> <i class="fa" ng-class="$ctrl.titleIcon" aria-hidden="true" style="margin-right: 2px;"></i> {{ $ctrl.titleText }} </div>
+        <div class="toolBarTitle"> <i class="fa" ng-class="$ctrl.titleIcon" aria-hidden="true" style="margin-right: 2px"></i> {{ $ctrl.titleText }} </div>
      </div>
      <div class="actionBar">
        <button type="button" class="btn btn-sm btn-danger" ng-disabled="$ctrl.state.selectedItemCount === 0" ng-click="$ctrl.removeAction($ctrl.state.selectedItems)">
@@ -46,9 +46,7 @@
                  <i class="fa fa-sort-alpha-up" aria-hidden="true" ng-if="$ctrl.state.orderBy === 'Location' && $ctrl.state.reverseOrder"></i>
                </a>
              </th>
-              <th>
-                Published Ports
-              </th>
+              <th> Published Ports </th>
              <th>
                <a ng-click="$ctrl.changeOrderBy('ResourceControl.Ownership')">
                  Ownership
@@ -98,9 +96,7 @@
        <div class="paginationControls">
          <form class="form-inline">
            <span class="limitSelector">
-              <span style="margin-right: 5px;">
-                Items per page
-              </span>
+              <span style="margin-right: 5px"> Items per page </span>
              <select class="form-control" ng-model="$ctrl.state.paginatedItemLimit" ng-change="$ctrl.changePaginationLimit()" data-cy="component-paginationSelect">
                <option value="0">All</option>
                <option value="10">10</option>
--- a/app/azure/views/containerinstances/container-instance-details/containerInstanceDetails.html
+++ b/app/azure/views/containerinstances/container-instance-details/containerInstanceDetails.html
@@ -8,9 +8,7 @@
    <rd-widget>
      <rd-widget-body>
        <div class="form-horizontal" autocomplete="off">
-          <div class="col-sm-12 form-section-title">
-            Azure settings
-          </div>
+          <div class="col-sm-12 form-section-title"> Azure settings </div>
          <!-- subscription-input -->
          <div class="form-group">
            <label for="azure_subscription" class="col-sm-2 control-label text-left">Subscription</label>
@@ -35,9 +33,7 @@
            </div>
          </div>
          <!-- !location-input -->
-          <div class="col-sm-12 form-section-title">
-            Container configuration
-          </div>
+          <div class="col-sm-12 form-section-title"> Container configuration </div>
          <!-- name-input -->
          <div class="form-group">
            <label for="container_name" class="col-sm-2 control-label text-left">Name</label>
@@ -68,15 +64,15 @@
              <label class="control-label text-left">Port mapping</label>
            </div>
            <!-- port-mapping-input-list -->
-            <div class="col-sm-12 form-inline" style="margin-top: 10px;">
-              <div ng-repeat="binding in $ctrl.container.Ports" style="margin-top: 2px;">
+            <div class="col-sm-12 form-inline" style="margin-top: 10px">
+              <div ng-repeat="binding in $ctrl.container.Ports" style="margin-top: 2px">
                <!-- host-port -->
                <div class="input-group col-sm-4 input-group-sm">
                  <span class="input-group-addon">host</span>
                  <input type="text" class="form-control" ng-model="binding.host" placeholder="e.g. 80" disabled />
                </div>
                <!-- !host-port -->
-                <span style="margin: 0 10px 0 10px;">
+                <span style="margin: 0 10px 0 10px">
                  <i class="fa fa-long-arrow-alt-right" aria-hidden="true"></i>
                </span>
                <!-- container-port -->
@@ -100,17 +96,13 @@
          <!-- !port-mapping -->
          <!-- public-ip -->
          <div class="form-group" ng-if="$ctrl.container.AllocatePublicIP">
-            <label for="public_ip" class="col-sm-2 control-label text-left">
-              Public IP
-            </label>
+            <label for="public_ip" class="col-sm-2 control-label text-left"> Public IP </label>
            <div class="col-sm-10">
              <input type="text" class="form-control" ng-model="$ctrl.container.IPAddress" disabled />
            </div>
          </div>
          <!-- public-ip -->
-          <div class="col-sm-12 form-section-title">
-            Container resources
-          </div>
+          <div class="col-sm-12 form-section-title"> Container resources </div>
          <!-- cpu-input -->
          <div class="form-group">
            <label for="container_cpu" class="col-sm-2 control-label text-left">CPU</label>
--- a/app/azure/views/containerinstances/create/createcontainerinstance.html
+++ b/app/azure/views/containerinstances/create/createcontainerinstance.html
@@ -8,9 +8,7 @@
    <rd-widget>
      <rd-widget-body>
        <form class="form-horizontal" autocomplete="off" name="aciForm">
-          <div class="col-sm-12 form-section-title">
-            Azure settings
-          </div>
+          <div class="col-sm-12 form-section-title"> Azure settings </div>
          <!-- subscription-input -->
          <div class="form-group">
            <label for="azure_subscription" class="col-sm-1 control-label text-left">Subscription</label>
@@ -46,9 +44,7 @@
            </div>
          </div>
          <!-- !location-input -->
-          <div class="col-sm-12 form-section-title">
-            Container configuration
-          </div>
+          <div class="col-sm-12 form-section-title"> Container configuration </div>
          <!-- name-input -->
          <div class="form-group">
            <label for="container_name" class="col-sm-1 control-label text-left">Name</label>
@@ -94,20 +90,20 @@
          <div class="form-group">
            <div class="col-sm-12">
              <label class="control-label text-left">Port mapping</label>
-              <span class="label label-default interactive" style="margin-left: 10px;" ng-click="addPortBinding()">
+              <span class="label label-default interactive" style="margin-left: 10px" ng-click="addPortBinding()">
                <i class="fa fa-plus-circle" aria-hidden="true"></i> map additional port
              </span>
            </div>
            <!-- port-mapping-input-list -->
-            <div class="col-sm-12 form-inline" style="margin-top: 10px;">
-              <div ng-repeat="binding in model.Ports" style="margin-top: 2px;">
+            <div class="col-sm-12 form-inline" style="margin-top: 10px">
+              <div ng-repeat="binding in model.Ports" style="margin-top: 2px">
                <!-- host-port -->
                <div class="input-group col-sm-4 input-group-sm">
                  <span class="input-group-addon">host</span>
                  <input type="text" class="form-control" ng-model="binding.host" placeholder="e.g. 80" />
                </div>
                <!-- !host-port -->
-                <span style="margin: 0 10px 0 10px;">
+                <span style="margin: 0 10px 0 10px">
                  <i class="fa fa-long-arrow-alt-right" aria-hidden="true"></i>
                </span>
                <!-- container-port -->
@@ -138,9 +134,7 @@
          </div>
          <!-- public-ip -->

-          <div class="col-sm-12 form-section-title">
-            Container resources
-          </div>
+          <div class="col-sm-12 form-section-title"> Container resources </div>
          <!-- cpu-input -->
          <div class="form-group">
            <label for="container_cpu" class="col-sm-1 control-label text-left">CPU</label>
@@ -161,16 +155,14 @@
          <por-access-control-form form-data="model.AccessControlData"></por-access-control-form>
          <!-- !access-control -->
          <!-- actions -->
-          <div class="col-sm-12 form-section-title">
-            Actions
-          </div>
+          <div class="col-sm-12 form-section-title"> Actions </div>
          <div class="form-group">
            <div class="col-sm-12">
              <button type="button" class="btn btn-primary btn-sm" ng-disabled="state.actionInProgress" ng-click="create()" button-spinner="state.actionInProgress">
                <span ng-hide="state.actionInProgress">Deploy the container</span>
                <span ng-show="state.actionInProgress">Deployment in progress...</span>
              </button>
-              <span class="text-danger" ng-if="state.formValidationError" style="margin-left: 5px;">{{ state.formValidationError }}</span>
+              <span class="text-danger" ng-if="state.formValidationError" style="margin-left: 5px">{{ state.formValidationError }}</span>
            </div>
          </div>
          <!-- !actions -->
--- a/app/docker/__module.js
+++ b/app/docker/__module.js
@@ -1,8 +1,9 @@
 import angular from 'angular';

 import containersModule from './containers';
+import { componentsModule } from './components';

-angular.module('portainer.docker', ['portainer.app', containersModule]).config([
+angular.module('portainer.docker', ['portainer.app', containersModule, componentsModule]).config([
  '$stateRegistryProvider',
  function ($stateRegistryProvider) {
    'use strict';
--- a/Show More
+++ b/Show More