7. Storing secrets in the DynFi database

7.1. What is “a secret”?

To connect to various devices, DynFi has to authenticate. For example, to establish an SSH connection to a device, DynFi has to use a password or an SSH private key. Likewise, to send e-mails, DynFi needs to authenticate to the SMTP server. All these passwords and private keys are called “secrets” below.

7.2. Default storage format

By default, secrets in DynFi’s database are stored unencrypted.

7.3. How to turn on encryption of secrets in the database?

To turn on encryption of the secrets in DynFi’s database, it is enough to specify the encryptionPassword option in DynFi’s configuration. For example, the following line can be added to the configuration file (default /etc/dynfi.conf):

encryptionPassword=my_very_L0ng_and_R4ndom_encryption_P@SSWORD

The next time DynFi starts, it will detect that encryptionPassword has been specified while the secrets in the database are not yet encrypted, and it will encrypt all secrets during that start-up. It is advised to create a database backup beforehand.

For other ways of tuning the configuration, refer to the Configuration chapter.
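As an added example (not DynFi’s own code), the following Python helper writes the encryptionPassword option into a key=value configuration file such as /etc/dynfi.conf, replacing any existing value, and leaves the file readable only by its owner, since the option holds the encryption password in clear text. The “#” comment convention and the demo() helper with its constructed sample file are assumptions for this illustration; the page only shows the key=value line itself.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed file format (from the page's own examples): one key=value per line.
# Treating lines starting with '#' as comments is an assumption of this example.


def read_config(conf_path):
    """Parse a key=value configuration file into a dict (comments/blank lines skipped)."""
    config = {}
    for line in Path(conf_path).read_text().splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        key, value = stripped.split("=", 1)
        config[key.strip()] = value.strip()
    return config


def set_config_option(conf_path, key, value):
    """Set key=value in the file, replacing any existing occurrence of key.

    The file is rewritten atomically (temp file + rename) and left readable
    only by its owner, because encryptionPassword is stored in clear text in it.
    Returns the resulting parsed configuration.
    """
    path = Path(conf_path)
    lines = path.read_text().splitlines() if path.exists() else []
    new_line = f"{key}={value}"
    result, replaced = [], False
    for line in lines:
        stripped = line.strip()
        is_assignment = stripped and not stripped.startswith("#") and "=" in stripped
        if is_assignment and stripped.split("=", 1)[0].strip() == key:
            if not replaced:          # first occurrence is replaced ...
                result.append(new_line)
                replaced = True
            continue                  # ... duplicates are dropped
        result.append(line)
    if not replaced:
        result.append(new_line)

    fd, tmp_name = tempfile.mkstemp(dir=str(path.parent), prefix=".dynfi.conf.")
    with os.fdopen(fd, "w") as tmp:
        tmp.write("\n".join(result) + "\n")
    os.chmod(tmp_name, stat.S_IRUSR | stat.S_IWUSR)   # 0600: owner read/write only
    os.replace(tmp_name, path)                        # atomic rename on POSIX
    return read_config(path)


def demo():
    """Run the helper against a constructed sample config in a temporary directory."""
    workdir = tempfile.mkdtemp()
    conf = Path(workdir) / "dynfi.conf"
    # Constructed sample: a config that still carries an old password.
    conf.write_text("# DynFi configuration (constructed sample)\n"
                    "bcryptCost=12\n"
                    "encryptionPassword=old_password\n")
    config = set_config_option(conf, "encryptionPassword",
                               "my_very_L0ng_and_R4ndom_encryption_P@SSWORD")
    mode = stat.S_IMODE(os.stat(conf).st_mode)
    return {"config": config,
            "owner_only": (mode & 0o077) == 0,
            "line_count": len(conf.read_text().splitlines())}


if __name__ == "__main__":
    print(demo())
```

Run it against the real file only after the database backup the text recommends; the permission tightening matters because anyone who can read the configuration file can decrypt every secret in the database.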

7.4. How to change the encryption password?

Once the encryption password has been set in the configuration, it cannot simply be changed: the encrypted secrets must be migrated from encryption under the old password to encryption under the new one. If you need to change your encryption password (e.g. because it has been compromised), DynFi provides a tool for this.

To migrate to a new encryption password, first stop DynFi. (Creating a database backup is advised here too.) Then run DynFi’s encryption wizard, which can change or remove the encryption password (you can also give the path to your custom configuration file if it is not in the default location):

java -jar /path/to/dynfi.jar changeEncryptionPassword [--config /path/to/my/custom_dynfi.conf]

Navigate with the arrow and Tab keys and select with the [Enter] key. First, the wizard shows which database is in use:

[Figure: Encryption wizard intro]

For databases whose secrets are not yet encrypted, the wizard only asks for the new password, entered twice:

[Figure: Encryption wizard with unencrypted secrets]

For databases whose secrets are already encrypted, the wizard additionally requires the current (old) password:

[Figure: Encryption wizard with encrypted secrets]

To set or update the encryption password, enter the new password twice and select <Set new password>:

[Figure: Encryption wizard, new password required twice]

The conversion does not begin until it is confirmed:

[Figure: Encryption wizard confirmation before conversion]

Next, the progress can be observed (relevant if there are many secrets and the conversion takes a while):

[Figure: Encryption wizard conversion progress]

When the conversion completes, the wizard confirms it:

[Figure: Encryption wizard conversion finished confirmation]

Now the new encryptionPassword has to be set in DynFi’s configuration.

If the encryption password should no longer be used at all, the wizard allows that too: select the <Remove password> button and follow the very similar procedure. After completion, do not forget to remove encryptionPassword from DynFi’s configuration.

7.5. I have lost my encryption password

If the encryption password has been lost or forgotten, there is no way to recover it in DynFi. If the secrets in the database are encrypted and the encryption password has not been provided or is incorrect, DynFi will not start.

7.6. How are user passwords stored?

User passwords (i.e. the passwords users use to log in) are stored differently, using the bcrypt password hashing algorithm. The default bcrypt cost (“the strength of the hash”) can be overridden in the configuration with the bcryptCost option, e.g.

bcryptCost=14

Be aware that incrementing bcryptCost by one should double the CPU time needed to hash and to verify a password. Also, the cost factor of already stored user passwords does not change until the password is changed. Therefore, to increase the “hash strength” after raising bcryptCost, each user has to change their password.
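Because stored hashes keep their old cost until the user changes the password, an administrator may want to know which accounts still lag behind the configured bcryptCost. The following Python audit is an added example, not DynFi’s own code: it assumes the stored hashes are in the standard modular-crypt bcrypt string format ($2a$/$2b$/$2y$, two-digit cost, salt, digest), which most bcrypt implementations produce but which the page does not state; how to export the (username, hash) pairs from DynFi’s database is not described on the page, so the rows below are constructed dummy values of the right shape, not hashes of any real password.

```python
import re

# Modular crypt format used by bcrypt: $2a$/$2b$/$2y$, a two-digit cost,
# then a 22-character salt and a 31-character digest in bcrypt's base64 alphabet.
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def bcrypt_cost(stored_hash):
    """Return the cost factor embedded in a stored bcrypt hash (raises on malformed input)."""
    match = BCRYPT_RE.match(stored_hash)
    if match is None:
        raise ValueError("not a bcrypt hash")
    return int(match.group(2))


def work_ratio(stored_cost, configured_cost):
    """Relative work of the configured cost versus the stored one: each +1 doubles it."""
    return 2.0 ** (configured_cost - stored_cost)


def audit_hashes(records, configured_cost):
    """For each (username, stored_hash) pair, report the stored cost and whether the
    hash lags behind the configured bcryptCost, i.e. the user still has to change
    the password before the new cost takes effect for that account."""
    report = {}
    for username, stored_hash in records:
        try:
            cost = bcrypt_cost(stored_hash)
        except ValueError as err:
            report[username] = {"error": str(err)}   # corrupt or foreign record
            continue
        report[username] = {
            "cost": cost,
            "needs_rehash": cost < configured_cost,
            "work_ratio": work_ratio(cost, configured_cost),
        }
    return report


# Constructed sample rows: salt and digest parts are dummy strings of the right
# length and alphabet, not the hash of any real password.
_SALT = "abcdefghijklmnopqrstuv"             # 22 characters
_DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"   # 31 characters
SAMPLE_RECORDS = [
    ("alice", f"$2b$12${_SALT}{_DIGEST}"),   # hashed before bcryptCost was raised to 14
    ("bob",   f"$2b$14${_SALT}{_DIGEST}"),   # already at the configured cost
    ("carol", f"$2a$10${_SALT}{_DIGEST}"),   # older record with the older prefix variant
    ("dave",  "not-a-bcrypt-hash"),          # malformed record, reported separately
]

if __name__ == "__main__":
    for user, entry in audit_hashes(SAMPLE_RECORDS, configured_cost=14).items():
        print(user, entry)
```

With bcryptCost=14, alice’s hash (cost 12) and carol’s (cost 10) are flagged; the work_ratio shows how much more expensive verification becomes for them once they change their password (4x and 16x respectively), which is also a rough guide to the login latency to expect.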

Please note that your password will never be secure (even with the most sophisticated cryptographic solutions) if it is easy to guess. Avoid easy passwords, especially ones that can be found in dictionaries. Use lower-case and upper-case letters, digits and special characters to increase the strength of your password. Never use the same password in two or more systems.