7. Storing secrets in DynFi database¶
7.1. What is “a secret”?¶
To connect to various devices, DynFi has to authenticate. For example, in order to establish SSH connection to a device, DynFi has to use a password or a SSH private key. Also, to send e-mails, DynFi needs to authenticate to SMTP server. All these passwords and private keys are called “secrets” below.
7.2. Default storage format¶
By default secrets in DynFi’s database are kept in unencrypted way.
7.3. How to turn on encryption of secrets in the database?¶
To turn on encryption of the secrets in the DynFi’s database, it is enough to specify
encryptionPassword option in
DynFi’s configuration. For example, it can be added to configuration file (default
/etc/dynfi.conf) the following way:
When DynFi starts next time, it will detect that
encryptionPassword has been specified and secrets in the database
are not encrypted, so it will encrypt all secrets during this start-up.
It is advised to create database backup before.
For other ways of tuning the configuration, refer to Configuration chapter.
7.4. How to change encryption password?¶
Once the encryption password has been set in configuration, it cannot be changed without migrating encrypted secrets from being encrypted using old password to being encrypted using new password. In case you need to change your encryption password (e.g. because it has been compromised), it is possible using DynFi.
To migrate to new encryption password, stop DynFi first. (It is advised to create database backup too.) Then run DynFi’s encryption wizard to change or drop encryption password (you can also specify path to your custom configuration file if not using the default location):
java -jar /path/to/dynfi.jar changeEncryptionPassword [--config /path/to/my/custom_dynfi.conf]
To navigate, use arrows and tab keys, select using [Enter] key. First, the wizard will inform which database is used:
In case of databases in which secrets are not encrypted, the wizard will only allow entering new password twice:
In case of databases in which secrets are already encrypted, the wizard will also require the current (old) password:
In order to set or update encryption password, enter the new encryption password twice and select <Set new password>:
The conversion will not begin if not confirmed:
Next, progress can observed (if there are many secrets and conversion takes a while):
After completing the conversion, it is confirmed by the wizard.
Now the new
encryptionPassword has to be set in DynFi’s configuration.
If the encryption password should be not used any longer, the wizard allows that too. To do that, just select <Remove password> button and follow very similar procedure. After completion, do not forget to remove encryptionPassword from DynFi’s Configuration.
7.5. I have lost my encryption password¶
In case the encryption password has been lost or forgotten, there is no way to recover that in DynFi. If the secrets in database are encrypted and the encryption password has not been provided or is incorrect, DynFi will not start.
7.6. How are user passwords stored?¶
User passwords (i.e. the passwords that are used by users to log in) are stored in a different way, using password
hashing algorithm bcrypt. The default cost of bcrypt hashing (“the strength of the hash”) can be overridden in configuration
bcryptCost option, e.g.
Be aware, that incrementing the
bcryptCost by one should double the CPU time needed to hash and verify password.
Also, the cost factor of already stored users’ passwords is not changed until the password is changed. Therefore in order to
increase “hash strength” after increasing
bcryptCost, a user has to change the password.
Please note that your password will never be secure (even using the most sophisticated cryptography solutions), if it is easy to guess. Avoid easy passwords, especially if they can be find in dictionaries. Use small and upper caps, digits and special characters to increase the strength of your password. Never use the same password in two or more systems.