Encrypting Passwords in the Database


Learn how to encrypt passwords stored in the database.

What you'll learn

  • Encrypt your passwords stored in the database

Prerequisites

  • A CoreMedia system
  • Knowledge about the CoreMedia system's file structure, configuration, and operation

Time matters

Encrypting the passwords will take 5-10 minutes. For a Replication Live Server you must wait for the initial replication.

Should I read this?

This guide is for developers and administrators.

The cm encryptpasswords utility encrypts all passwords stored in the database (more precisely, the hash values of the passwords) with a 256-bit key using the AES algorithm (Rijndael).

When starting the utility, make sure that the corresponding CoreMedia Content Server is not running.

Encrypting the passwords of a Replication Live Server needs slightly more care:

  1. Set the property replicator.enable to false.

  2. Start the server.

  3. Wait until the initial replication is complete.

  4. Stop the server.

  5. Encrypt the passwords with cm encryptpasswords.

  6. Set the property replicator.enable back to true.

The utility program is executed with:

cm encryptpasswords -encrypt

During operation, the utility writes some output to indicate the progress of encryption.

The generated key is written to the file $INSTALL_DIR/etc/keys/<databasename>.<dbuser>.rijndael.

Do not delete this key file. Make sure that a backup exists in a safe place. Without the file, it is no longer possible to log in.

You must copy this file to the Content Server installation under $INSTALL_DIR/etc/keys. The path can be configured by setting the property cap.server.encrypt-passwords-key-file.

If you install a new server but keep using the old database, the key file from the old installation must be present in the new installation. Likewise, if you install and use a new database, you must delete the key file. Otherwise, the program would try to decrypt the passwords in the new database, which are not encrypted.

When the utility is used more than once, the passwords will be re-encrypted with a new key.
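
The key file backup and the re-encryption behavior described above can be handled together by a small script run after each cm encryptpasswords -encrypt. This is an added example, not CoreMedia code; the backup directory, the 0700/0600 modes, the hash-suffixed backup names and the use of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example: back up the *.rijndael key files and verify each copy.
# Assumptions (not from the CoreMedia documentation): backup location,
# file modes, hash-suffixed names, and sha256sum being installed.

# Print only the SHA-256 hex digest of a file.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# backup_key_files INSTALL_DIR BACKUP_DIR
# Copies every key file from INSTALL_DIR/etc/keys to BACKUP_DIR.
# Each copy is named <keyfile>.<first 12 hex digits of its hash>, so a key
# generated by a later re-encryption never overwrites the backup of an
# older key that a restored database might still need.
# Returns 0 if at least one key file was found and every copy verified.
backup_key_files() {
    keys_dir="$1/etc/keys"
    backup_dir="$2"
    found=0
    [ -d "$keys_dir" ] || { echo "missing $keys_dir" >&2; return 1; }
    mkdir -p "$backup_dir" && chmod 700 "$backup_dir" || return 1
    for key in "$keys_dir"/*.rijndael; do
        [ -f "$key" ] || continue    # glob matched nothing
        found=1
        digest=$(file_sha256 "$key")
        copy="$backup_dir/$(basename "$key").$(printf '%s' "$digest" | cut -c1-12)"
        cp -p "$key" "$copy" || return 1
        chmod 600 "$copy" || return 1    # readable by the owner only
        if [ "$(file_sha256 "$copy")" != "$digest" ]; then
            echo "backup of $key does not match the original" >&2
            return 1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no key file in $keys_dir" >&2; return 1; }
    return 0
}
```

Call it as backup_key_files "$INSTALL_DIR" /path/to/backup, with the backup path on storage separate from the server installation.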

Decrypting the Passwords

If you want to revert to decrypted passwords, run the following command and remove the key file from the server installation afterwards:

cm encryptpasswords -decrypt
Copyright © 2024 CoreMedia GmbH, CoreMedia Corporation. All Rights Reserved.