Password encryption
All passwords for external systems stored in Crowd are encrypted by default.
The password encryption functionality is available starting from Crowd 4.2.
If you're an upgrading user, the passwords stored in Crowd will be encrypted automatically during the upgrade to Crowd 4.2 or later.
Starting from Crowd 4.2, it's crucial to back up your encryption keys. Without them you won't be able to properly restore Crowd from backup.
The keys are stored in the shared folder {crowdHome}/shared/keys. To back up the keys, copy that directory to a secure place.
To restore correctly from a backup that contains encrypted passwords, the corresponding keys must be present in {crowdHome}/shared/keys; otherwise Crowd won't be able to decrypt the passwords.
Here's the complete list of sensitive data that Crowd encrypts:
- LDAP directory password
- Remote Crowd directory application password
- Microsoft Entra ID web application key
- SMTP mail password
- Proxy password
FAQ
Crowd encrypts your passwords using the following algorithm:
- AES/CBC/PKCS5Padding
Yes. Password encryption is enabled by default in Crowd 4.2. To disable it, issue an admin-authenticated PUT request to the following URL: {baseUrl}/rest/admin/1.0/encryption/disable
To re-enable password encryption, follow the procedure for changing the encryption algorithm.
For security reasons, we recommend rotating the encryption key at least once per year. If the encryption key is leaked, you must rotate it immediately.
Issue an admin-authenticated PUT request to the following URL: {baseUrl}/rest/admin/1.0/encryption/changeKey
Existing data will be automatically re-encrypted using the new encryption key.
The REST endpoints support both basic authentication and the Crowd token key (usually the crowd.token_key cookie). Depending on configuration, Crowd might not allow a token key cookie to be reused from an IP address different from the initial one.
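The key-rotation request described above, as an added example that is not Atlassian's code: it builds the admin-authenticated PUT for the changeKey (or disable) endpoint using HTTP Basic authentication, which the page says the endpoints accept and which avoids the IP-bound token cookie. The base URL, the admin account and the Accept header are assumptions; the endpoint paths are the ones on this page.

```python
import base64
import urllib.error
import urllib.request

# Path of the admin encryption endpoints named on this page.
ENCRYPTION_API = "/rest/admin/1.0/encryption"
ACTIONS = ("changeKey", "disable")  # changeKey rotates the key, disable turns encryption off


def basic_auth_header(username, password):
    """HTTP Basic credentials for the Authorization header (RFC 7617)."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_encryption_request(base_url, action, username, password):
    """Build the admin-authenticated PUT request for one encryption action.

    base_url is the Crowd base URL, e.g. https://crowd.example.com/crowd
    (hypothetical host). Only the two actions on this page are accepted, so a
    typo cannot turn into a request against some other admin endpoint.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown encryption action {action!r}; expected one of {ACTIONS}")
    url = f"{base_url.rstrip('/')}{ENCRYPTION_API}/{action}"
    req = urllib.request.Request(url, method="PUT")
    req.add_header("Authorization", basic_auth_header(username, password))
    req.add_header("Accept", "application/json")  # assumption: response format
    return req


def send(req, timeout=60):
    """Send the request and return (status, body). Re-encrypting existing data
    happens server-side, so allow a generous timeout for changeKey."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        # 401/403: credentials not accepted or the account lacks admin rights
        return err.code, err.read().decode("utf-8", errors="replace")


def rotate_key(base_url, username, password):
    """Rotate the encryption key; Crowd re-encrypts existing data itself."""
    return send(build_encryption_request(base_url, "changeKey", username, password))


if __name__ == "__main__":
    import getpass
    import sys
    # usage: python rotate_key.py https://crowd.example.com/crowd admin
    base, user = sys.argv[1], sys.argv[2]
    status, body = rotate_key(base, user, getpass.getpass("Crowd admin password: "))
    print(status, body)
```

The password is read with getpass rather than passed on the command line, so it does not land in shell history or process listings. Back up {crowdHome}/shared/keys before calling rotate_key, as the page advises for the keys in general.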
If the encryption key is missing, Crowd won't be able to decrypt passwords, and all passwords will have to be restored manually.
If your admin account comes from a remote directory, the admin won't be able to authenticate. In that case Crowd will need to be started in recovery mode so that the passwords can be restored manually. See Using recovery mode.
You should consider disabling password encryption only if you notice that this functionality is causing problems with the upgrade. To do so, set the following JVM system property:
-Dcrowd.encryption.upgrade.disabled=true
For higher security, restrict the filesystem permissions on {crowdHome}/shared/keys so that only the Crowd user (on all nodes) has access to this directory.
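The key backup described at the top of the page and the permission restriction just above, as one added example that is not Atlassian's code: it copies {crowdHome}/shared/keys to a backup location, restricts both copies to the owning user, reports anything that would block a restore or expose the keys, and puts the keys back into a restored home without overwriting existing ones. The 0700/0600 modes, the backup layout and the placeholder key file in the demo are assumptions; the directory path is the one on this page.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

KEYS_SUBDIR = Path("shared") / "keys"    # {crowdHome}/shared/keys, as on this page
DIR_MODE = stat.S_IRWXU                  # 0700: only the owning (Crowd) user
FILE_MODE = stat.S_IRUSR | stat.S_IWUSR  # 0600


def keys_dir(crowd_home):
    return Path(crowd_home) / KEYS_SUBDIR


def lock_down(directory):
    """Restrict a keys directory and everything under it to the owner."""
    os.chmod(directory, DIR_MODE)
    for p in Path(directory).rglob("*"):
        os.chmod(p, DIR_MODE if p.is_dir() else FILE_MODE)


def permission_findings(crowd_home):
    """Findings that would stop a restore or expose the keys: a missing or empty
    directory, or any entry readable or writable by group/others."""
    d = keys_dir(crowd_home)
    if not d.is_dir():
        return [f"missing: {d} (Crowd cannot decrypt passwords without it)"]
    findings = []
    if not any(p.is_file() for p in d.rglob("*")):
        findings.append(f"empty: {d}")
    for p in [d, *d.rglob("*")]:
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{p}: accessible to group/others (mode {mode:04o})")
    return findings


def backup_keys(crowd_home, backup_root, label):
    """Copy the keys directory to backup_root/label and lock the copy down.
    Refuses a missing/empty keys directory and never overwrites an old backup."""
    src = keys_dir(crowd_home)
    if not src.is_dir() or not any(src.iterdir()):
        raise FileNotFoundError(f"no encryption keys under {src}")
    dest = Path(backup_root) / label
    shutil.copytree(src, dest)  # raises FileExistsError rather than overwriting
    lock_down(dest)
    return dest


def restore_keys(backup_dir, crowd_home):
    """Put backed-up keys into a (restored) Crowd home without clobbering keys
    that are already there."""
    dest = keys_dir(crowd_home)
    if dest.is_dir() and any(dest.iterdir()):
        raise FileExistsError(f"{dest} already contains keys; refusing to overwrite")
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copytree(backup_dir, dest, dirs_exist_ok=True)
    lock_down(dest)
    return dest


def run_demo():
    """Exercise the helpers on a throwaway Crowd home holding one constructed
    placeholder file (not a real Crowd key) that is deliberately world-readable."""
    root = Path(tempfile.mkdtemp(prefix="crowd-keys-demo-"))
    home = root / "crowd-home"
    kd = keys_dir(home)
    kd.mkdir(parents=True)
    key_file = kd / "placeholder.key"
    key_file.write_bytes(b"CONSTRUCTED PLACEHOLDER - NOT A REAL KEY")
    os.chmod(kd, 0o755)
    os.chmod(key_file, 0o644)
    before = permission_findings(home)   # two findings: the directory and the file
    backup = backup_keys(home, root / "backups", "keys-backup-1")
    lock_down(kd)                        # harden the live directory as well
    after = permission_findings(home)    # no findings
    restored_home = root / "restored-home"
    restore_keys(backup, restored_home)
    return {
        "findings_before": before,
        "findings_after": after,
        "backup_matches": (backup / "placeholder.key").read_bytes() == key_file.read_bytes(),
        "restored_findings": permission_findings(restored_home),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Run permission_findings against each node's Crowd home after a restore and before starting Crowd: an empty list means the keys are in place and only the Crowd user can read them; a "missing" finding means the restore will come up unable to decrypt the stored passwords.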