Password encryption

All passwords for external systems stored in Crowd are encrypted by default.

The password encryption functionality is available starting from CROWD 4.2.

If you're an upgrading user, your passwords stored in Crowd will be encrypted automatically during upgrade to Crowd 4.2 or later.

Staring from Crowd 4.2 it's crucial to make sure you backup your encryption keys. Without them you won't be able to properly restore Crowd from backup.

How do I backup and restore keys?

The keys are stored in the shared folder {crowdHome}/shared/keys. To backup the keys copy the mentioned directory to the secure place.


To correctly restore from backup with encrypted passwords, corresponding keys must be present in the {crowdHome}/shared/keys, otherwise Crowd won’t be able to decrypt passwords.


Here's the complete list of sensitive data which Crowd encrypts: 

  • LDAP directory password

  • Remote Crowd directory application password

  • Azure AD web application key

  • SMTP mail password

  • Proxy password


FAQ

How do I change the encryption algorithm?

Crowd can encrypt your password using one of the following algorithms:

  • AES/CBC/PKCS5Padding (default)
  • DES/CBC/PKCS5Padding

  • DESede/CBC/PKCS5Padding

To change the default encryption algorithm:
  1. Issue the admin authenticated PUT request to the following URL:

    {baseUrl}/rest/admin/1.0/encryption/encryptor.
  2. Set content type to application/json.
  3. Set body to algorithm name.

List of available names can be found through GET request to {baseUrl}/rest/admin/1.0/encryption

Can I disable password encryption?

Yes. Password encryption is enabled by default in Crowd 4.2. To disable it, issue the admin authenticated PUT request to the following URL {baseUrl}/rest/admin/1.0/encryption/disable

The password encryption will be disabled and your existing data will be automatically decrypted.

To reenable your password encryption, follow the procedure for changing the encryption algorithm.

How do I rotate the encryption key?

For security reasons, we recommend rotating the encryption key at least once per year. If the security key is leaked, you must rotate it immediately.


Issue admin authenticated PUT request to the following url {baseUrl}/rest/admin/1.0/encryption/changeKey .

Existing data will be automatically re-encrypted using new encryption key.

How do I issue authenticated request to the mentioned endpoints?

Rest endpoints support both basic authentication and Crowd token key (usually crowd.token_key). Depending on configuration, Crowd might not allow to re-use token key cookie on IP address different than the initial one.

How do I recover when I lost my encryption key?

If the encryption key is missing, Crowd won’t be able to decrypt passwords. All passwords will have to be restored manually.

If your admin account comes from remote directory, admin won’t be able to authenticate. In such case Crowd will need to be started in recovery mode to restore passwords manually. See Using recovery mode.

How do I disable encryption during upgrade?

You should consider disabling password encryption only if you notice that this functionality is causing you problems with the upgrade.

To disable password encryption during upgrade:

Start Crowd with the following flag -Dcrowd.encryption.upgrade.disabled=true

How can I be sure that my encryption key is safe?

For higher security, please restrict filesystem permission  for {crowdHome}/shared/keys so that only Crowd user (on all nodes) have access to this directory.




Last modified on Nov 18, 2022

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.