# Encryption
Chevereto uses the ChaCha20 algorithm to cipher secrets and sensitive data. When enabled, Chevereto stores these values encrypted in the database.

**Requires manual update:** Encryption in Chevereto was added in v4.0.0-beta.10. If you installed Chevereto prior to this release you will need to enable encryption manually.
## What is encrypted?

### Settings secrets

The following settings are encrypted in the database:

| Setting | Key |
|---|---|
| API V1 key (public) | `api_v1_key` |
| Album password | `album_password` |
| SMTP server | `email_smtp_server` |
| SMTP port | `email_smtp_server_port` |
| SMTP username | `email_smtp_server_username` |
| SMTP password | `email_smtp_server_password` |
| reCAPTCHA secret key | `recaptcha_private_key` |
| Disqus secret key | `disqus_secret_key` |
| Akismet API key | `akismet_api_key` |
| ModerateContent API key | `moderatecontent_key` |
| Project Arachnid API username | `arachnid_api_username` |
| Project Arachnid API password | `arachnid_api_password` |
### Storage credentials

The following columns of the `chv_storages` table are encrypted in the database:

- `server`
- `service`
- `account_id`
- `account_name`
- `key`
- `secret`
- `bucket`
### Two-factor secrets

Two-factor secret codes used to generate TOTP are encrypted in the database (table `chv_two_factors`).
## Key

The encryption key is a base64-encoded random string of 32 bytes. To generate a key, use openssl:

```shell
openssl rand -base64 32
```
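The cipher named in the introduction and the key format described in this section, written out as an added example (this is not Chevereto's own code): a minimal ChaCha20 per RFC 8439, a validator that checks a `CHEVERETO_ENCRYPTION_KEY` value is strict base64 decoding to exactly 32 bytes (the shape `openssl rand -base64 32` produces), and a round trip of a constructed secret. How Chevereto frames the nonce and ciphertext in the database is not stated on this page; the nonce-prefix layout and all function names here are assumptions.

```python
# Added example, not Chevereto's code: minimal ChaCha20 (RFC 8439) plus a
# validator for the base64 key format described on the page. The nonce||ciphertext
# framing below is an assumption; the page does not describe Chevereto's layout.
import base64
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def quarter_round(s, a, b, c, d):
    """RFC 8439 section 2.1 quarter round, applied in place to state words a, b, c, d."""
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """Return the 64-byte keystream block for (32-byte key, block counter, 12-byte nonce)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))   # the four ChaCha constants
             + list(struct.unpack("<8I", key))
             + [counter & MASK32]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds
        quarter_round(w, 0, 4, 8, 12); quarter_round(w, 1, 5, 9, 13)     # column round
        quarter_round(w, 2, 6, 10, 14); quarter_round(w, 3, 7, 11, 15)
        quarter_round(w, 0, 5, 10, 15); quarter_round(w, 1, 6, 11, 12)   # diagonal round
        quarter_round(w, 2, 7, 8, 13); quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out.extend(p ^ k for p, k in zip(data[i:i + 64], block))
    return bytes(out)


def parse_encryption_key(b64_key):
    """Validate a CHEVERETO_ENCRYPTION_KEY value: strict base64 that decodes to
    exactly 32 bytes, which is what `openssl rand -base64 32` emits."""
    try:
        raw = base64.b64decode(b64_key.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("encryption key is not valid base64") from exc
    if len(raw) != 32:
        raise ValueError(f"encryption key decodes to {len(raw)} bytes, expected 32")
    return raw


def encrypt_secret(raw_key, plaintext):
    """Assumed framing (not from the page): fresh random 12-byte nonce || ciphertext.
    A nonce must never be reused under the same key, hence os.urandom per call."""
    nonce = os.urandom(12)
    return nonce + chacha20_xor(raw_key, nonce, plaintext.encode("utf-8"))


def decrypt_secret(raw_key, blob):
    if len(blob) < 12:
        raise ValueError("ciphertext too short to contain a nonce")
    return chacha20_xor(raw_key, blob[:12], blob[12:]).decode("utf-8")


def rfc8439_sunscreen_ciphertext():
    """Encrypt the RFC 8439 section 2.4.2 test vector; returns the ciphertext as hex."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000000000004a00000000")
    plaintext = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
                 b"only one tip for the future, sunscreen would be it.")
    return chacha20_xor(key, nonce, plaintext, counter=1).hex()


def roundtrip_demo(b64_key, secret):
    """Validate the key, encrypt a secret, decrypt it again; returns the recovered text."""
    raw = parse_encryption_key(b64_key)
    return decrypt_secret(raw, encrypt_secret(raw, secret))


if __name__ == "__main__":
    # Constructed key: base64 of 32 random bytes, the same shape as `openssl rand -base64 32`.
    demo_key = base64.b64encode(os.urandom(32)).decode()
    print(roundtrip_demo(demo_key, "smtp-password-example"))
    print(rfc8439_sunscreen_ciphertext()[:32])
```

The RFC test vector confirms the implementation is real ChaCha20 rather than something that merely round-trips. Two points the code makes explicit: the key check is the step to run before placing a value in the environment (a key of the wrong length or with stray characters fails loudly instead of silently producing unusable ciphertext), and ChaCha20 on its own is a stream cipher that provides confidentiality but not integrity; whether Chevereto adds an authentication tag is not stated on this page.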
### Key security

Handle the encryption key with the same discretion as a password.
- The encryption key should remain private.
- Don't re-use the same key in different installations.
- Backup the key in a safe location.
## Enabling encryption

To enable encryption, provide the `CHEVERETO_ENCRYPTION_KEY` environment variable.
This key is automatically provided on setup and stored in the `app/env.php` file.
### From previous versions

Chevereto installations that predate the introduction of encryption need to cipher the existing data manually. This is a one-time process that encrypts the plain-text data stored in the database.

To manually enable encryption:

- Enable maintenance mode.
- Configure the `CHEVERETO_ENCRYPTION_KEY` variable.
- Run the `encrypt-secrets` command.
- Disable maintenance mode.
## Disabling encryption

When disabling encryption, all the cipher texts stored in the database are reverted to their plain-text values.

To disable encryption:

- Enable maintenance mode.
- Run the `decrypt-secrets` command.
- Configure the `CHEVERETO_ENCRYPTION_KEY` variable to an empty string.
- Disable maintenance mode.