# Encryption
Chevereto uses the ChaCha20 algorithm to encrypt secrets and sensitive data. When enabled, Chevereto stores these values encrypted in the database.
Requires manual update
Encryption in Chevereto was added in v4.0.0-beta.10. If you installed Chevereto prior to this release, you will need to enable encryption manually.
# What is encrypted?
# Settings secrets
The following setting secrets are encrypted in the database:
Setting | Key |
---|---|
SMTP server and port | email_smtp_server |
SMTP server and port | email_smtp_server_port |
SMTP username | email_smtp_server_username |
SMTP password | email_smtp_server_password |
reCAPTCHA secret key | recaptcha_private_key |
Disqus secret key | disqus_secret_key |
Akismet API key | akismet_api_key |
ModerateContent API Key | moderatecontent_key |
Project Arachnid API Key | arachnid_key |
XR Debug Host | xr_host |
XR Debug Port | xr_port |
XR Debug Key | xr_key |
# Storage credentials
The following storage columns are encrypted in the database:
Table chv_storages |
---|
server |
service |
account_id |
account_name |
key |
secret |
bucket |
# Two-factor secrets
Two-factor secret codes are encrypted in the database.
# Key
The encryption key is a base64-encoded random string of size 32. To generate a key, use `openssl`:

```sh
openssl rand -base64 32
```
# Key security
- The encryption key should remain private.
- Don't re-use the same key in different installations.
- Backup the key in a safe location.
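
A pre-flight check for the rules in the Key and Key security sections, as an added example that is not part of the Chevereto documentation or code base. The function names are hypothetical, and it assumes that "size 32" means 32 decoded bytes (what `openssl rand -base64 32` produces) and that coreutils `base64 -d` is available.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for CHEVERETO_ENCRYPTION_KEY.
# Function names are hypothetical; assumes coreutils `base64 -d`, `wc`, `ls`, `cut`.

# check_encryption_key KEY
#   0 = base64 that decodes to exactly 32 bytes
#   1 = empty (an empty key is how the page disables encryption)
#   2 = not valid base64
#   3 = valid base64, but the decoded length is not 32 bytes
check_encryption_key() {
    local key="$1" len
    [ -n "$key" ] || return 1
    # Decode to /dev/null first: the key material is never printed.
    printf '%s' "$key" | base64 -d >/dev/null 2>&1 || return 2
    len=$(( $(printf '%s' "$key" | base64 -d | wc -c) ))
    [ "$len" -eq 32 ] || return 3
    return 0
}

# key_file_is_private FILE
#   Succeeds only when FILE exists and grants nothing to group or others,
#   e.g. mode 600 or 400. FILE is whatever file holds the key (env file, backup).
key_file_is_private() {
    local perms
    perms=$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run as: script --check /path/to/file-holding-the-key
if [ "${1:-}" = "--check" ]; then
    rc=0
    check_encryption_key "${CHEVERETO_ENCRYPTION_KEY:-}" || rc=$?
    echo "key check status: $rc"
    if key_file_is_private "${2:-}"; then
        echo "key file permissions: private"
    else
        echo "key file permissions: missing file or readable by group/others"
    fi
fi
```

A status of 3 usually means the key was generated with a different byte count or was truncated when it was copied.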
# Enabling encryption
To enable encryption provide the CHEVERETO_ENCRYPTION_KEY environment variable.
This key is automatically provided when using HTTP setup and is stored in the env.php file.
# From previous versions
Chevereto installations that predate the introduction of encryption must manually encrypt the existing data. This is a one-time process that encrypts the plain text data stored in the database.
To manually enable encryption:
- Enable maintenance mode.
- Configure the CHEVERETO_ENCRYPTION_KEY variable.
- Run encrypt-secrets command.
- Disable maintenance mode.
# Disabling encryption
To disable encryption:
- Enable maintenance mode.
- Run decrypt-secrets command.
- Configure the CHEVERETO_ENCRYPTION_KEY variable to empty string.
- Disable maintenance mode.