# 🔑 Encryption

Chevereto uses the ChaCha20 algorithm to encrypt secrets and sensitive data. When enabled, Chevereto stores these values encrypted in the database.

Requires manual update

Encryption in Chevereto was added in v4.0.0-beta.10. If you installed Chevereto prior to this release, you will need to manually enable encryption.

# What is encrypted?

# Settings secrets

The following setting secrets are encrypted in the database:

| Setting | Key |
| --- | --- |
| SMTP server and port | `email_smtp_server` |
| SMTP server and port | `email_smtp_server_port` |
| SMTP username | `email_smtp_server_username` |
| SMTP password | `email_smtp_server_password` |
| reCAPTCHA secret key | `recaptcha_private_key` |
| Disqus secret key | `disqus_secret_key` |
| Akismet API key | `akismet_api_key` |
| ModerateContent API Key | `moderatecontent_key` |
| Project Arachnid API Key | `arachnid_key` |
| XR Debug Host | `xr_host` |
| XR Debug Port | `xr_port` |
| XR Debug Key | `xr_key` |

# Storage credentials

The following storage columns are encrypted in the database:

| Table `chv_storages` |
| --- |
| `server` |
| `service` |
| `account_id` |
| `account_name` |
| `key` |
| `secret` |
| `bucket` |

# Two-factor secrets

Two-factor secret codes are encrypted in the database.

# Key

The encryption key is a base64-encoded random string of size 32. To generate a key, use openssl:

```sh
openssl rand -base64 32
```

# Key security

  • The encryption key should remain private.
  • Don't re-use the same key in different installations.
  • Back up the key in a safe location.

# Enabling encryption

To enable encryption, provide the `CHEVERETO_ENCRYPTION_KEY` environment variable.

This key is automatically provided when using HTTP setup and is stored in the env.php file.
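
The key handling described under "Key" and "Key security", as an added example that is not part of Chevereto or its documentation: a POSIX shell helper that generates a key with the `openssl` command above, checks that it decodes to exactly 32 bytes, and stores it in a file only the owner can read. The function names and the env-file destination are assumptions, and the check assumes a `base64` utility that accepts `-d`.

```shell
#!/bin/sh
# Added example (not Chevereto code): generate, check and store a key for
# CHEVERETO_ENCRYPTION_KEY. The env-file path and format are assumptions.

# New key: 32 random bytes, base64-encoded (the command given on this page).
generate_key() {
    openssl rand -base64 32
}

# Number of raw bytes a base64 string decodes to.
decoded_length() {
    printf '%s\n' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

# True only when the value is non-empty and decodes to exactly 32 bytes,
# which catches truncated or hand-edited keys before they are deployed.
key_is_valid() {
    [ -n "$1" ] && [ "$(decoded_length "$1")" -eq 32 ]
}

# Store the key as NAME=value in a file only the owner can read.
# $1 = key, $2 = destination file (hypothetical, e.g. an env file).
write_key_file() {
    key_is_valid "$1" || { echo "refusing to store malformed key" >&2; return 1; }
    # umask covers a newly created file; chmod covers a pre-existing one.
    ( umask 077 && printf 'CHEVERETO_ENCRYPTION_KEY=%s\n' "$1" > "$2" && chmod 600 "$2" )
}

# Usage: sh chevereto-key.sh generate /path/to/chevereto.env
if [ "${1:-}" = "generate" ] && [ -n "${2:-}" ]; then
    write_key_file "$(generate_key)" "$2"
fi
```

Generate a separate file per installation so that no key is shared between them, and include that file in whatever secured backup holds the key.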

# From previous versions

Chevereto installations that predate the introduction of encryption need to manually encrypt the existing data. This is a one-time process that encrypts the plain-text data stored in the database.

To manually enable encryption:

# Disabling encryption

To disable encryption: