Encrypting passwords in Unravel properties and settings

Unravel Server includes a command-line utility, pw_encrypt.sh, that can encrypt passwords (or anything alpha-numeric property value deemed sensitive).

Sample run of pw_encrypt.sh:

sudo /usr/local/unravel/install_bin/pw_encrypt.sh

The text you enter on the keyboard will not be displayed. After you press Enter (Return key), it displays a message like:


This result, including the ENC() part, can be put into /usr/local/unravel/etc/unravel.properties instead of the verbatim (unencrypted) raw password.

How it works

The file /usr/local/unravel/etc/entropy contains random text that is used to do encryption. This file is created only once during installation (or upgrade, if missing) using strong random numbers only available locally. If the entropy value is changed, stored encrypted passwords will become invalid. Salt is included so that if two passwords are identical, the encrypted texts are not in order to avoid inadvertently revealing clues.

Passwords are redacted from diagnostic or logs reports, but even if the encrypted form was accidentally transmitted or visible in an online meeting because the entropy file is never included, the encrypted value would be impossible to decrypt.