Password encryption in Pandora FMS
Pandora FMS supports database-stored password encryption. The encryption key is generated from a user-provided password and is not stored in the database (neither the key nor the password) so that passwords cannot be recovered from a database dump. Once the password is configured, encryption is visible for the user.
If you lose the password given by the user, you will not be able to recover the password stored in Pandora FMS Database. Save this password in a safe place and make a backup of:
Passwords are encrypted using the Rijndael encryption with 128 bit blocks in ECB mode. A 256 bit key is generated at startup from the password MD5.
Configuration in a newly installed Pandora FMS
To enable password encryption, the password must be configured in both Pandora FMS Server and Pandora FMS Console.
The steps for encryption are the following:
- Stop both Metaconsole and node servers.
- Update encryption_passphrase in
/var/www/html/pandora_console/include/config.phpboth in the node and Metaconsole.
$config["encryption_passphrase"]="your encryption passphrase";
- Launch the encryption script both in the node and Metaconsole.
Do not forget to restart Pandora FMS Server after saving the changes and launching the script.
Configuration in an existing Pandora FMS installation
This section is only relevant if you wish to update from version 743 to version 744. If that is not the case, encrypt it as if it were new.
Configure password encryption following the steps required for a newly installed Pandora FMS. At this point, any new passwords configured in the Pandora FMS Console will be stored in the database encrypted, but already existing passwords must be encrypted too. To that end, follow these steps:
- Stop both the Metaconsole and node servers.
- Launch the decryption script both in the Metaconsole as well as the node>
/usr/bin/pandora_encrypt_db -d -m /etc/pandora/pandora_server.conf
- Launch the encryption script both in the node and the Metaconsole:
- Restart the Metaconsole and node servers.
The script cannot be executed twice, otherwise passwords would get corrupted.
It is important to keep in mind that the -m parameter must be added to decrypt only old passwords. If that parameter is not added to previously encrypted databases, passwords will be lost.
Changing the encryption password
Changing the encryption password is possible in case it gets compromised. First, passwords stored within the database must be decrypted:
/usr/bin/pandora_encrypt_db -d /etc/pandora/pandora_server.conf
Then, after changing the encryption password (as described in the configuration in a newly installed Pandora FMS section), they can be encrypted again:
From 7.0NG.739 onwards, safe credential management is included.
In case of having an encrypted database available, to be able to keep using the credential manager without losing data, decrypt everything except for the table tcredential_store
For that purpose, execute the following commands:
/usr/bin/pandora_encrypt_db -d -c /etc/pandora/pandora_server.conf
Leave everything decrypted.
Once decrypted, encrypt it again:
If you only wish to encrypt from scratch, just execute the last command.
Removing encryption password
It is recommended to keep the whole password stored in Pandora FMS encrypted.
- Stop the server, both in Metaconsole and node.
- Comment encryption_passphrase in
/var/www/html/pandora_console/include/config.phptode in node and Metaconsole.
# $config["encryption_passphrase"]="your encryption passphrase";
- Launch the decryption script both in node and Metaconsole.
/usr/bin/pandora_encrypt_db -d -e /etc/pandora/pandora_server.conf
Rmember to restart Pandora FMS server after making the changes and launching the script.