Security
All Cindi clusters store a symmetric key used to encrypt and decrypt secrets in steps. This key is held in memory, and the cluster requires it before it can start normal functions.
The encryption key is not persisted to storage; however, a one-way hashed string is persisted to the DB and is used to verify the encryption key on the next startup.
User passwords are one-way hashed with PBKDF2, using Microsoft.AspNetCore.Cryptography.KeyDerivation, with the following parameters:
- Key Length: 256-bit key
- Salt: Passwords are salted using a set of random 16 bytes
- Hash Function: SHA-256
- Iterations: 10000
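The following is an added example, not Cindi's own code: it hashes and verifies a password with the parameters listed above through `KeyDerivation.Pbkdf2`. The class name, the `salt:hash` Base64 storage layout and the sample passwords are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Cryptography.KeyDerivation;

// Added example (hypothetical class, not part of Cindi).
public static class PasswordHashExample
{
    private const int SaltBytes = 16;      // 16 random bytes of salt
    private const int KeyBytes = 32;       // 256-bit derived key
    private const int Iterations = 10000;  // PBKDF2 iteration count

    // Returns "salt:hash", both Base64. This storage layout is an assumption.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(salt); // fresh salt per password
        }
        byte[] hash = KeyDerivation.Pbkdf2(
            password, salt, KeyDerivationPrf.HMACSHA256, Iterations, KeyBytes);
        return Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split(':');
        if (parts.Length != 2) return false;
        byte[] salt, expected;
        try
        {
            salt = Convert.FromBase64String(parts[0]);
            expected = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return false; } // malformed record
        if (salt.Length != SaltBytes || expected.Length != KeyBytes) return false;
        byte[] actual = KeyDerivation.Pbkdf2(
            password, salt, KeyDerivationPrf.HMACSHA256, Iterations, KeyBytes);
        // Constant-time comparison so timing does not reveal matching prefixes.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        string record = Hash("correct horse battery staple"); // constructed sample
        Console.WriteLine(Verify("correct horse battery staple", record));
        Console.WriteLine(Verify("wrong password", record));
    }
}
```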
Bot keys are made up of 6 components:
Component | Purpose |
---|---|
HashedIdKey | Hashed Secret Id key used for a bot to uniquely identify itself against Cindi |
HashedIdKeySalt | Salt used for the Id Key |
SecretEncryptionKey | Asymmetric encryption key used for encrypting passwords before sending steps to bots |
BotName | Changeable logical name |
Id | Safe identifier used to reference the bot in the database |
IsDisabled | Whether the key can be used |
Step secrets are decryptable by the original creator of the secret. The exception is a referenced secret: referenced secrets cannot be decrypted.