[RADIATOR] AuthBy SQLTOTP with encrypted secrets (RcryptKey)

Heikki Vatiainen hvn at open.com.au
Mon Sep 18 15:00:42 UTC 2023

On 12.9.2023 15.21, Schnurrenberger Tobias (ID) via radiator wrote:

> Is it somehow possible to store the shared secret in the SQL database in Rcrypt encrypted format and tell radiator to decrypt it with the given key? I could not find such configuration options in the docs.
> Could it be done e.g. with a hook?

Hello Tobias,

Currently this is not possible. There's no hook or other transformation 
possibility for the shared secret.

One option you could consider is encrypting the CB column that holds the 
shared secret. I think it's even possible to create a view, or function, 
that decrypts the value when Radiator selects it from the DB. This could 
be used to hide the encryption/decryption key completely from Radiator 
configuration because the transformation is done on the DB side.

> We are using radiator version 4.27-1 with this config snippet:

> AuthSelect SELECT base32_decode_to_hex(secret), active, pin, digits, bad_logins, accessed, last_timestep, algorithm, timestep, timestep_origin from RADIUS_TOTP_KEYS WHERE username=?

If base32_decode_to_hex() is already a local function you have created, 
then adding something similar for decrypting the value during the select 
might be worth experimenting with.


Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
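The DB-side approach Heikki sketches (encrypted secret column, a view that decrypts it, key kept out of the Radiator configuration) spelled out for PostgreSQL with pgcrypto. This is an added example written for this page; it is not from the thread, from Radiator, or from OSC. Assumed names: the table radius_totp_keys with the columns used in the AuthSelect above, a one-row key table totp_kek, the view radius_totp_keys_plain, and the roles totp_admin (owns the objects) and radiator (the account Radiator connects as). The key and the user secret are constructed sample values.

```sql
-- Added example (not Radiator's or the thread author's code): PostgreSQL + pgcrypto.
-- Assumed names: radius_totp_keys, totp_kek, radius_totp_keys_plain, roles totp_admin / radiator.
CREATE EXTENSION IF NOT EXISTS pgcrypto;
CREATE ROLE totp_admin;          -- owner of tables and view; never used by Radiator
CREATE ROLE radiator LOGIN;      -- what Radiator's DBSource connects as

-- 1. The TOTP secret is stored only as pgcrypto ciphertext (bytea).
CREATE TABLE radius_totp_keys (
    username        text PRIMARY KEY,
    secret_enc      bytea NOT NULL,        -- pgp_sym_encrypt(base32 secret, KEK)
    active          boolean NOT NULL DEFAULT true,
    pin             text,
    digits          integer NOT NULL DEFAULT 6,
    bad_logins      integer NOT NULL DEFAULT 0,
    accessed        timestamptz,
    last_timestep   bigint,
    algorithm       text NOT NULL DEFAULT 'SHA1',
    timestep        integer NOT NULL DEFAULT 30,
    timestep_origin bigint NOT NULL DEFAULT 0
);
ALTER TABLE radius_totp_keys OWNER TO totp_admin;

-- 2. The key encryption key lives in its own single-row table that only
--    totp_admin can read. The radiator role gets no grant on it at all.
CREATE TABLE totp_kek (
    id  integer PRIMARY KEY CHECK (id = 1),   -- forces exactly one key row
    kek text NOT NULL
);
ALTER TABLE totp_kek OWNER TO totp_admin;
INSERT INTO totp_kek VALUES (1, 'constructed-sample-key-use-a-long-random-one');
REVOKE ALL ON totp_kek, radius_totp_keys FROM PUBLIC;

-- 3. Decrypting view owned by totp_admin. A PostgreSQL view without
--    security_invoker runs with its owner's privileges, so the radiator
--    role can read the plaintext column through the view while the key
--    table stays unreadable to it. Radiator's config never sees the key.
CREATE VIEW radius_totp_keys_plain AS
SELECT k.username,
       pgp_sym_decrypt(k.secret_enc,
                       (SELECT kek FROM totp_kek WHERE id = 1)) AS secret,
       k.active, k.pin, k.digits, k.bad_logins, k.accessed,
       k.last_timestep, k.algorithm, k.timestep, k.timestep_origin
FROM radius_totp_keys k;
ALTER VIEW radius_totp_keys_plain OWNER TO totp_admin;
GRANT SELECT ON radius_totp_keys_plain TO radiator;

-- 4. Enrolment writes ciphertext only (constructed sample user and secret).
INSERT INTO radius_totp_keys (username, secret_enc)
VALUES ('alice',
        pgp_sym_encrypt('JBSWY3DPEHPK3PXP',
                        (SELECT kek FROM totp_kek WHERE id = 1)));

-- 5. Check as the radiator role: the secret comes back in clear through the
--    view, the raw column and the key table are denied.
SET ROLE radiator;
SELECT username, secret FROM radius_totp_keys_plain WHERE username = 'alice';
SELECT secret_enc FROM radius_totp_keys;   -- ERROR: permission denied
SELECT kek FROM totp_kek;                  -- ERROR: permission denied
RESET ROLE;
```

With the view in place the AuthSelect from the original post only changes its FROM clause, keeping the local base32_decode_to_hex() on the Radiator side: AuthSelect SELECT base32_decode_to_hex(secret), active, pin, digits, bad_logins, accessed, last_timestep, algorithm, timestep, timestep_origin FROM radius_totp_keys_plain WHERE username=?. Two caveats: this protects the key and the secrets in column dumps and backups, and against anyone holding only the radiator credentials from learning the key, but anyone who can connect as radiator (or as a superuser) still reads plaintext secrets through the view, so the DB connection should be TLS-protected and the radiator account locked down to that one view. The same construction works in MySQL/MariaDB with AES_DECRYPT() and a DEFINER view, with the same privilege split.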
