[RADIATOR] AuthBy SQLTOTP with encrypted secrets (RcryptKey)
Heikki Vatiainen
hvn at open.com.au
Mon Sep 18 15:00:42 UTC 2023
On 12.9.2023 15.21, Schnurrenberger Tobias (ID) via radiator wrote:
> Is it somehow possible to store the shared secret in the SQL database in Rcrypt encrypted format and tell radiator to decrypt it whit the given key? I could not find such configuration options in the docs.
> Could it be done e.g. with a hook?
Hello Tobias,
currently this is not possible. There's no hook or other transformation
possibility for the shared secret.
One option you could consider is encrypting the CB column that holds the
shared secret. I think it's even possible to create a view, or function,
that decrypts the value when Radiator selects it from the DB. This could
be used to hide the encryption/decryption key completely from Radiator
configuration because the transformation is done on the DB side.
> We are using radiator version 4.27-1 with this config snippet:
> AuthSelect SELECT base32_decode_to_hex(secret), active, pin, digits, bad_logins, accessed, last_timestep, algorithm, timestep, timestep_origin from RADIUS_TOTP_KEYS WHERE username=?
If base32_decode_to_hex() is already a local function you have created,
then adding something similar for decrypting the value during the select
might be worth experimenting with.
Thanks,
Heikki
--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
More information about the radiator
mailing list