Sensitive data encryption

Starting with Resilio Active Everywhere v3.6.0, it's possible to configure advanced security for Management Console (MC) and Agent installations.

Resilio Management Console

The Management Console can encrypt sensitive data in its database.

Danger

Encryption is irreversible. There's no option to disable encryption once it has been enabled.

By default, encryption of sensitive data in the Management Console is disabled and protection relies on the security measures built into the operating system. A passphrase for data encryption can be set manually with an environment variable.

To enable encryption:

  1. Stop the Management Console.
  2. Add a system environment variable RESILIO_MPASSWD whose value is the password to be used for encryption.

    Warning

    This password must not be changed later; otherwise the MC won't be able to decrypt the data. Resilio imposes no requirements on the length or complexity of the password string.

    • Windows: go to System Settings -> Environment Variables -> System Variables and create a new variable.
    • Linux: set the environment variable directly in the srvctrl startup script or in your .service file.

Tip

To customize the variable's name, add the following section to the Console configuration file. Do this while the MC is down, and be sure to keep the file valid JSON.

"security": {"mpasswd_env": "preferred_variable_name"}

The data is encrypted and decrypted with an AES-256 key derived from the password variable.

Backup your password

If the password is lost for any reason (for example, during a migration or through accidental deletion), the Management Console will not be able to start and there is no way to recover it. The Management Console records the failed decryption in the common.log file. Back up the password using whatever system your company already provides for the safekeeping of encryption passwords, for example 1Password or a similar password management solution.

The Management Console encrypts the following information:

  • Bootstrap tokens
  • API tokens
  • SMTP, LDAP, Azure AD, ID Anywhere configuration
  • Emails in notification center
  • Object storage connectors data
  • Webhooks data
  • Management Console users
  • Secrets for jobs/transfers
  • Password hashes and salts for Management Console users

Resilio Agents

Agents encrypt sensitive data in their settings file.

Danger

Encryption is irreversible. There's no option to disable encryption once it has been enabled.

The Resilio Agents encrypt sensitive data by default, either right after an upgrade or during a clean installation.

The Agent encrypts the data with an AES-256-CBC key and relies on the existing security means provided by the OS or hardware. When no such means (TPM, keychain) is available, for example on a cloud instance or inside a Docker container, encryption must be configured manually using an environment variable. The fallback sequence of encryption mechanisms is as follows:

  • Data Protection API for Windows machines.
  • Mac Keychain for Mac computers.
  • TPM tools for Linux and Linux-based machines.
  • Hardware ID when the above is not available (for example, NAS devices).
  • System environment variable RESILIO_KEY set to some password string (must be used on VMs, Docker containers or servers where none of the above is expected to exist or where it is randomized).

To enable encryption using a system environment variable:

  1. Set the environment variable RESILIO_KEY to some password string. This password will be used for encryption. It must not be changed later; otherwise the Agent won't be able to decrypt the data. Resilio imposes no requirements on the length or complexity of this string. In a cluster setup (per this guide), be sure to use the same key on all cluster nodes; otherwise the Agent won't be authorized on the MC after a cluster failover.
  2. Restart the Agent service/daemon once done. The Agent may show an error about being unable to decrypt its data; this is expected and is reset on the next Agent restart.
  3. Approve the Agent if it asks for approval, or just restart the Agent to clear the error. The current encryption mechanism can be seen in the Agent UI in its settings.

Decrypting the storage

The Resilio Agent relies on system means to secure the decryption keys:

  • Windows: the AES-256 key is encrypted with CryptProtectData, with settings that support roaming profiles.
  • Mac: the AES-256 decryption key is stored encrypted with a random key kept in the local keychain.
  • Linux: keys are sealed in TPM 2.0 via tpm2-tools. If it is not available (e.g. on a NAS device), the Agent reads the machine ID (from /etc/machine-id, /var/lib/dbus/machine-id or NAS-specific sources) and hashes it with SHA-256; the resulting 256-bit digest serves as the key for AES-256 decryption.
  • Manual encryption via environment variable: the decryption key is passed via the variable.

The Agent wipes decryption keys from memory when they are not in use.

If the Agent cannot decrypt sensitive data for any reason (for example, machine migration, cloning, a user account change, etc.), it shows a decryption error in the Agent UI and requests approval on the Management Console. The Agent retains all configured jobs and their state, but cannot participate in those jobs until an admin approves it.
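The following is an added illustration, not Resilio's code, of the key dependency described for both the Management Console (key derived from RESILIO_MPASSWD) and the Agent (RESILIO_KEY, or on Linux without a TPM the SHA-256 digest of the machine ID): the same secret string must be present to decrypt, and a changed passphrase or a new machine ID after cloning leaves the stored data undecryptable. Assumptions: SHA-256 is used as the derivation for the passphrase case as well, the IV is prepended to the ciphertext, PKCS#7 padding is used, and the padding check is the only way a wrong key is noticed (CBC gives no authenticity); none of this is Resilio's actual on-disk format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyFromSecret returns the AES-256 key as the SHA-256 digest of the secret string (this is the
// Linux no-TPM fallback the page describes; using it for a RESILIO_KEY passphrase is an assumption).
func KeyFromSecret(secret string) []byte { d := sha256.Sum256([]byte(secret)); return d[:] }

// Seal encrypts with AES-256-CBC: random IV prepended, PKCS#7 padding (assumed layout).
func Seal(secret string, plaintext []byte) ([]byte, error) {
	block, _ := aes.NewCipher(KeyFromSecret(secret)) // 32-byte key, so NewCipher cannot fail
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// Open reverses Seal. With a different secret (changed passphrase, or another machine ID after
// migration or cloning) the output is garbage and the padding check fails: the "cannot decrypt"
// state the page describes, after which the Agent must be re-approved on the MC.
func Open(secret string, sealed []byte) ([]byte, error) {
	if len(sealed) < 2*aes.BlockSize || len(sealed)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length invalid")
	}
	block, _ := aes.NewCipher(KeyFromSecret(secret))
	plain := make([]byte, len(sealed)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, sealed[:aes.BlockSize]).CryptBlocks(plain, sealed[aes.BlockSize:])
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(plain[len(plain)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("decryption failed: wrong key or corrupted data")
	}
	return plain[:len(plain)-pad], nil
}

func main() {
	// Constructed values: the machine ID of the original host and of a cloned VM.
	sealed, _ := Seal("0123456789abcdef0123456789abcdef", []byte("job secret"))
	_, err := Open("fedcba9876543210fedcba9876543210", sealed)
	fmt.Println("after cloning to a host with another machine ID:", err)
}
```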

The Agent encrypts the following information:

  • Job keys
  • Cloud access keys
  • Management Console authorization token (individual for each agent)

Limitations and peculiarities

  • With encryption enabled, migrating the Management Console and/or Agents to a different server is not supported unless an environment variable is used and the key is also migrated to the new server. Otherwise, the encrypted data cannot be decrypted on the new hardware.
  • With encryption enabled, performance may decrease.
  • Docker containers support only the environment variable as the encryption means. Setting the environment variable is mandatory for Agents running in a Docker container; otherwise the Agents will report inability to decrypt on every container restart.