Starting with Resilio Connect v3.6.0, it's possible to configure advanced security for Management Console (MC) and Agent installations.
The following options are available:
1. Increased security of TLS connection between agents using ATA-token (Agent-to-Agent token)
2. MC can encrypt sensitive data in its database
3. Agents encrypt sensitive data in their settings file
4. Limitations and peculiarities
The Resilio Management Console can encrypt sensitive data in its database
By default, encryption of sensitive data in the Management Console database is disabled and the data relies on OS-level protection. It is possible to enable encryption by setting a passphrase manually through an environment variable.
To enable it:
- Stop the Management Console.
- Add the environment variable RESILIO_MPASSWD with a password string as its value. This password will be used for encryption. It must not be changed later, otherwise the MC won't be able to decrypt the data. Resilio imposes no requirements on the length or complexity of this string.
  - Windows: go to System settings -> Environment Variables -> System Variables and create a new variable.
  - Linux: set the environment variable directly in the srvctrl startup script or in the .service file.
To customize the variable name, add the following section to the Console configuration file. Do this while the MC is down, and make sure the file remains valid JSON:
    "security": {
        "mpasswd_env": "preferred_variable_name"
    }
Be sure to store the value of the variable securely somewhere, since if it's lost there is no way to recover Management Console state.
The data is encrypted and decrypted with an AES-256 key derived from the password in the variable.
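The Linux steps above, worked through as a small POSIX shell script. This is an added example and not part of Resilio's documentation or tooling; the environment-file path /etc/resilio/mc-passphrase.env and the systemd drop-in path are assumptions (the page names no unit file), and the script shows one way to keep the passphrase out of the unit file, out of the process command line and out of shell history.

```shell
#!/bin/sh
# Added example, not Resilio code. Persists the Management Console passphrase
# on a systemd-based Linux host:
#   1. generate a random passphrase,
#   2. store it in a root-only environment file,
#   3. expose it to the service through a systemd drop-in,
#   4. check the file before every restart.
# Hypothetical paths: /etc/resilio/mc-passphrase.env and
# /etc/systemd/system/UNIT.service.d/override.conf (UNIT is not named on the page).

set -u

# 32 random bytes printed as 64 hex characters. The page sets no length or
# complexity requirement; a long random string simply removes guessing from
# the threat model. Portable: uses od instead of xxd.
gen_passphrase() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# write_env_file FILE PASSPHRASE [VARNAME]
# Writes VARNAME=PASSPHRASE with mode 0600 so only root (the service user)
# can read it. VARNAME defaults to the page's RESILIO_MPASSWD; pass the custom
# name if you configured "mpasswd_env".
write_env_file() {
    file=$1; pass=$2; var=${3:-RESILIO_MPASSWD}
    ( umask 077; printf '%s=%s\n' "$var" "$pass" > "$file" )
}

# write_dropin DROPIN_FILE ENV_FILE
# EnvironmentFile= loads the variable into the service; the passphrase itself
# never appears in the unit file or in `systemctl show` output.
write_dropin() {
    dropin=$1; envfile=$2
    mkdir -p "$(dirname "$dropin")"
    printf '[Service]\nEnvironmentFile=%s\n' "$envfile" > "$dropin"
}

# check_env_file FILE [VARNAME]
# Returns 0 only if FILE is mode 0600 and defines a non-empty VARNAME.
# Run before each restart: a missing or emptied passphrase means the Console
# will fail to start and log the failed decryption in common.log.
check_env_file() {
    file=$1; var=${2:-RESILIO_MPASSWD}
    [ -n "$(find "$file" -maxdepth 0 -perm 600 2>/dev/null)" ] || return 1
    grep -q "^$var=.\{1,\}$" "$file"
}

# Typical use (as root, UNIT being the Console's service unit):
#   p=$(gen_passphrase)
#   write_env_file /etc/resilio/mc-passphrase.env "$p"
#   write_dropin /etc/systemd/system/UNIT.service.d/override.conf /etc/resilio/mc-passphrase.env
#   check_env_file /etc/resilio/mc-passphrase.env && systemctl daemon-reload && systemctl restart UNIT
# Store $p in your password manager before starting the service (see the warning below).
```

If you use a custom variable name, the "security" section still has to be added to the Console configuration file by hand as shown above; pass the same name as the third argument of write_env_file and the second argument of check_env_file.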
Backup your password
Warning: If the password is lost for any reason (for example during a migration or through accidental deletion), the Management Console will not be able to start and there will be no way to recover it. The Management Console records the failed decryption in the common.log file. Back up the password using whatever system your company already uses for safekeeping of encryption passwords, such as 1Password or another password management system.
The Management Console encrypts the following information with a key stored in the database:
- Bootstrap tokens
- API tokens
- SMTP, LDAP, Azure AD, ID Anywhere configuration
- Emails in notification center
- Object storage connectors data
- Webhooks data
- Management Console users
- Secrets for jobs / transfers
- Password hashes and salts for Management Console users
Agents encrypt sensitive data in their settings file
The Resilio Agents will encrypt sensitive data by default either right after the upgrade or during a clean installation.
The Agent encrypts the data with an AES-256-CBC key and relies on existing security means provided by the OS or hardware. When no such means (TPM, keychain) are available, for example on a cloud instance or inside a Docker container, encryption has to be configured manually with an environment variable. The fallback sequence is the following:
- Data Protection API for Windows machines.
- Mac Keychain for Mac computers
- TPM tools for Linux and Linux based machines
- Hardware ID when none of the above is available (for example, NAS devices)
- System environment variable RESILIO_KEY set to a password string (must be used on VMs, Docker containers or servers where none of the above is expected to exist or where it is randomized)
To enable encryption manually with the system variable, follow these steps:
- Set the environment variable RESILIO_KEY with a password string as its value. This password will be used for encryption. It must not be changed later, otherwise the Agent won't be able to decrypt the data. Resilio imposes no requirements on the length or complexity of this string. In a cluster setup (per this guide) be sure to use the same key on all cluster nodes; otherwise the Agent won't be authorized on the MC after a cluster failover.
- Restart the Agent service / daemon once done. The Agent may show an error about being unable to decrypt its data; this is expected and is reset on the next Agent restart.
- Approve the Agent if it asks for approval, or just restart the Agent to clear the error.
Current encryption mechanism can be seen in the Agent UI in its settings.
Decrypting the storage.
Resilio Agent relies on system means to secure the decryption keys:
- Windows: AES256 key is encrypted with CryptProtectData with settings supporting roaming profile.
- Mac: AES256 decryption key is stored encrypted with a random key stored in local keychain.
- Linux: keys are sealed in TPM 2.0 via tpm2-tools. If that is not available (e.g. on a NAS device), the Agent reads the machine ID (from /etc/machine-id, /var/lib/dbus/machine-id or NAS-specific sources) and hashes it with SHA-256; the resulting 256-bit digest serves as the AES-256 decryption key. Note that this fallback binds the data to the machine rather than to a secret: /etc/machine-id is normally world-readable, and a clone or reinstall that regenerates the machine ID yields a different key, which is why such Agents show a decryption error (see below).
- Manual encryption via environment variable: decryption key is passed via the variable.
The Agent wipes decryption keys from memory when they are not in use.
If the Agent cannot decrypt its sensitive data for any reason (for example machine migration, cloning, or a user account change), it shows a decryption error in the Agent UI and requests approval on the Management Console. The Agent retains all configured jobs and their state, but cannot participate in those jobs until an administrator approves it.
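A model of the Linux fallback described above, added here as an example that is not Resilio's code. It derives the fallback key from a machine-ID file and compares the keys two hosts would derive, which is the check you would run before cloning a VM or NAS image that has no TPM. The exact bytes Resilio feeds to SHA-256 (with or without the trailing newline of /etc/machine-id) are not stated on the page, so this model strips the newline; that detail is an assumption and does not affect the point the example makes: the key is deterministic from a readable file, so a clone that regenerates its machine ID derives a different key and can no longer decrypt the copied settings.

```shell
#!/bin/sh
# Added example, not Resilio code: models "AES-256 key = SHA-256(machine ID)",
# the Linux fallback used when tpm2-tools is unavailable. Assumption: the ID
# is hashed without its trailing newline (the page does not say).

# SHA-256 of stdin as 64 hex chars; tolerates hosts without coreutils.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 | cut -d' ' -f1
    else openssl dgst -sha256 | sed 's/.*= //'
    fi
}

# fallback_key_from_file MACHINE_ID_FILE -> 64 hex chars (a 256-bit AES key)
fallback_key_from_file() {
    tr -d '\n' < "$1" | sha256_hex
}

# same_fallback_key ID_FILE_A ID_FILE_B
# Returns 0 if settings encrypted under the machine ID in A would decrypt
# under the machine ID in B, i.e. both hosts derive the same key.
same_fallback_key() {
    [ "$(fallback_key_from_file "$1")" = "$(fallback_key_from_file "$2")" ]
}

# Before cloning an Agent host without a TPM, save its machine ID; after the
# clone boots, compare:
#   same_fallback_key /path/to/saved-machine-id /etc/machine-id \
#     || echo "machine ID changed: the Agent will need re-approval on the MC"
```

On a typical Linux host `ls -l /etc/machine-id` shows mode 0444, so any local account can run the same derivation; treat the fallback as tamper-binding to the machine, not as protection from other users on it.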
Agent encrypts the following information:
- Job keys
- Cloud access keys
- Management Console authorization token (individual for each agent)
Limitations and peculiarities
1. With encryption enabled, migrating the Management Console and/or Agents to a different server is not supported unless the environment variable is used and its value is migrated to the new server as well. Otherwise the encrypted data cannot be decrypted on the new hardware.
2. With encryption enabled, performance may decrease.
3. Docker containers only support the environment variable as the encryption means. It is mandatory to set the environment variable for Agents running in a Docker container; otherwise the Agents will report inability to decrypt on every container restart.
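A pre-start check for Agents that depend on RESILIO_KEY, covering the cluster step above (all nodes must share the same key) and limitation 3 (a container with no key fails to decrypt on every restart). This is an added example, not Resilio tooling; the fingerprint format, the node-list file and the entrypoint wrapper are assumptions. The fingerprint is a truncated SHA-256 of the key, so it can be logged or pasted between nodes to compare keys without revealing them.

```shell
#!/bin/sh
# Added example, not Resilio code. Pre-start checks for RESILIO_KEY-based
# Agents (containers, VMs without TPM, cluster nodes).

# SHA-256 of stdin as hex; tolerates hosts without coreutils.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 | cut -d' ' -f1
    else openssl dgst -sha256 | sed 's/.*= //'
    fi
}

# require_key [VARNAME]
# Fails when the variable is unset or empty. In a container this is the
# difference between a working Agent and one that reports a decryption error
# on every restart, so use it as an entrypoint guard (see below).
require_key() {
    var=${1:-RESILIO_KEY}
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
        echo "$var is not set: the Agent cannot decrypt its settings" >&2
        return 1
    fi
}

# key_fingerprint [VARNAME] -> first 16 hex chars of SHA-256(key)
# Safe to compare across cluster nodes; it does not disclose the key.
key_fingerprint() {
    var=${1:-RESILIO_KEY}
    eval "val=\${$var:-}"
    printf '%s' "$val" | sha256_hex | cut -c1-16
}

# fingerprints_agree NODELIST
# NODELIST holds one "node-name fingerprint" line per cluster node, collected
# by running key_fingerprint on each. Returns 0 only if every node reports
# the same fingerprint; otherwise prints the list so the odd node is obvious.
fingerprints_agree() {
    n=$(awk 'NF >= 2 {print $2}' "$1" | sort -u | wc -l | tr -d ' ')
    if [ "$n" -eq 1 ]; then
        return 0
    fi
    echo "RESILIO_KEY differs across cluster nodes (Agent will not be authorized after failover):" >&2
    cat "$1" >&2
    return 1
}

# Container entrypoint wrapper (hypothetical): refuse to start the Agent
# without a key instead of letting it come up in a permanently failed state.
#   require_key RESILIO_KEY && exec "$@"
# Cluster check, run from an admin host after collecting fingerprints:
#   for n in node-a node-b; do
#       printf '%s %s\n' "$n" "$(ssh "$n" 'sh -c ". ./agent-checks.sh; key_fingerprint"')"
#   done > nodes.txt && fingerprints_agree nodes.txt
```

Pass RESILIO_KEY into containers from a secrets store or an env file rather than on the docker run command line, where it would be visible in shell history and in the process list of the host.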