Master Key can be retrieved by using a Temporary Master Key #1706

jmguzmanc · 2021-05-21T20:57:19Z

jmguzmanc
May 21, 2021

Hi

From the docs I read:

For the temporary master key generation the real master password is encrypted using a secure key generated by openssl_random_pseudo_bytes. Then a Blowfish generated hash of it is stored in the database “”Config” table.” in order to check it when the temporary master key is provided on login.

So, a user with access to tha database, could be able to decrypt the master key from the temporary maste key?

nuxsmin · 2021-05-30T11:13:56Z

nuxsmin
May 30, 2021
Maintainer

Hi,

So, a user with access to tha database, could be able to decrypt the master key from the temporary maste key?

Partially yes, because the master key is encrypted using a secure key that is protected by the "password" sent to the user as "temporary master password", so the user would need to unlock the secure key and then decrypt the master key.

Regards

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Master Key can be retrieved by using a Temporary Master Key #1706

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Master Key can be retrieved by using a Temporary Master Key #1706

jmguzmanc May 21, 2021

Replies: 1 comment

nuxsmin May 30, 2021 Maintainer

jmguzmanc
May 21, 2021

nuxsmin
May 30, 2021
Maintainer