History: User Encryption
Source of version: 37 (current)
See also ((Shared Secrets))

^ As of 2014-07-29, this is a tool for developers only. You need to write code for the external system to access the information. See the developer documentation at ((dev:User Encryption)). The system is designed so that encryption can later be implemented for data in Tiki (files, tracker items, etc.) ^

! User Encryption
User Encryption aims to provide secure, personal storage of sensitive data, e.g. external usernames and passwords.

!! About User Encryption
When linking multiple systems together, it is often necessary to have a username and password for the target system available in order to log in. The other system can be an external database, a web service, etc. User Encryption enables secure storage of such external log-in credentials. ===The decryption key is __not__ stored by Tiki===, and it is only available while the user is logged in.

Notes:
* This is a new and experimental feature in ((Tiki13|Tiki 13)) and has been [http://sourceforge.net/p/tikiwiki/code/51166|backported] to ((Tiki12|Tiki 12.2)), so it is available (as experimental) in the LTS version
* Use the Domain Password module to let the user specify a username and password
* CryptLib must be integrated by code that accesses the domain; CryptLib provides the decrypted domain credentials

See also ((dev:User Encryption)).

!! Password Domains
Each linked system makes up a "password domain". Multiple users can log in to a domain. A password domain has a name, and the name must be unique. The interface to a linked system uses the password domain name to look up a user's credentials for that system. The "Domain Password" module prompts the user for a password; the password is encrypted and saved, associated with the domain specified in the module.

!!! Configuring Password domains
Configure in the Admin / Security panel.
{REMARKSBOX(type="warning" title="Make sure OpenSSL (Tiki18+) / Mcrypt (Tiki pre-18) is available")}Before you enable "User Encryption", make sure that the OpenSSL (Tiki18+) / Mcrypt (Tiki pre-18) PHP extension is available. It is required to encrypt the passwords securely. (Mcrypt was deprecated in PHP 7.1 and removed from PHP core in 7.2, which is why Tiki 18 and later rely on OpenSSL instead.){REMARKSBOX}

{img type="src" src="display945" link="display945" width="500" styleimage="border" align="center" desc="Click to expand"}

The names of the password domains must be unique.

!!! Specifying domain credentials
The "Domain Password" module allows users to specify a password (and possibly a username) for a domain. Only defined password domains can be specified in the module.

{img src="display946" link="display946" styleimage="border"}

By default the currently logged-in Tiki username is used. With "Use current user" = "n", the user must also specify a username.

The view mode is displayed initially. The user can choose to edit the credentials if the module configuration allows it.

{img type="src" src="display947" link="display947" styleimage="border" }

If the password domain is misconfigured, an error message is displayed.

{img src="display949" link="display949" styleimage="border"}

If the user clicks Edit, the credentials can be edited. If the current Tiki user is being used, only the password can be edited.

{img type="src" src="display948" link="display948" styleimage="border" }

!! Code integration
See [http://dev.tiki.org/User+Encryption|User Encryption @ dev.tiki.org]