2.10. Security Modules

Note

For a normal installation this section can be safely ignored.

privacyIDEA provides a security module that takes care of

• encrypting the token seeds,
• encrypting passwords from the configuration like the LDAP password,
• creating random numbers,
• and hashing values.

Note

The Security Module concept can also be used to add a Hardware Security Module to perform the above mentioned tasks.

The default security module is implemented with the operating systems capabilities. The encryption key is located in a file enckey specified via PI_ENCFILE in the configuration file (The Config File).

This enckey contains three 32byte keys and is thus 96 bytes. This file has to be protected. So the access rights to this file are set accordingly.

In addition you can encrypt this encryption key with an additional password. In this case, you need to enter the password each time the privacyIDEA server is restarted and the password for decrypting the enckey is kept in memory.

The pi-manage Script contains the instruction how to encrypt the enckey

After starting the server, you can check, if the encryption key is accessible. To do so run:

privacyidea -U <yourserver> --admin=<youradmin> securitymodule

The output will contain "is_ready": True to signal that the encryption key is operational.

If it is not yet operational, you need to pass the password to the privacyIDEA server to decrypt the encryption key. To do so run:

privacyidea -U <yourserver> --admin=<youradmin> securitymodule  \
--module=default

Note

If the security module is not operational yet, you might get an error message “HSM not ready.”.