On 12.9.2023 15.21, Schnurrenberger Tobias (ID) via radiator wrote:

Is it somehow possible to store the shared secret in the SQL database in Rcrypt 
encrypted format and tell radiator to decrypt it with the given key? I could 
not find such configuration options in the docs.
Could it be done e.g. with a hook?

Hello Tobias,

currently this is not possible. There's no hook or other transformation possibility for the shared secret.

One option you could consider is encrypting the CB column that holds the shared secret. I think it's even possible to create a view, or function, that decrypts the value when Radiator selects it from the DB. This could be used to hide the encryption/decryption key completely from Radiator configuration because the transformation is done on the DB side.


We are using radiator version 4.27-1 with this config snippet:

AuthSelect SELECT base32_decode_to_hex(secret), active, pin, digits, 
bad_logins, accessed, last_timestep, algorithm, timestep, timestep_origin from 
RADIUS_TOTP_KEYS WHERE username=?

If base32_decode_to_hex() is already a local function you have created, then adding something similar for decrypting the value during the select might be worth experimenting with.

Thanks,
Heikki

--
Heikki Vatiainen
OSC, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software
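
The DB-side approach suggested above, as an added example that is not part of the original thread and not Radiator's or OSC's own code. It assumes PostgreSQL with the pgcrypto extension (OpenPGP symmetric encryption, not Rcrypt) and an existing plaintext `secret` column; `totp_keyring`, `decrypt_totp_secret`, `secret_enc`, `RADIUS_TOTP_KEYS_PLAIN` and the `radiator` role are hypothetical names.

```sql
-- Assumption: PostgreSQL, pgcrypto installed in schema "public",
-- run by the role that owns RADIUS_TOTP_KEYS. Names not in the thread are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- The passphrase lives in a table only the owning role can read,
-- so it never appears in the Radiator configuration.
CREATE TABLE totp_keyring (
    id         integer PRIMARY KEY CHECK (id = 1),
    passphrase text NOT NULL
);
REVOKE ALL ON totp_keyring FROM PUBLIC;
INSERT INTO totp_keyring VALUES (1, 'REPLACE-WITH-GENERATED-PASSPHRASE');  -- placeholder

-- Encrypt the existing secrets into a new column; drop the plaintext
-- column only after the view below has been verified.
ALTER TABLE RADIUS_TOTP_KEYS ADD COLUMN secret_enc bytea;
UPDATE RADIUS_TOTP_KEYS
   SET secret_enc = pgp_sym_encrypt(
           secret, (SELECT passphrase FROM totp_keyring WHERE id = 1));

-- SECURITY DEFINER: runs with the owner's rights, so the caller can
-- decrypt without being able to read totp_keyring itself.
CREATE FUNCTION decrypt_totp_secret(ciphertext bytea) RETURNS text
LANGUAGE sql STABLE SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
    SELECT pgp_sym_decrypt(ciphertext, k.passphrase)
      FROM totp_keyring k WHERE k.id = 1
$$;
REVOKE ALL ON FUNCTION decrypt_totp_secret(bytea) FROM PUBLIC;

-- The view exposes the decrypted value under the original column name.
CREATE VIEW RADIUS_TOTP_KEYS_PLAIN AS
SELECT username, decrypt_totp_secret(secret_enc) AS secret, active, pin,
       digits, bad_logins, accessed, last_timestep, algorithm, timestep,
       timestep_origin
  FROM RADIUS_TOTP_KEYS;

-- Radiator's DB role reads through the view only. A view's functions run
-- with the caller's rights, so EXECUTE must be granted explicitly.
REVOKE ALL ON RADIUS_TOTP_KEYS FROM radiator;
GRANT SELECT ON RADIUS_TOTP_KEYS_PLAIN TO radiator;
GRANT EXECUTE ON FUNCTION decrypt_totp_secret(bytea) TO radiator;

-- AuthSelect then only changes its FROM clause:
-- AuthSelect SELECT base32_decode_to_hex(secret), active, pin, digits, bad_logins, accessed, last_timestep, algorithm, timestep, timestep_origin from RADIUS_TOTP_KEYS_PLAIN WHERE username=?
```

Any UPDATE statements Radiator runs against the base table would need separate column-level grants. The passphrase is still readable by the table owner and superusers, so this protects the Radiator configuration and table dumps taken without the keyring, not a compromised database server.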