Dear Heikki

Thanks for your answer and confirming it cannot be done inside Radiator.

I will look into proprietary DB functions, first of all PostgreSQL's pgcrypto 
package with functions like pgp_sym_decrypt(). Actually I prefer the decryption 
key to be stored on the Radiator machine rather than inside the database. If 
the decryption key were stored in the same place as the encrypted secrets, 
it would not be a security advantage.

Best regards,
Tobias


> 
> Date: Mon, 18 Sep 2023 18:00:42 +0300
> From: Heikki Vatiainen <[email protected]>
> To: [email protected]
> Subject: Re: [RADIATOR] AuthBy SQLTOTP with encrypted secrets
> (RcryptKey)
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset=UTF-8; format=flowed
> 
> On 12.9.2023 15.21, Schnurrenberger Tobias (ID) via radiator wrote:
> 
>> Is it somehow possible to store the shared secret in the SQL database in 
>> Rcrypt encrypted format and tell Radiator to decrypt it with the given key? 
>> I could not find such configuration options in the docs.
>> Could it be done e.g. with a hook?
> 
> Hello Tobias,
> 
> currently this is not possible. There's no hook or other transformation 
> possibility for the shared secret.
> 
> One option you could consider is encrypting the CB column that holds the 
> shared secret. I think it's even possible to create a view, or function, 
> that decrypts the value when Radiator selects it from the DB. This could 
> be used to hide the encryption/decryption key completely from Radiator 
> configuration because the transformation is done on the DB side.
> 
> 
>> We are using radiator version 4.27-1 with this config snippet:
> 
>> AuthSelect SELECT base32_decode_to_hex(secret), active, pin, digits, 
>> bad_logins, accessed, last_timestep, algorithm, timestep, timestep_origin 
>> from RADIUS_TOTP_KEYS WHERE username=?
> 
> If base32_decode_to_hex() is already a local function you have created, 
> then adding something similar for decrypting the value during the select 
> might be worth experimenting with.
> 
> Thanks,
> Heikki
> 
> -- 
> Heikki Vatiainen
> OSC, makers of Radiator
> Visit radiatorsoftware.com for Radiator AAA server software
> 
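Editor's note: the approach discussed above (encrypt the TOTP secret column with pgcrypto, decrypt it in a function or view so that Radiator's AuthSelect receives the hex secret, with the passphrase supplied from the Radiator side rather than stored in the database) worked through as an added example. This is not code from the thread, from Radiator or from OSC. It assumes PostgreSQL with the pgcrypto extension; the table and column names follow the AuthSelect quoted above, but the column types, the username 'alice', the 20-byte key and the passphrase 'radiator-demo-key' are constructed for the example, and the secret is stored as raw key bytes so that encode(..., 'hex') replaces the local base32_decode_to_hex() used in the original query.

```sql
-- Added example (not from the thread or from Radiator). Requires pgcrypto.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Same columns as the AuthSelect in the thread; types are assumptions.
-- secret_enc holds pgp_sym_encrypt_bytea() output, never the plaintext key.
CREATE TABLE radius_totp_keys (
    username        text PRIMARY KEY,
    secret_enc      bytea NOT NULL,
    active          boolean NOT NULL DEFAULT true,
    pin             text,
    digits          integer NOT NULL DEFAULT 6,
    bad_logins      integer NOT NULL DEFAULT 0,
    accessed        bigint,
    last_timestep   bigint,
    algorithm       text NOT NULL DEFAULT 'SHA1',
    timestep        integer NOT NULL DEFAULT 30,
    timestep_origin bigint NOT NULL DEFAULT 0
);

-- Enrolment. The raw 20-byte TOTP key (constructed: ASCII "12345678901234567890")
-- is encrypted with a passphrase that only the client supplies; nothing about the
-- passphrase is persisted on the database side.
INSERT INTO radius_totp_keys (username, secret_enc)
VALUES ('alice',
        pgp_sym_encrypt_bytea(decode('3132333435363738393031323334353637383930', 'hex'),
                              'radiator-demo-key'));

-- Variant 1: decryption function, passphrase passed per query.
-- Returns the secret as hex, which is what the original AuthSelect produced with
-- base32_decode_to_hex(secret). A wrong passphrase makes pgp_sym_decrypt_bytea()
-- raise "Wrong key or corrupt data", so the SELECT fails and no garbage secret
-- reaches the TOTP check (fail closed).
CREATE OR REPLACE FUNCTION totp_secret_hex(enc bytea, passphrase text)
RETURNS text LANGUAGE sql STABLE AS $$
    SELECT encode(pgp_sym_decrypt_bytea(enc, passphrase), 'hex')
$$;

-- What Radiator would run; in the config this is the AuthSelect with the
-- passphrase literal written into the statement on the Radiator host and
-- the trailing ? bound to the username:
--   AuthSelect SELECT totp_secret_hex(secret_enc, 'radiator-demo-key'), active, pin,
--     digits, bad_logins, accessed, last_timestep, algorithm, timestep, timestep_origin
--     FROM radius_totp_keys WHERE username=?
SELECT totp_secret_hex(secret_enc, 'radiator-demo-key') AS secret,
       active, pin, digits, bad_logins, accessed, last_timestep,
       algorithm, timestep, timestep_origin
FROM radius_totp_keys
WHERE username = 'alice';
-- secret = 3132333435363738393031323334353637383930

-- Variant 2: a view, as suggested in the reply, with the passphrase taken from a
-- per-session setting instead of appearing in every SELECT. The client has to run
-- SET radiator.totp_key = '...' once after connecting (whether Radiator can issue
-- such a statement on connect is not established in the thread). If the setting
-- is absent, current_setting() raises an error, so again the lookup fails closed.
CREATE OR REPLACE VIEW radius_totp_keys_plain AS
SELECT username,
       encode(pgp_sym_decrypt_bytea(secret_enc, current_setting('radiator.totp_key')),
              'hex') AS secret,
       active, pin, digits, bad_logins, accessed, last_timestep,
       algorithm, timestep, timestep_origin
FROM radius_totp_keys;

SET radiator.totp_key = 'radiator-demo-key';
SELECT secret, active, digits FROM radius_totp_keys_plain WHERE username = 'alice';
-- secret = 3132333435363738393031323334353637383930
```

In both variants the passphrase still travels to the database server on every connection and is visible to it at query time, so this protects the secrets against a copy of the database (backups, dumps, a stolen disk) but not against a compromised or malicious database server; the connection must be TLS-protected, and with log_statement set to 'all' the passphrase literal ends up in the PostgreSQL log, which is a reason to prefer the session-setting variant if the client can issue the SET.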

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
radiator mailing list
[email protected]
https://lists.open.com.au/mailman/listinfo/radiator
