diff options
author | BlackDex <[email protected]> | 2023-02-28 23:09:51 +0100 |
---|---|---|
committer | BlackDex <[email protected]> | 2023-03-04 16:15:30 +0100 |
commit | de157b26543172fe48aa44af578e229b1db65475 (patch) | |
tree | 0344a62b1cee699842c02195840aaebed966f51f /.env.template | |
parent | 337cbfaf22ee28316ea09e859be0527416fe7da5 (diff) | |
download | vaultwarden-de157b26543172fe48aa44af578e229b1db65475.tar.gz vaultwarden-de157b26543172fe48aa44af578e229b1db65475.zip |
Admin token Argon2 hashing support
Added support for Argon2 hashing support for the `ADMIN_TOKEN` instead
of only supporting a plain text string.
The hash must be a PHC string which can be generated via the `argon2`
CLI **or** via the also built-in hash command in Vaultwarden.
You can simply run `vaultwarden hash` to generate a hash based upon a
password the user provides them self.
Added a warning during startup and within the admin settings panel is
the `ADMIN_TOKEN` is not an Argon2 hash.
Within the admin environment a user can ignore that warning and it will
not be shown for at least 30 days. After that the warning will appear
again unless the `ADMIN_TOKEN` has be converted to an Argon2 hash.
I have also tested this on my RaspberryPi 2b and there the `Bitwarden`
preset takes almost 4.5 seconds to generate/verify the Argon2 hash.
Using the `OWASP` preset it is below 1 second, which I think should be
fine for low-graded hardware. If it is needed people could use lower
memory settings, but in those cases I even doubt Vaultwarden it self
would run. They can always use the `argon2` CLI and generate a faster hash.
Diffstat (limited to '.env.template')
-rw-r--r-- | .env.template | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/.env.template b/.env.template index 3c7e7d1e..9d6f75a1 100644 --- a/.env.template +++ b/.env.template @@ -259,9 +259,13 @@ ## A comma-separated list means only those users can create orgs: -## Token for the admin interface, preferably use a long random string -## One option is to use 'openssl rand -base64 48' +## Token for the admin interface, preferably an Argon2 PCH string +## Vaultwarden has a built-in generator by calling `vaultwarden hash` +## For details see: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token ## If not set, the admin panel is disabled +## New Argon2 PHC string +# ADMIN_TOKEN='$argon2id$v=19$m=65540,t=3,p=4$MmeKRnGK5RW5mJS7h3TOL89GrpLPXJPAtTK8FTqj9HM$DqsstvoSAETl9YhnsXbf43WeaUwJC6JhViIvuPoig78' +## Old plain text string (Will generate warnings in favor of Argon2) # ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp ## Enable this to bypass the admin panel security. This option is only |