Starting with Resilio Connect v3.6.0, it is possible to configure advanced security for Management Console (MC) and Agent installations.
The following options are available:
1. Increased security of TLS connection between agents using ATA-token (Agent-to-Agent token)
2. MC can encrypt sensitive data in its database
3. Agents encrypt sensitive data in their settings file
4. Limitations and peculiarities
Increased security of TLS connection between agents using ATA-token (Agent-to-Agent tokens)
The Management Console sends a token to the Agents, which the Agents use to additionally secure the connections between each other: tokens add a time-dependent layer of security to all agent-to-agent communications. Each job has a unique token. These tokens are rotated automatically by the MC and have an expiration time and an overlap period. The token rotation interval cannot be lower than 5 minutes and the token overlap cannot be higher than 24 hours; the configuration is available in the MC general settings.
There are three ATA token modes available in Job Profiles:
- compatibility. Provides a smooth upgrade from pre-3.6 Connect versions. The Management Console selects "Compatibility mode" by default after upgrading to 3.6+. This mode enables ATA tokens automatically only once all Agents in a job have been updated to v3.6+.
- enforced. The Management Console uses this mode by default on all fresh 3.6+ installations. ATA tokens are enforced for all Agents on the MC. Agents of older versions do not support this mode, so connections with them will not be possible: they will remain connected to the MC, but not to other Agents in the job.
- disabled. Completely disables ATA tokens if the extra security is not required or not applicable to your use case.
ATA token expiration and overlap intervals are configured in the MC Advanced settings. The token lifetime must always be more than double the token overlap; otherwise behaviour is undefined and leads to Agent instability.
For ATA tokens to work, Agent profiles must have the following Tunnel ciphers: "DHE-PSK-AES128-GCM-SHA256;DHE-PSK-AES256-GCM-SHA384". If only an SRP cipher is configured, Agents will not connect to each other, even if all Agents are updated to v3.6.x and/or the token policy is in 'compatibility' mode.
Connections between Agents will also fail if the token expires and the Agent does not receive a new one from the MC for any reason. It is recommended to increase the token lifetime if your setup implies that Agents may lose connectivity to the Management Console for a long time. At the same time, it is strongly discouraged to set the token TTL lower than 5 minutes, to avoid connection timeout errors.
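As an added example that is not part of the Resilio product or of this article, the following POSIX shell function checks a proposed ATA token configuration and Agent tunnel cipher list against the rules stated above (5 minute minimum lifetime, 24 hour maximum overlap, lifetime more than twice the overlap, at least one DHE-PSK tunnel cipher) before the values are entered in the MC. The cipher strings in the sample calls are constructed; the SRP cipher name is an OpenSSL-style placeholder, and whether the MC itself rejects out-of-range values is not stated here, so treat this as an independent pre-flight check.

```shell
#!/bin/sh
# Added example (not a Resilio tool): pre-flight check of an ATA token /
# tunnel-cipher configuration against the rules stated in the article.

ATA_LIFETIME_MIN=5        # minutes; below this, expect connection timeouts
ATA_OVERLAP_MAX=1440      # minutes (24 hours)

# ata_check LIFETIME_MIN OVERLAP_MIN CIPHER_LIST
#   LIFETIME_MIN  token lifetime / rotation interval (TTL) in whole minutes
#   OVERLAP_MIN   token overlap in whole minutes
#   CIPHER_LIST   tunnel cipher string as configured in the Agent profile,
#                 ';'-separated
# Prints one line per violated rule; returns 0 if all rules pass, 1 if any
# rule fails, 2 on non-numeric input.
ata_check() {
    ata_lifetime=$1; ata_overlap=$2; ata_ciphers=$3; ata_rc=0

    for ata_n in "$ata_lifetime" "$ata_overlap"; do
        case "$ata_n" in
            ''|*[!0-9]*) echo "lifetime and overlap must be whole minutes"; return 2 ;;
        esac
    done
    if [ "$ata_lifetime" -lt "$ATA_LIFETIME_MIN" ]; then
        echo "lifetime ${ata_lifetime}m is below the ${ATA_LIFETIME_MIN}m minimum"
        ata_rc=1
    fi
    if [ "$ata_overlap" -gt "$ATA_OVERLAP_MAX" ]; then
        echo "overlap ${ata_overlap}m exceeds the ${ATA_OVERLAP_MAX}m (24h) maximum"
        ata_rc=1
    fi
    if [ "$ata_lifetime" -le $((ata_overlap * 2)) ]; then
        echo "lifetime ${ata_lifetime}m must exceed 2 x overlap (${ata_overlap}m): behaviour is undefined"
        ata_rc=1
    fi

    # Tunnel ciphers: split the ';'-separated list and look for one of the
    # two DHE-PSK suites the article requires; note an SRP-only list.
    ata_psk=0; ata_srp=0
    ata_ifs=$IFS; IFS=';'
    for ata_c in $ata_ciphers; do
        case "$(printf '%s' "$ata_c" | tr -d ' ')" in
            DHE-PSK-AES128-GCM-SHA256|DHE-PSK-AES256-GCM-SHA384) ata_psk=1 ;;
            SRP-*|*-SRP-*) ata_srp=1 ;;
        esac
    done
    IFS=$ata_ifs
    if [ "$ata_psk" -eq 0 ]; then
        if [ "$ata_srp" -eq 1 ]; then
            echo "cipher list is SRP-only: Agents will not connect to each other, even in compatibility mode"
        else
            echo "cipher list lacks the DHE-PSK suites ATA tokens require"
        fi
        ata_rc=1
    fi
    return "$ata_rc"
}

# Sample calls (constructed values): the first passes; the second fails on
# both the lifetime/overlap rule and the SRP-only cipher list.
# ata_check 60 10 'DHE-PSK-AES128-GCM-SHA256;DHE-PSK-AES256-GCM-SHA384'
# ata_check 10 5  'SRP-AES-256-CBC-SHA'
```

The function checks each rule independently and reports all violations at once, so a profile that is wrong in two places (too short a lifetime and an SRP-only cipher list) is fixed in one pass rather than one MC round-trip per error.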
The Resilio Management Console can encrypt sensitive data in its database
By default, encryption of sensitive data is disabled. To enable it, stop the Management Console and add the following system environment variable with a password as its value:
- Windows: go to System settings -> Environment Variables -> System Variables and create a new variable named RESILIO_MPASSWD with a password string as its value.
- Linux: set the environment variable directly in the srvctrl startup script or in your .service file.
This password is used to derive the AES-256 key with which the data is encrypted and decrypted, and it cannot be changed later: if it changes, the MC will no longer be able to decrypt the data. Resilio imposes no length or complexity requirements on this string, but since the key is derived from it, use a long random value (for example 32 bytes from a CSPRNG) rather than a human-chosen password.
Backup your password
Warning: if the password is lost for any reason (for example, due to migration or accidental deletion), your Management Console will not be able to start and there will be no way to recover the data. The Management Console records the failed decryption in the common.log file. Make sure to back up your password using whatever system your company already provides for safekeeping of encryption passwords, for example 1Password or another password manager.
The Management Console encrypts the following information with a key stored in the database:
- Bootstrap tokens
- API tokens
- SMTP, LDAP, Azure AD, ID Anywhere configuration
- Emails in notification center
- Object storage connectors data
- Webhooks data
- Management Console users
- Secrets for jobs / transfers
- Password hash and salt in acl_passwords table
Agents encrypt sensitive data in their settings file
The Resilio Agents will encrypt sensitive data by default either right after the upgrade or during a clean installation.
The Agent encrypts the data with an AES-256-CBC key and uses locally available means to store that key. If the RESILIO_KEY environment variable is set alongside hardware or TPM (Trusted Platform Module) based storage, the environment variable takes precedence over the others:
- Data Protection API (DPAPI) on Windows machines
- Keychain on Mac computers
- TPM tools on Linux and Linux-based machines
- Hardware ID in all remaining cases where none of the above is available (such as NAS devices)
- The system environment variable RESILIO_KEY set to a password string (must be used on VMs, Docker containers or servers where none of the above is expected to exist, or where the hardware ID is randomized)
If the Agent cannot decrypt its sensitive data for any reason (for example, after machine migration or cloning), it shows a decryption error in the Agent UI and requests approval on the Management Console. The Agent retains all configured jobs and their state, but will not participate in those jobs until an administrator approves it.
Agent encrypts the following information:
- Job keys
- Cloud access keys
- Management Console authorization token (individual for each agent)
Limitations and peculiarities
1. With encryption enabled, migrating the Management Console and/or Agents to a different server is not supported unless the environment variable is used and the key is migrated to the new server as well. Otherwise, the encrypted data cannot be decrypted on the new hardware.
2. With encryption enabled, performance may decrease.
3. Docker containers only support the environment variable as the encryption means.
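The environment-variable path is the one case that serves all three sections above: RESILIO_MPASSWD for the Management Console database, RESILIO_KEY for Agents on VMs, containers and other hosts without DPAPI, Keychain or a TPM, and the only supported migration route from limitations 1 and 3. As an added example, not a Resilio tool and not code from this article, the following POSIX shell function generates the secret, stores it in a root-only env file, wires that file into a systemd drop-in and keeps the offline copy the "Backup your password" warning calls for. Assumptions: the service runs as a systemd unit (the unit name resilio-connect-server and the paths /etc/resilio and /mnt/vault/resilio are placeholders), and systemd's EnvironmentFile= directive is an acceptable way to "set the variable in your .service file". Stop the service before running it, and run it once only: the secret cannot be changed after data has been encrypted with it.

```shell
#!/bin/sh
# Added example (not a Resilio tool): provision RESILIO_MPASSWD (Management
# Console) or RESILIO_KEY (Agent) as a 0600 env file, reference it from a
# systemd drop-in, and keep a backup copy. Unit names and paths passed in
# are placeholders chosen by the caller.

# provision_resilio_secret VAR UNIT SYSTEMD_DIR SECRET_DIR BACKUP_DIR
#   VAR          RESILIO_MPASSWD (Management Console) or RESILIO_KEY (Agent)
#   UNIT         systemd unit name, e.g. resilio-connect-server (placeholder)
#   SYSTEMD_DIR  normally /etc/systemd/system (a parameter so it can be dry-run)
#   SECRET_DIR   directory for the env file, e.g. /etc/resilio
#   BACKUP_DIR   mount point of your password store / offline backup
# Prints the env file path on success. Returns 1, touching nothing, if an env
# file already exists; returns 2 for an unknown variable name.
provision_resilio_secret() {
    prs_var=$1; prs_unit=$2; prs_sysd=$3; prs_secret_dir=$4; prs_backup_dir=$5
    prs_envfile="$prs_secret_dir/$prs_unit.env"
    prs_dropin_dir="$prs_sysd/$prs_unit.service.d"

    case "$prs_var" in
        RESILIO_MPASSWD|RESILIO_KEY) ;;
        *) echo "unknown variable $prs_var" >&2; return 2 ;;
    esac
    if [ -e "$prs_envfile" ]; then
        echo "refusing to overwrite $prs_envfile: a lost or changed secret makes the encrypted data unrecoverable" >&2
        return 1
    fi
    mkdir -p "$prs_secret_dir" "$prs_backup_dir" "$prs_dropin_dir" || return 1

    # 256 bits from the kernel CSPRNG, hex-encoded (64 characters). Resilio
    # sets no length or complexity rule, but the AES-256 key is derived from
    # this string, so it should be as hard to guess as the key itself.
    prs_secret=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')

    # Create both copies mode 0600 from the start; the subshell keeps the
    # restrictive umask from leaking into the caller.
    ( umask 077; printf '%s=%s\n' "$prs_var" "$prs_secret" > "$prs_envfile" ) || return 1
    ( umask 077; cp "$prs_envfile" "$prs_backup_dir/$prs_unit.env" ) || return 1

    # systemd drop-in: EnvironmentFile= keeps the secret out of the unit file
    # itself, which is world-readable (0644) by default.
    printf '[Service]\nEnvironmentFile=%s\n' "$prs_envfile" \
        > "$prs_dropin_dir/10-$prs_var.conf" || return 1
    echo "$prs_envfile"
}

# Usage on a real host (as root, with the service stopped), followed by
#   systemctl daemon-reload && systemctl start resilio-connect-server
# provision_resilio_secret RESILIO_MPASSWD resilio-connect-server \
#     /etc/systemd/system /etc/resilio /mnt/vault/resilio
```

For a containerised Agent or MC the same KEY=value file can be handed to the container with docker run --env-file, which matches limitation 3. For a migration (limitation 1), copy the env file to the new host with the same 0600 permissions and reinstall the drop-in; generating a fresh secret on the new host would leave the copied database or settings file undecryptable, which is exactly the failure the warning above describes.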