From 289515e6b8e459c66e2fac1d4e7efe3c728dbe12 Mon Sep 17 00:00:00 2001 From: Mathijs van Veluw Date: Fri, 3 Mar 2023 13:20:29 +0100 Subject: [PATCH] Updated Enabling admin page (markdown) --- Enabling-admin-page.md | 60 +++++++++++++++++++++++++++++++++++++++++- 1 file changed, 59 insertions(+), 1 deletion(-) diff --git a/Enabling-admin-page.md b/Enabling-admin-page.md index dd3b788..9abf18c 100644 --- a/Enabling-admin-page.md +++ b/Enabling-admin-page.md @@ -23,4 +23,62 @@ Note that config changes in the admin page do not take effect until you click th **Note:** After changing the `ADMIN_TOKEN`, the currently logged in admins will still be able to use their old login token for [up to 20 minutes](https://github.com/dani-garcia/vaultwarden/blob/main/src/api/admin.rs#L183). -**Note:** Removing the environment variable `ADMIN_TOKEN` won't disable the admin page if the value is persisted in the `config.json` file mentioned above. **To disable admin page**, make sure no `ADMIN_TOKEN` environment variable is set, and no `"admin_token"` key exists in `config.json`, if that file exists. \ No newline at end of file +**Note:** Removing the environment variable `ADMIN_TOKEN` won't disable the admin page if the value is persisted in the `config.json` file mentioned above. **To disable admin page**, make sure no `ADMIN_TOKEN` environment variable is set, and no `"admin_token"` key exists in `config.json`, if that file exists. + +
+ +## Secure the `ADMIN_TOKEN` + +> :warning: This feature not yet released, but will be soon! + +Previously the `ADMIN_TOKEN` could only be in a plain text format.
+You can now hash the `ADMIN_TOKEN` using Argon2 by generating a PHC string.
+This can be generated by using a built-in `hash` command within Vaultwarden, or use the `argon2` CLI tool.
+Within the vaultwarden application we have two presets, one using the [Bitwarden defaults](https://github.com/bitwarden/clients/blob/04d1fbb716bc7676c60a009906e183bb3cbb6047/libs/common/src/enums/kdfType.ts#L8-L10), and one using the [OWASP recommendations](https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id). + +Some examples on how to generate an Argon2id PHC hash. + +Examples: + +There is a PHC generator built-in into Vaultwarden which you can run via the CLI `vaultwarden hash`.
+This can be done via `docker exec` on the already running instance, or by running this locally via docker on your own system.
+I use `vwcontainer` as the container name below, replace this with the correct container name of your instance.
+The Vaultwarden CLI will ask for the password twice, and if both are the same it will output the generated PHC string. + +Examples: + +```bash +# Using the Bitwarden defaults (default preset) +# Via docker on a running container +docker exec -it vwcontainer /vaultwarden hash + +# Via docker and creating a temporary container +docker run --rm -it vaultwarden/server /vaultwarden hash + +# Using the vaultwarden binary directly +./vaultwarden hash + +# Using the OWASP minimum recommended settings +# Via docker on a running container +docker exec -it vwcontainer /vaultwarden hash --preset owasp + +# Via docker and creating a temporary container +docker run --rm -it vaultwarden/server /vaultwarden hash --preset owasp + +# Using the vaultwarden binary directly +./vaultwarden hash --preset owasp +``` + +
+ +You can also use the `argon2` CLI available on most Linux Distro's. + +```bash +# Using the Bitwarden defaults +echo -n "MySecretPassword" | argon2 "$(openssl rand -base64 32)" -e -id -k 65540 -t 3 -p 4 ; echo +# Output: $argon2id$v=19$m=65540,t=3,p=4$bXBGMENBZUVzT3VUSFErTzQzK25Jck1BN2Z0amFuWjdSdVlIQVZqYzAzYz0$T9m73OdD2mz9+aJKLuOAdbvoARdaKxtOZ+jZcSL9/N0 + +# Using the OWASP minimum recommended settings +echo -n "MySecretPassword" | argon2 "$(openssl rand -base64 32)" -e -id -k 19456 -t 2 -p 1 ; echo +# Output: $argon2id$v=19$m=19456,t=2,p=1$cXpKdUxHSWhlaUs1QVVsSStkbTRPQVFPSmdpamFCMHdvYjVkWTVKaDdpYz0$E1UgBKjUCD2Roy0jdHAJvXihugpG+N9WcAaR8P6Qn/8 +```