From b311fa355052e46dd3a7050f5d535870dfa7d9a8 Mon Sep 17 00:00:00 2001 From: Stefan Melmuk <509385+stefan0xC@users.noreply.github.com> Date: Thu, 7 Mar 2024 23:27:51 +0100 Subject: [PATCH] explain additional consequences of deleting the rsa key files --- Backing-up-your-vault.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Backing-up-your-vault.md b/Backing-up-your-vault.md index c529f8e..1fa6f9b 100644 --- a/Backing-up-your-vault.md +++ b/Backing-up-your-vault.md @@ -80,7 +80,7 @@ Keep in mind that this file does contain some data in plaintext that could be co _**Backup recommended.**_ -These files are used to sign the JWTs (authentication tokens) of users currently logged in. Deleting them would simply log out each user, forcing them to log in again. +These files are used to sign the JWTs (authentication tokens) of users currently logged in. Deleting them would simply log out each user, forcing them to log in again and it would also invalidate any open invitation tokens that have been sent via mail. The `rsa_key.pem` (private key) file could be considered somewhat sensitive. In principle, it could be used to forge vault login sessions to your server, though in practice, doing so would require additional knowledge of various UUIDs (e.g., taken from a copy of your database). Also, any data obtained with a forged session would still be encrypted with personal and/or organization keys, so brute-forcing the relevant master password in order to obtain those keys would still be required. Admin panel login sessions, however, could be forged easily (this would only work if the admin panel is enabled). This wouldn't provide access to vault data, but it would allow some administrative actions like deleting users or removing 2FA.
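Review bot: the clause appended to the `+` line makes the sentence a run-on (no comma before "and it would also") and leaves "simply" understating what is now a two-part consequence of deleting the key files; suggest splitting it, e.g. "Deleting them would log out each user, forcing them to log in again. It would also invalidate any open invitation tokens that have been sent via mail." If the intended guidance is that pending invitations then have to be re-sent, say so explicitly in that second sentence, since the reader backing up a vault needs the recovery step, not only the symptom.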