Thank you, Galen, for your response—it was exactly what I needed! ________________________________ Von: Galen Charlton <g...@equinoxoli.org> Gesendet: Freitag, 6. Januar 2023 16:23 An: David Liddle <david.lid...@wycliff.de> Cc: koha@lists.katipo.co.nz <koha@lists.katipo.co.nz> Betreff: Re: [Koha] Encryption and Pseudonymization settings
Sie erhalten nicht oft eine E-Mail von g...@equinoxoli.org. Erfahren Sie, warum dies wichtig ist<https://aka.ms/LearnAboutSenderIdentification> Hi David, On Fri, Jan 6, 2023 at 5:58 PM David Liddle <david.lid...@wycliff.de<mailto:david.lid...@wycliff.de>> wrote: > <!-- This is the bcrypt settings used to generated anonymized content --> > <bcrypt_settings>__BCRYPT_SETTINGS__</bcrypt_settings> > > What form should the content of this line and these settings take? As mentioned in one of the comments in bug 28911, an appropriate value can be generated by the following command: htpasswd -bnBC 10 "" password | tr -d ':\n' | sed 's/$2y/$2a/' > Similarly, I would like to know what form the encryption key should take in > this section: > > <!-- Encryption key for crypted password or sensitive data --> > <encryption_key>__ENCRYPTION_KEY__</encryption_key> I believe this can be set to any high-entropy string suitable for a password or pass phrase. Per the Crypt::CBC documentation <https://metacpan.org/pod/Crypt::CBC<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmetacpan.org%2Fpod%2FCrypt%3A%3ACBC&data=05%7C01%7Cdavid.liddle%40wycliff.de%7Cec129049b6a64b3096a108daf03d2713%7C772715adef9944af8813312792f6de1c%7C0%7C0%7C638086442693352946%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=aSkfZ%2Bl5OoE2wH5SV48esb%2FypTrYXnB0WxOha9jb0J4%3D&reserved=0>>, it's not literally an AES encryption key but is used to create one. > Are there any risks or drawbacks to enabling these settings on a live site? > (I'm executing them first on a QA server with a robust backup system, > but it helps to know what to expect.) It should be pretty safe. The pseudonymization feature is turned on via a system preference and largely affects reporting, although some care would be needed as you prune non-pseudonymized data. The encryption is currently only used by the optional 2FA feature. Regards, Galen -- Galen Charlton Implementation and IT Manager Equinox Open Library Initiative g...@equinoxoli.org https://www.equinoxOLI.org<https://eur03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.equinoxoli.org%2F&data=05%7C01%7Cdavid.liddle%40wycliff.de%7Cec129049b6a64b3096a108daf03d2713%7C772715adef9944af8813312792f6de1c%7C0%7C0%7C638086442693352946%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=83VNTWOYnoTd%2FkIbvqWGmO81XNLG8zGknB%2FoqP%2FC1rU%3D&reserved=0> phone: 877-OPEN-ILS (673-6457) direct: 770-709-5581 _______________________________________________ Koha mailing list http://koha-community.org Koha@lists.katipo.co.nz Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
