Sysadmin Guide

Encryption


Encrypting mail passwords

User, agent and admin account passwords are secured storely in the Deskpro MySQL database using one-way hashing. This means that Deskpro doesn’t store the original passwords at all; even if a malicious attacker could inspect the database, they can’t recover the passwords.

However, the passwords for ticket/outgoing email accounts cannot be stored in this way; Deskpro needs access to the original password to retrieve mail from the server.

This means that if an attacker accessed your helpdesk’s MySQL database (or a backup), they could recover your email account credentials from the database.

To prevent this, you can choose to store an encrypted version of your email passwords. The encryption key will be stored within your Deskpro install directory in data/encryption-key.bin (and must stay there for email checking to work).

To enable encryption, go to Server > Encryption, confirm you have read the warnings, then click Generate Key File & Enable Encryption.

Warning

If you lose the encryption key file, you won’t be able to recover the mail passwords.

Warning

You must back up the key file in a secure manner. Remember, you need to back up all the files in the data folder as well as the MySQL database. If you store the encryption key with your database backups, there’s no gain in security.

Enabling this will not prevent an attacker who can access both the key file and the database from recovering the passwords.

Disabling password encryption

To disable encryption:

1. Create a file within your Deskpro install data directory called can-disable-encryption.txt. (The content of the file doesn’t matter; this step is to prove that you have direct filesystem access.)

  1. Go to Server > Encryption and click I have created the file.

Comments (0)

Add a comment

Add a comment

You need to log in before you can submit a comment.

Need a password reminder?