Encryption
  • 28 Nov 2023
  • 1 minute to read


Totara handles a number of 'secrets', such as passwords, client IDs/secrets, keys, device access tokens and more, which are used for functions such as authenticating or communicating with external services. These are stored encrypted in the database.

See the developer documentation on encrypted attributes for more information.

The only data encrypted in the database via this method are tokens and service passwords. Nothing personally identifiable, and nothing that could not otherwise be recovered, is stored this way.

Feature                              | What we encrypt
SSO SAML (2.0) authentication plugin | The certificates used by each connection.
TOTP multi-factor authentication     | The secret stored for each individual user.

Encryption keys

Encryption keys are stored in the encryption_keys.json file inside your dataroot folder. If the file does not exist on install or upgrade, a new one is created with a default key. This file is required to read any encrypted data stored in the database: if the key is not present, the data cannot be read.

When backing up the site, these keys should also be backed up.

Adding new keys

If you would like to add a new key, you can run the script php admin/cli/add_encryption_key.php from the command line.

Call php admin/cli/add_encryption_key.php --help to see all available options.

Updating existing records

When a new key is added, the existing records will still use the old keys until they are saved again. To force all records to be updated to use the latest key, use the script php admin/cli/update_encrypted_models.php.

Call php admin/cli/update_encrypted_models.php --help to see all available options. You can either update records immediately, or queue them up to be updated the next time cron runs.
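The following shell script ties the three steps above into one rotation procedure: back up encryption_keys.json before anything touches it, add a new key, re-encrypt the existing records, then back up the updated key file as well. It is an added example, not a Totara script. It assumes the site root is passed as the first argument (with the admin/cli scripts under it, as on this page), the dataroot as the second, and that both CLI scripts can be run without extra options; the immediate-versus-cron choice for update_encrypted_models.php is made with the options its --help output lists.

```shell
#!/bin/sh
# Key-rotation runbook for Totara's encryption_keys.json (added example, not Totara's own code).
# Assumptions not taken from the page: site root is $1, dataroot is $2, backup directory is $3,
# and both CLI scripts run without further options (check --help for the real ones).
set -eu

# Copy encryption_keys.json out of the dataroot, verify the copy byte-for-byte and
# keep it readable only by the current user. Fails if the key file is missing or empty,
# because a database backup without it cannot be decrypted.
backup_encryption_keys() {
    dataroot="$1"
    backup_dir="$2"
    label="$3"
    keyfile="$dataroot/encryption_keys.json"
    if [ ! -s "$keyfile" ]; then
        echo "error: $keyfile is missing or empty; encrypted data cannot be read without it" >&2
        return 1
    fi
    mkdir -p "$backup_dir"
    chmod 700 "$backup_dir"
    copy="$backup_dir/encryption_keys.json.$label.$(date +%Y%m%d%H%M%S)"
    cp "$keyfile" "$copy"
    chmod 600 "$copy"
    # cksum on stdin prints "checksum size" without a file name, so the two lines are comparable.
    src_sum=$(cksum < "$keyfile")
    dst_sum=$(cksum < "$copy")
    if [ "$src_sum" != "$dst_sum" ]; then
        echo "error: backup copy $copy does not match $keyfile" >&2
        return 1
    fi
    echo "$copy"
}

# Full rotation: back up the current key file, add a new key, re-encrypt existing records
# so nothing stays dependent on the older key, then back up the updated key file too.
rotate_encryption_key() {
    site_root="$1"
    dataroot="$2"
    backup_dir="$3"
    copy=$(backup_encryption_keys "$dataroot" "$backup_dir" before) || return 1
    echo "key file backed up to $copy"
    (cd "$site_root" && php admin/cli/add_encryption_key.php) || return 1
    (cd "$site_root" && php admin/cli/update_encrypted_models.php) || return 1
    # The new key is now needed to read the re-encrypted rows, so keep a copy of it as well.
    copy=$(backup_encryption_keys "$dataroot" "$backup_dir" after) || return 1
    echo "updated key file backed up to $copy"
}

# Usage (hypothetical paths):
#   rotate_encryption_key /var/www/totara /var/totaradata /root/totara-key-backups
```

Run the rotation from the same account that owns the dataroot, and store the backup directory somewhere that is included in the same backup set as the database dump; a dump restored without the matching key file is unreadable.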

© Copyright 2024 Totara Learning Solutions. All rights reserved.