Encrypt user passwords

Hi guys, forgive me if this has been flagged already. So I've set up jitsi-meet and it's all up and running. I have set up authentication on it, so users logging in will need a username and password, which is great.

My question is, I've noticed that the usernames and passwords are contained here: /var/lib/prosody/whatevernameyouused/accounts/username.dat

These files are not encrypted currently. I'm aware that for now they can only really be read by the root user, as ACLs are locked down to that user, but is there any way to further encrypt these .dat files so that if someone did hack the server there is another level of resistance?

I tried using gnupg (I've installed it on an Ubuntu server); however, when launching the internal nginx page, jitsi is unable to read said configured file.

Once again, I'm new to this and only just set up a server, so apologies if I'm asking something stupid or redundant.

Many thanks

If you tried to encrypt the file, you’d need to write a mechanism for the server to decrypt it and read it. And if it can do that, there’s no real additional security.

Better, IMHO, would be to store a hash of the password, and then verify each attempt against the hash.

Hi Neil, thanks for the quick reply. I think I might be running more on the hashing side of things if anything. Since we have an abundance of time at home, I think I've got me some bedtime reading :wink:

https://prosody.im/doc/plain_or_hashed


If someone gains root access those passwords will be the smallest problem you will have …

This has been the argument against password hashing since the beginning. And yet password hashing has become almost mandatory everywhere.


How did you set up your jitsi-meet instance? You should be able to just switch to internal_hashed in prosody's config.

Boris
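What the switch from `internal_plain` to `internal_hashed` changes on disk, as an added Python illustration that is not Prosody's own code: Prosody stores SCRAM-SHA-1 credentials (a salt, an iteration count, a stored key and a server key) instead of the cleartext password, and a login attempt is checked by re-deriving the stored key from the offered password. The record layout below mirrors those field names but is a constructed model for illustration, not Prosody's serialisation format; the `migrate_plain_record` helper is hypothetical and only shows that a plaintext record can be replaced by a hashed one without ever needing the hash to be reversible.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed model of SCRAM-SHA-1 credential storage (RFC 5802), using the
# same field names Prosody's internal_hashed keeps. Illustrative only; not
# Prosody's implementation.

def hi(password: bytes, salt: bytes, iterations: int) -> bytes:
    """RFC 5802 Hi(): PBKDF2 with HMAC-SHA1, output length = SHA-1 digest."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)


def make_plain_record(password: str) -> Dict[str, object]:
    """What an internal_plain style record amounts to: the secret itself."""
    return {"password": password}


def make_hashed_record(password: str, iterations: int = 4096,
                       salt: Optional[bytes] = None) -> Dict[str, object]:
    """Derive a SCRAM-SHA-1 record; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()   # H(ClientKey)
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return {
        "salt": salt.hex(),
        "iteration_count": iterations,
        "stored_key": stored_key.hex(),
        "server_key": server_key.hex(),
    }


def verify(password: str, record: Dict[str, object]) -> bool:
    """Check an offered password against a hashed record in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    iterations = int(record["iteration_count"])
    salted = hi(password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    return hmac.compare_digest(stored_key, bytes.fromhex(str(record["stored_key"])))


def migrate_plain_record(record: Dict[str, object]) -> Dict[str, object]:
    """Hypothetical helper: replace a plaintext record with a hashed one.

    Only a plaintext record can be migrated offline; the reverse direction is
    impossible by design, which is the whole point of hashing.
    """
    if "password" not in record:
        return record            # already hashed, nothing to do
    return make_hashed_record(str(record["password"]))


if __name__ == "__main__":
    plain = make_plain_record("correct horse battery staple")
    hashed = migrate_plain_record(plain)
    print("plain record leaks:", plain)
    print("hashed record:", hashed)
    print("login ok:", verify("correct horse battery staple", hashed))
    print("wrong password:", verify("Tr0ub4dor&3", hashed))
```

In Prosody the corresponding config change is `authentication = "internal_hashed"` in place of `authentication = "internal_plain"` under the VirtualHost; the Prosody page linked earlier in the thread covers the details. The model above shows why that matters: a copied hashed `.dat` file yields only salt, iteration count and two keys, and confirming a guess costs the attacker a full PBKDF2 derivation per attempt, whereas a plaintext record needs nothing at all.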

Boris, you beautiful man. So this is the first time setting everything up, and so I used a tutorial that someone else posted about setting it up. Seems like in the prosody config he just threw in internal_plain. I followed blindly (shame on me) and didn't click on till your message right now.

Much appreciated, sir. Many thanks for the help. This is exactly what I was looking for, and I appreciate the point in the right direction.

No problem, I’m just making sure that our docs are up to date and not using ‘plain’ anymore (we had to update some of them). If you still see it referenced anywhere please let us know.

Boris