Encryption Private Key

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
14 years ago
Hello,
I was wondering if you can tell me:

1. What the encryption private key is used for
      - I assume that this is a hash used to store private information securely in the database
      - it is difficult to tell as it is grouped with the ssl stuff
2. What happens if I change the key when a site is already live
      - will existing data be broken

Thank you
Jason
14 years ago
The encryption private key is used for storing sensitive data in your database. It's recommended to change the key when a site is live.
14 years ago
It is not clear what value goes in the Encryption private key. I have enabled UseSSL in the web.config file and I can successfully log in securely using Firefox. When I use IE7, I get a certificate error. I have a dedicated certificate installed. Any ideas why IE7 cannot see the cert? I am using nop 1.4
14 years ago
Look in the createData.sql and change the private key to something else (Yes you will break existing secured data).

Nothing to do with SSL.

Check with your host to see if they installed your SSL certificate.
14 years ago
If you change the Encryption Private Key, then the admin password will not be valid.
To be able to login again, do the following:

- After changing the Encryption Key, DO NOT LOG OUT
- Go to Manage Customers, find your admin account, edit it, type new password in password field and press "Change Password"

If you have already logged out, you can get a new password via the "Forgot password" form, but only if you set a real email for the admin account beforehand (instead of [email protected]).

Hope this helps someone.
14 years ago
bojan.hrnkas wrote:
If you change the Encryption Private Key, then the admin password will not be valid.
To be able to login again, do the following:

- After changing the Encryption Key, DO NOT LOG OUT
- Go to Manage Customers, find your admin account, edit it, type new password in password field and press "Change Password"

If you have already logged out, you can get a new password via the "Forgot password" form, but only if you set a real email for the admin account beforehand (instead of [email protected]).

Hope this helps someone.


Changing the encryption private key (via Administration > Configuration > Global Settings > Security tab) does not change the admin password. Changing the encryption private key results in the encrypted fields for existing orders being decrypted with the old key and encrypted with the new key and the setting "Security.EncryptionPrivateKey" being updated with the new key.

For version 1.50:
See file: Administration\Modules\GlobalSettings.ascx.cs (line #348, method btnChangeEncryptionPrivateKey_Click())
and file: Libraries\Nop.BusinessLogic\Security\SecurityHelper.cs (line #135, method ChangeEncryptionPrivateKey())

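The rotation the reply above describes (decrypt each stored field with the old key, re-encrypt with the new one, then persist the new key) is sketched here as an added example; it is not nopCommerce's SecurityHelper code, and the 16-character-string-as-two-key-3DES mapping, the per-value random IV stored in front of the ciphertext, and the sample keys are all assumptions made for the demo.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not nopCommerce's own code. Models ChangeEncryptionPrivateKey():
// every encrypted field is decrypted with the old key and re-encrypted with the new one.
static class EncryptionKeyRotationDemo
{
    // Assumption: the 16-character key is used directly as a 16-byte (two-key, 128-bit) 3DES key.
    static TripleDES CreateCipher(string key16)
    {
        var tdes = TripleDES.Create();
        tdes.Mode = CipherMode.CBC;
        tdes.Padding = PaddingMode.PKCS7;
        tdes.Key = Encoding.ASCII.GetBytes(key16);   // must be exactly 16 or 24 bytes, else throws
        return tdes;
    }

    // Stored format (assumption): base64( IV[8] || ciphertext ). A fresh IV per value
    // avoids identical plaintexts producing identical stored blobs.
    static string Encrypt(string plain, string key16)
    {
        using var tdes = CreateCipher(key16);
        tdes.GenerateIV();
        using var enc = tdes.CreateEncryptor();
        byte[] pt = Encoding.UTF8.GetBytes(plain);
        byte[] ct = enc.TransformFinalBlock(pt, 0, pt.Length);
        byte[] blob = new byte[tdes.IV.Length + ct.Length];
        Buffer.BlockCopy(tdes.IV, 0, blob, 0, tdes.IV.Length);
        Buffer.BlockCopy(ct, 0, blob, tdes.IV.Length, ct.Length);
        return Convert.ToBase64String(blob);
    }

    static string Decrypt(string stored, string key16)
    {
        byte[] blob = Convert.FromBase64String(stored);
        using var tdes = CreateCipher(key16);
        byte[] iv = new byte[8];
        Buffer.BlockCopy(blob, 0, iv, 0, iv.Length);
        tdes.IV = iv;
        using var dec = tdes.CreateDecryptor();
        byte[] pt = dec.TransformFinalBlock(blob, iv.Length, blob.Length - iv.Length);
        return Encoding.UTF8.GetString(pt);
    }

    // A wrong old key surfaces here as a CryptographicException (bad padding) rather than
    // silently producing garbage, so a rotation run should be wrapped in one transaction.
    static string Rotate(string stored, string oldKey, string newKey)
        => Encrypt(Decrypt(stored, oldKey), newKey);

    static void Main()
    {
        const string oldKey = "0123456789ABCDEF";   // constructed sample keys, 16 chars each
        const string newKey = "FEDCBA9876543210";
        string stored = Encrypt("CARD-NUMBER-PLACEHOLDER", oldKey);   // constructed order field
        string rotated = Rotate(stored, oldKey, newKey);
        Console.WriteLine(Decrypt(rotated, newKey));
    }
}
```

Only after every field has been rotated should the Security.EncryptionPrivateKey setting be overwritten; a failure midway leaves rows encrypted under two different keys.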
13 years ago
Hi.

I've got a Shared SSL certificate through my Wild West Domains reseller account. The certificate is installed on my domain. nopCommerce requires an "Encryption Key" input but I am unable to determine what my specific key is.

Does anyone know how I can determine what my specific encryption key is?

Is there a program or utility which does this?

Thanks for your help,
Pete
13 years ago
Why is the key limited to 16 characters? This doesn't seem very secure. The key in my current ecommerce site is well over 2000 characters.

Never mind. This is how my host explained it, in case anyone else is curious:

3DES uses a 168-bit key (21 chars), but our security library takes that 2689 chars and then picks 3 predetermined sections (7 chars each) of that large key and passes them to the encryption algorithm. We designed it this way so that you would have to have our security library to apply the key to decrypt the data. Otherwise the key is useless if just left out in the open and you tried to apply it to decrypt the data on your own - you wouldn't know which 21 chars to use. The 16 chars from nop is a 128-bit key, but still provides plenty of security in my opinion. I think it is something like one hundred years to flip every bit in a 128-bit key - and that doesn't include validating the key against the data to decrypt.