
Secret block

From UnrealIRCd documentation wiki

The secret { } block is used to define passwords (or ways to retrieve them) for encrypted database storage.

You refer to these secret block(s) from the ::db-secret configuration item of the modules that use it.

Modules that support encrypted database storage

The following modules support encrypted database storage and can refer to secret { } blocks:

Password requirements

All passwords must conform to the following password complexity requirements:

  • must be 10 characters or longer
  • must contain at least one lowercase letter
  • must contain at least one uppercase letter
  • must contain at least one digit

Why the password needs to be known

By definition, the password (key) to encrypt and decrypt needs to be known somehow. It is impossible to encrypt/decrypt data if you don't have the correct key, as that is the whole point of encryption. This is not an UnrealIRCd limitation but true for any system that uses symmetric encryption like AES. There is no way around this.

You can put your password directly in the configuration file, but that provides only marginal security. You don't have to do this! UnrealIRCd provides multiple options for the secret block, including one where you type the password at startup and it is never stored in plaintext in any file. All options are explained below with their pros and cons. Go through them and decide which option is the most suitable for your network.

Syntax & Examples

The password can be specified directly in the configuration file or fetched from elsewhere.

Each secret block has a name:

secret name-of-secret {
        /* one of the password options described below */
}
This name is referred to from other places in the configuration file.

You can use a single secret block and use that same secret block from multiple places (channeldb, tkldb, etc), OR you can have multiple secret blocks (one for each purpose). It's up to you to decide.

Directly in the configuration file

This is the easiest, but the least secure method:

secret channeldb {
        password "Somepassw0rd";
}

From an external file

This way you can store the password in a text file in a different place, e.g. on a different disk or USB stick: somewhere that is not stored or backed up together with the rest of your UnrealIRCd data.

The file only needs to exist while UnrealIRCd boots, so you could for example connect a USB stick when booting UnrealIRCd and pull it out once booted. You can rehash the IRCd without the file being needed.

secret channeldb {
        password-file "/home/xyz/secret.txt";
}

The file (secret.txt in this example) should then contain a single line with the password.
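As an added example (not part of the wiki or of UnrealIRCd itself), the script below reads secret { } blocks out of a configuration fragment, resolves the password the way the two methods above describe (inline password, or the single line of a password-file), and checks each against the complexity rules listed under "Password requirements". The configuration text and the password file contents are constructed for the example; the regexes assume the simple `key "value";` directive form shown on this page.

```python
import re

# Complexity rules stated in the documentation above.
def meets_complexity(password):
    """Return the list of unmet requirements; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    return problems

# A secret block is 'secret <name> { ... }'; inside it, directives look like 'key "value";'.
BLOCK_RE = re.compile(r'secret\s+(\S+)\s*\{(.*?)\}', re.S)
DIRECTIVE_RE = re.compile(r'(password-file|password)\s+"([^"]*)"\s*;')

def parse_secret_blocks(conf_text):
    """Map each secret block name to a dict of its directives."""
    return {name: dict(DIRECTIVE_RE.findall(body))
            for name, body in BLOCK_RE.findall(conf_text)}

def resolve_password(directives, read_file):
    """Inline password, or the single line of password-file (read via the injected read_file)."""
    if "password" in directives:
        return directives["password"]
    if "password-file" in directives:
        lines = read_file(directives["password-file"]).splitlines()
        if len(lines) != 1:
            raise ValueError(f"{directives['password-file']}: expected exactly one line")
        return lines[0]
    return None  # neither directive: the password is supplied some other way at boot

def check_config(conf_text, read_file):
    """Per secret block: list of unmet rules, or None when no password is stored in a file."""
    report = {}
    for name, directives in parse_secret_blocks(conf_text).items():
        password = resolve_password(directives, read_file)
        report[name] = None if password is None else meets_complexity(password)
    return report

# Constructed sample input (not from the wiki): two blocks and a fake password-file.
SAMPLE_CONF = """secret channeldb { password "Somepassw0rd"; }
secret tkldb { password-file "/home/xyz/secret.txt"; }"""
SAMPLE_FILES = {"/home/xyz/secret.txt": "weakpass\n"}  # stands in for the real file
```

Run `check_config(SAMPLE_CONF, lambda path: SAMPLE_FILES[path])` to get a per-block report; a real check would pass `lambda path: open(path).read()` instead of the in-memory dict.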

Entering on-boot in a terminal

This is the most secure method. It requires you to type the password every time UnrealIRCd is (re)started. After that, you can rehash the IRCd without having to re-enter the key.

The downside is that you can no longer start UnrealIRCd automatically via cron or boot scripts. You will ALWAYS need to start UnrealIRCd manually from a terminal (e.g. via SSH).

secret channeldb {