

Warning

Changing the encryption key invalidates the shared secrets already stored in the database: there is no migration between keys. After changing the key, it is recommended that the Administrator reset ALL users' 2FA configuration through the "2FA Users" administration screen.

...


Info

By default, older Java runtimes restrict the AES key length to 128 bits. This can be lifted by installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files from http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html (if available for your jurisdiction). JDK 8u161 and later, and JDK 9 and later, ship with the unlimited policy enabled by default, so no policy files are needed there; a 192- or 256-bit key on an older runtime without the policy files will fail at startup with an "Illegal key size" error.


By default, the Two Factor Authentication app encrypts the TOTP shared secret key in the database using a default AES 128-bit encryption key. The local administrator can change the default encryption key by placing a file in the home directory of the host application (Bitbucket Server) and naming it /wittified.2fa-encryption. The file should contain only the new encryption key (without any extra content). Once this is done, the app automatically starts to use the new encryption key. The key must be expressed in hexadecimal and be of an appropriate length: 16, 24 or 32 bytes before hex encoding, i.e. 32, 48 or 64 hex characters, for AES-128, AES-192 or AES-256 respectively. Because the key protects every user's TOTP secret, the file should be readable only by the account that runs the host application. For example ways of generating new keys, see below.


Generate a new key

To generate a new key, execute one of the following commands on Linux. The number is the key length in bytes; the output is the hex string to place in the key file.

128 bits:

openssl rand -hex 16


192 bits:

openssl rand -hex 24


256 bits:

openssl rand -hex 32
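The following script is an added example, not part of the app's own tooling: it ties together the key-length rule from the section above and the generation commands just shown. It generates a key of the requested size, checks that the result is exactly 32, 48 or 64 hex characters, and writes it to the key file with owner-only permissions and no trailing newline (the documentation says the file must hold the key "without any extra content"). The target path built from $BITBUCKET_HOME and the function names are assumptions for illustration; only the file name wittified.2fa-encryption comes from the page.

```shell
#!/bin/sh
# Added example (not the app's own code). Generates, validates and installs
# the 2FA encryption key described above. Assumptions: the key file lives at
# "$BITBUCKET_HOME/wittified.2fa-encryption" and openssl is on PATH.

# gen_key BITS: print a random key of 128, 192 or 256 bits as lowercase hex.
gen_key() {
    case "$1" in
        128) bytes=16 ;;
        192) bytes=24 ;;
        256) bytes=32 ;;
        *) echo "unsupported key size: $1 (use 128, 192 or 256)" >&2; return 1 ;;
    esac
    openssl rand -hex "$bytes"
}

# validate_key HEX: succeed only if HEX is pure hex of 32, 48 or 64 characters,
# i.e. a 16-, 24- or 32-byte AES key. Anything else would not be accepted as
# an AES key by the JVM.
validate_key() {
    key=$1
    case "$key" in
        *[!0-9a-fA-F]*) return 1 ;;   # non-hex character present
        "") return 1 ;;               # empty string
    esac
    len=${#key}
    [ "$len" -eq 32 ] || [ "$len" -eq 48 ] || [ "$len" -eq 64 ]
}

# install_key HEX FILE: write the key to FILE with mode 0600 and no newline.
# The restrictive umask inside the subshell closes the window between file
# creation and chmod during which another local user could read the key.
install_key() {
    validate_key "$1" || { echo "refusing to install an invalid key" >&2; return 1; }
    ( umask 077; printf '%s' "$1" > "$2" ) || return 1
    chmod 600 "$2"
}

# Typical use (assumed path; run as the Bitbucket Server service account):
#   install_key "$(gen_key 256)" "$BITBUCKET_HOME/wittified.2fa-encryption"
```

After installing a new key, remember the warning above: existing TOTP secrets can no longer be decrypted, so every user's 2FA configuration has to be reset.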