VW Update 1.12.0 - Argon2: Should I apply the update?

  • humptydumpty wrote:

    @nebulon said in Vaultwarden - Package Updates:

    Added support for Argon2 key derivation on the clients. To enable it for your account, make sure all your clients are using version v2023.2.0 or greater, then go to account settings > security > keys, and change the algorithm from PBKDF2 to Argon2id.

    Added support for Argon2 key derivation for the admin page token. To update your admin token to use it, check the wiki

    I read a post on Reddit about Argon2 vs PBKDF2 and most of it flew over my head, but what was clear is that Argon2 is much harder/costlier to crack, which brings me to the real issue here.

    • What exactly do I need to do to get this set up properly?

    • What iteration value is "strong" enough for an aging home server (i5-6500T; 4 cores & 8 GB RAM)?

    Kubernetes (App Dev) wrote (#2):

    @humptydumpty You should first do a backup/export of your vault. Check if you have attachments used in your records, because attachments are not exported!

    Then all you need to do is to log in as a user to your web vault and change the crypto in the settings.

    As the crypto stuff is done by the client, and not the server, the server specs do not matter. Make sure that all Apps and Plugins you use with your vault do support Argon2! And there is some limitation in iOS for autofill mentioned somewhere in the vaultwarden guide. I would keep them at the default settings as it's already better than recommended.


      humptydumpty wrote (#3):

      @Kubernetes TYVM!

        humptydumpty wrote (#4):

        It looks like I can only export my own vault and the organization I'm associated with from the admin page. Other users need to export their own vault. Anyway, I created a new backup, and it looks like I can download a copy of the backup now, not just the configuration file. Cool stuff.


          humptydumpty wrote (#5):

          @Kubernetes I changed my vault encryption to Argon2id, and now I'm trying to hash the admin token. According to this VW GitHub page, I can use a command in docker (which I assume Cloudron's terminal would work here) and it will hash the admin key.

          # Using the Bitwarden defaults (default preset)
          # Via docker on a running container
          docker exec -it vwcontainer /vaultwarden hash
          

          The part where it says "hash", am I supposed to replace it with a string of characters or leave as-is?


            Kubernetes (App Dev) wrote (#6):

            @humptydumpty Yes, it is in the Cloudron's Terminal of the Vaultwarden App. You just need to execute it with ./vaultwarden hash... (without docker exec). I think I did "vaultwarden hash argon2" and then it was asking for a password (twice). I entered my existing admin token and it generated a command that should be put into docker-compose file. As we don't use docker-compose in the same way, you have to edit the config file with the file editor of your App and put everything from the string output into the admin_token value pair.

            example:
            before any changes:
            "admin_token": "123456",

            after you generated the new admin token:
            "admin_token": "$argon2id$v=19$m=65540,t=3,p=4$abcdef",

            Be careful with that change as you might lock yourself out of the admin panel if you do something wrong.

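A pre-save check for the admin_token edit described in the post above, as an added example that is not part of the thread or of Vaultwarden's own code: it parses a config file body and reports whether the value is a complete Argon2 PHC string with parameters in the range RFC 9106 allows. The function names and the sample token are constructed for illustration; only the `admin_token` key and the `$argon2id$v=19$m=65540,t=3,p=4$` prefix come from the thread.

```python
import base64
import json
import re

# Layout of an Argon2 PHC string: $argon2id$v=19$m=..,t=..,p=..$<salt>$<hash>
PHC_RE = re.compile(r"^\$(argon2id|argon2i|argon2d)\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)"
                    r"\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$")

def _b64len(field):
    """Decoded byte length of an unpadded base64 field, or -1 if it does not decode."""
    try:
        return len(base64.b64decode(field + "=" * (-len(field) % 4), validate=True))
    except ValueError:  # binascii.Error is a ValueError subclass
        return -1

def check_admin_token(config_text):
    """Return a list of problems found with admin_token in a config.json body."""
    try:
        data = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc.msg}"]
    token = data.get("admin_token") if isinstance(data, dict) else None
    if not isinstance(token, str) or not token:
        return ["admin_token is missing or empty"]
    if not token.startswith("$argon2"):
        return ["admin_token is a plain-text token, not an Argon2 hash"]
    match = PHC_RE.match(token)
    if match is None:
        return ["admin_token starts like an Argon2 hash but is not a complete PHC string"]
    variant, salt, digest = match.group(1), match.group(6), match.group(7)
    version, m_kib, t_cost, lanes = (int(match.group(i)) for i in (2, 3, 4, 5))
    problems = []
    if variant != "argon2id":
        problems.append(f"variant is {variant}, expected argon2id")
    if version != 19:
        problems.append(f"version is {version}, expected 19")
    if t_cost < 1 or lanes < 1 or m_kib < 8 * lanes:
        problems.append("cost parameters are outside the range Argon2 accepts (RFC 9106)")
    if _b64len(salt) < 1 or _b64len(digest) < 4:
        problems.append("salt or hash field is not valid base64 or is too short")
    return problems

def constructed_token(m_kib=65540):
    """Well-formed sample value built from constructed bytes, not a real hash."""
    enc = lambda raw: base64.b64encode(raw).decode().rstrip("=")
    return f"$argon2id$v=19$m={m_kib},t=3,p=4${enc(b'constructed-salt')}${enc(bytes(32))}"

if __name__ == "__main__":
    for value in ("123456", "$argon2id$v=19$m=65540,t=3,p=4$abcdef", constructed_token()):
        print(value[:40], "->", check_admin_token(json.dumps({"admin_token": value})) or "ok")
```

The thread's abbreviated `...$abcdef` value is reported as incomplete because it carries a salt field but no hash field, which is what a truncated paste looks like.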

              humptydumpty wrote (#7):

              @Kubernetes Oh shoot, that's a tricky process. I'll do it when I got a clear mind.

              As for the regular Argon2id update, it's working fine on my PCs but on iOS (A12 Bionic), I kept getting a parse error. Logging out of the account didn't fix it but completely deleting the app and reinstalling worked like a charm.

              I did change the values from the defaults for my vault, so maybe that had something to do with the error, but I'm running these successfully now:

              • memory is still at default of 64 MB
              • iterations value of 4
              • parallelism value of 8 (formula is CPU cores * 2; weakest CPU I have has 4 cores)
                scooke wrote (#8):

                @humptydumpty said in VW Update 1.12.0 - Argon2: Should I apply the update?:

                memory is still at default of 64 MB

                Really!? Mine is at 3.75GB, but I also have over 4000 records in it.

                A life lived in fear is a life half-lived


                  Kubernetes (App Dev) wrote (#9):

                  @scooke He is talking about the KDF config, not about system RAM 🙂


                    humptydumpty wrote (#10):

                    @Kubernetes yep 🙂 here's a screenshot for reference

                    memory.png


                      humptydumpty wrote (#11):

                      @scooke said in VW Update 1.12.0 - Argon2: Should I apply the update?:

                      but I also have over 4000 records in it.

                      I forgot to ask you, do you feel it takes extra time to load the vault logins when having that many records?
