2. Configuration


A change in settings (with the exception of database changes) does not trigger decryption and re-encryption of existing data just to apply the change. Instead, the change is applied when new data is encrypted or old data is modified, thereby slowly phasing out the old configuration. For example, when the password hash iteration count is changed, the change takes effect when the user resets their password.
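
The phase-out described above can be sketched as follows. This is an added example, not Krptn's own code: it assumes each stored record carries the iteration count it was hashed with, uses PBKDF2 with SHA-256, and the `config` dict, helper names, passwords and the 600000 value are constructed for illustration.

```python
import hashlib
import hmac
import os

# Stand-in for krypton.configs.defaultIterations (assumption: not Krptn's own code).
config = {"iterations": 500_000}

def hash_password(password: str) -> dict:
    """Build a record that stores the parameters it was hashed with."""
    salt = os.urandom(16)
    n = config["iterations"]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, n)
    return {"iterations": n, "salt": salt, "hash": digest}

def verify_password(record: dict, password: str) -> bool:
    """Verify with the record's own iteration count, not the live setting."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def reset_password(users: dict, name: str, new_password: str) -> None:
    """A reset writes a new record, so it picks up the current setting."""
    users[name] = hash_password(new_password)

def stale_users(users: dict) -> list:
    """Accounts still hashed under an older iteration count."""
    return sorted(n for n, r in users.items()
                  if r["iterations"] != config["iterations"])

def demo() -> dict:
    users = {}
    config["iterations"] = 500_000
    users["alice"] = hash_password("constructed-pw-a")   # constructed sample data
    users["bob"] = hash_password("constructed-pw-b")
    config["iterations"] = 600_000                       # constructed new setting
    reset_password(users, "bob", "constructed-pw-b2")    # only bob is re-hashed
    return {
        "alice_ok": verify_password(users["alice"], "constructed-pw-a"),
        "alice_wrong": verify_password(users["alice"], "guess"),
        "bob_ok": verify_password(users["bob"], "constructed-pw-b2"),
        "iterations": {n: r["iterations"] for n, r in users.items()},
        "stale": stale_users(users),
    }

if __name__ == "__main__":
    print(demo())
```

Accounts listed by `stale_users` stay on the old iteration count until their next password reset, which is worth tracking after raising the setting.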

Any database change results in Krptn assuming that all data has been migrated to the new database and is ready to use. Krptn will stop using the old database, but will finish any user operations already started there.

Simple, pythonic configuration:

import krypton
krypton.configs.defaultAlgorithm = "AES256GCM" # Sets which symmetric cipher to use in the KMS and Crypto Class (currently only AES256GCM is supported)
krypton.configs.defaultIterations = 500000 # Number of iterations for PBKDF2
krypton.configs.defaultPasswordResetIteration = 800000 # Number of iterations to use with PBKDF2 for password recovery codes.
# This iteration count should be larger than the other one, since password recovery codes are more susceptible to brute-force.
krypton.configs.defaultCryptoperiod = 2 # Approx. number of years for the cryptoperiod of a key
krypton.configs.defaultSessionPeriod = 15 # Number of minutes before a user Session is destroyed.

2.1. Databases

For the following settings, please see Databases.

krypton.configs.SQLDefaultCryptoDBpath = # for DB used by Crypto Class
krypton.configs.SQLDefaultKeyDBpath =  # for DB used by Key Management System (you most likely don't need this)
krypton.configs.SQLDefaultUserDBpath = # for DB used by User Authentication System

2.2. FIDO Auth & MFA

These configuration options must be set for FIDO (passwordless auth) and TOTP (time-based one-time passwords) to work.

## For both TOTP and FIDO
krypton.configs.APP_NAME = "ExampleApp" # name of your app
## The below are only needed for FIDO
krypton.configs.HOST_NAME = "example.com" # hostname, as seen by the user's browser
krypton.configs.ORIGIN = "https://example.com/" # again, as seen by the user's browser