2. Configuration

Note

A change in settings (with the exception of database changes) does not trigger decryption and re-encryption of existing data just to apply the new values. Instead, the new settings are applied when new data is encrypted or existing data is modified, so the old configuration is phased out gradually. For example, a change to the password hash iteration count takes effect for a user when that user next resets their password.

Any database change causes Krptn to assume that all data has already been migrated to the new database and is ready to use. Krptn stops using the old database, but finishes any user operations that were already started there.

Simple, pythonic configuration:

```python
import krypton

krypton.configs.defaultAlgorithm = "AES256GCM"  # Symmetric cipher used by the KMS and the Crypto class (currently only AES256GCM is supported)
krypton.configs.defaultIterations = 600000  # Number of PBKDF2 iterations for password hashing
krypton.configs.defaultPasswordResetIteration = 650000  # Number of PBKDF2 iterations for password recovery codes
krypton.configs.defaultCryptoperiod = 2  # Approximate cryptoperiod of a key, in years
krypton.configs.defaultSessionPeriod = 15  # Minutes before a user session is destroyed
krypton.configs.defaultLogRetentionPeriod = 43200  # Minutes to retain login logs (43200 minutes = 30 days)
```

Warning

When setting iteration counts for PBKDF2, make sure the value is not too low. A low count makes an offline brute-force attack against the encryption in the database cheap if the database leaks. A high count, however, costs CPU time on every login and password reset, so an appropriate value has to be chosen for your workload.

For reference, as of January 2023 OWASP recommended 600,000 iterations for PBKDF2-HMAC-SHA256. NIST SP 800-132 gives a minimum of 1,000 and states that, for especially critical data, or for very powerful systems or systems where user-perceived performance is not critical, 10,000,000 iterations may be appropriate.
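The trade-off above is easiest to settle by measuring. The following is an added example, not code from Krptn or its documentation: it times PBKDF2-HMAC-SHA256 (assumed here as the measured primitive; the page does not state which hash Krptn uses) on the host that will run the server, then picks the largest iteration count that fits a per-login latency budget while never dropping below the OWASP figure. The resulting number is what you would assign to `krypton.configs.defaultIterations`.

```python
import hashlib
import os
import time

# Iteration counts named in the text: the NIST SP 800-132 floor, the
# OWASP (January 2023) recommendation for PBKDF2-HMAC-SHA256, and the
# count NIST suggests for especially critical data.
NIST_MIN_ITERATIONS = 1_000
OWASP_2023_ITERATIONS = 600_000
NIST_HIGH_ITERATIONS = 10_000_000


def pbkdf2_time_ms(iterations: int, hash_name: str = "sha256", trials: int = 3) -> float:
    """Median wall-clock cost, in milliseconds, of one PBKDF2-HMAC derivation
    at `iterations` on this machine. Password and salt are throwaway random
    bytes; only the timing matters here."""
    password = os.urandom(16)
    salt = os.urandom(16)
    samples = []
    for _ in range(trials):
        start = time.perf_counter()
        hashlib.pbkdf2_hmac(hash_name, password, salt, iterations)
        samples.append((time.perf_counter() - start) * 1000.0)
    samples.sort()
    return samples[len(samples) // 2]


def choose_iterations(ms_per_iteration: float, budget_ms: float,
                      floor: int = OWASP_2023_ITERATIONS,
                      ceiling: int = NIST_HIGH_ITERATIONS,
                      step: int = 10_000) -> int:
    """Largest multiple of `step` whose derivation fits inside `budget_ms`
    at the measured `ms_per_iteration`, clamped to [floor, ceiling].

    If the budget cannot even pay for `floor`, `floor` is returned anyway:
    a hash that is cheap to brute-force is the worse failure mode, so the
    right response is a faster host or a looser budget, not a weaker hash."""
    if ms_per_iteration <= 0 or budget_ms <= 0:
        raise ValueError("ms_per_iteration and budget_ms must be positive")
    affordable = int(budget_ms / ms_per_iteration)
    affordable -= affordable % step
    return max(floor, min(affordable, ceiling))


def recommend(budget_ms: float = 250.0, probe_iterations: int = 100_000) -> dict:
    """Measure this host with a short probe, then pick a count for the given
    per-login latency budget. 'iterations' is the value to assign to
    krypton.configs.defaultIterations (setting name taken from the page)."""
    ms_per_iteration = pbkdf2_time_ms(probe_iterations) / probe_iterations
    iterations = choose_iterations(ms_per_iteration, budget_ms)
    return {
        "ms_per_iteration": ms_per_iteration,
        "iterations": iterations,
        "estimated_login_ms": iterations * ms_per_iteration,
    }


if __name__ == "__main__":
    for n in (NIST_MIN_ITERATIONS, OWASP_2023_ITERATIONS):
        print(f"{n:>9,} iterations: {pbkdf2_time_ms(n):8.1f} ms per derivation")
    print(recommend())
```

Run it on the production hardware, not a developer laptop: the cost per iteration is what decides the number, and a count that feels fine locally can double login latency on a smaller cloud instance. Keep `defaultPasswordResetIteration` at least as high as the chosen value, as the page's example does.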

2.1. Databases

For the values of the following settings, see Databases.

```python
krypton.configs.SQLDefaultCryptoDBpath = ...  # DB used by the Crypto class (value omitted here; see Databases)
krypton.configs.SQLDefaultKeyDBpath = ...  # DB used by the Key Management System
krypton.configs.SQLDefaultUserDBpath = ...  # DB used by the User Authentication System
```

2.2. FIDO Auth & MFA

These configuration options must be set for FIDO (passwordless authentication) and TOTP (time-based one-time passwords) to work.

```python
## For both TOTP and FIDO
krypton.configs.APP_NAME = "ExampleApp"  # Name of your app

## The settings below are only needed for FIDO
krypton.configs.HOST_NAME = "example.com"  # Hostname, as seen by the user's browser
krypton.configs.ORIGIN = "https://example.com/"  # Origin, again as seen by the user's browser
```
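Getting `HOST_NAME` and `ORIGIN` wrong is the usual reason FIDO registration silently fails, because the browser rejects a relying party whose ID does not match the page's origin. The check below is an added example, not part of Krptn: it assumes `HOST_NAME` is used as the WebAuthn relying party ID (RP ID) and applies the WebAuthn rule that the RP ID must equal the origin's host or be a parent domain of it, that the origin must be a secure context (`https`, or `http` only on localhost), and that the origin carries no path. `configure_fido` is a hypothetical helper that runs the check before assigning the three settings; `types.SimpleNamespace` stands in for `krypton.configs` so the demo runs without the library.

```python
from types import SimpleNamespace
from urllib.parse import urlsplit

# Hosts on which WebAuthn treats a plain-http origin as a secure context.
LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")


def is_registrable_suffix(rp_id: str, host: str) -> bool:
    """True when `rp_id` equals `host` or is a parent domain of it.
    (WebAuthn: the RP ID must equal, or be a registrable domain suffix of,
    the effective domain of the origin.)"""
    rp_id = rp_id.lower().rstrip(".")
    host = host.lower().rstrip(".")
    return host == rp_id or host.endswith("." + rp_id)


def check_fido_config(host_name: str, origin: str) -> tuple[bool, str]:
    """Return (ok, reason) for a HOST_NAME / ORIGIN pair."""
    if not host_name or "/" in host_name or ":" in host_name or "@" in host_name:
        return False, "HOST_NAME must be a bare hostname (the RP ID), not a URL or host:port"
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, f"ORIGIN must be an absolute http(s) URL, got {origin!r}"
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return False, "ORIGIN is scheme://host[:port] only; drop any path, query or fragment"
    if parts.scheme != "https" and parts.hostname not in LOOPBACK_HOSTS:
        return False, "WebAuthn needs a secure context: use https except on localhost"
    if not is_registrable_suffix(host_name, parts.hostname):
        return False, (f"HOST_NAME {host_name!r} is neither equal to nor a parent "
                       f"domain of the origin host {parts.hostname!r}")
    return True, "ok"


def configure_fido(configs, app_name: str, host_name: str, origin: str) -> None:
    """Hypothetical helper: validate, then assign the three settings on
    `configs`. Pass `krypton.configs` in a real deployment."""
    ok, reason = check_fido_config(host_name, origin)
    if not ok:
        raise ValueError(f"refusing FIDO configuration: {reason}")
    configs.APP_NAME = app_name
    configs.HOST_NAME = host_name
    configs.ORIGIN = origin


if __name__ == "__main__":
    configs = SimpleNamespace()  # stand-in for krypton.configs
    configure_fido(configs, "ExampleApp", "example.com", "https://example.com/")
    print(vars(configs))
    # A subdomain origin under the same RP ID is fine; the reverse is not.
    print(check_fido_config("example.com", "https://login.example.com"))
    print(check_fido_config("login.example.com", "https://example.com"))
```

One caveat the check does not cover: an RP ID that is itself a public suffix (such as `co.uk`) is also rejected by browsers, so `HOST_NAME` should always be a domain you control, with the origin on that domain or one of its subdomains.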