Authelia, a robust authentication and authorization server, is a cornerstone in securing applications with features like multi-factor authentication. One crucial aspect of Authelia's security is managing the encryption key used to secure data in its database. In this post, we'll explore the process of changing the encryption key in Authelia to enhance the security of your deployment.

Default Encryption Key

Out of the box, Authelia comes with a default encryption key in its configuration file:

storage:
  encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this

However, for maximum security, it is recommended to change this default encryption key to a strong and unique value.

Error After Changing the Encryption Key

Changing the encryption key in the configuration file and restarting Authelia will lead to an error if the key isn't synchronized with the database:

Failure running the storage provider startup check: the configured encryption key does not appear to be valid for this database which may occur if the encryption key was changed in the configuration without using the cli to change it in the database

I checked it in /var/log/authelia.log.

Resolution: Changing Encryption Key via CLI

If you have already changed the key this way and hit this error, roll back the change by restoring the old encryption key in the configuration file and restarting the Authelia service again.

To change the encryption key successfully, Authelia provides a command-line interface (CLI) command. Here's a step-by-step guide:

1. Generate a New Encryption Key

Generate a new, secure encryption key. You can use tools like openssl or online key generators to create a random string with sufficient entropy.

2. Change the Encryption Key via CLI

Adapt the command to your configuration path and to the key you generated:

authelia storage encryption change-key --config /etc/authelia/configuration.yml --new-encryption-key <your_newly_generated_encryption_key>

For example:

# authelia storage encryption change-key --config /etc/authelia/configuration.yml --new-encryption-key qh2zobpfwj4il0b32q935257o8v30ipza1g3tinhd0prarff5ce5b4k6usxtqsdr

Completed the encryption key change. Please adjust your configuration to use the new key.

This command updates the key in the Authelia database only, so you also have to change it in the configuration file:

storage:
  encryption_key: <your_newly_generated_encryption_key>

3. Restart Authelia

service authelia restart

To verify, check the logs to confirm the database is opened correctly:

time="2024-01-04T18:50:57+01:00" level=info msg="Storage schema is being checked for updates"
time="2024-01-04T18:50:57+01:00" level=info msg="Storage schema is already up to date"
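The three steps above, wrapped into a small POSIX shell helper that generates a key, refuses the shipped placeholder or anything of twenty characters or fewer, changes the key in the database before touching the file, and keeps a backup of the configuration for the rollback case. This is an added example, not Authelia's own tooling; it assumes the configuration lives at /etc/authelia/configuration.yml, that the authelia binary is on PATH, and that the service is restarted with service authelia restart, exactly as on the page.

```shell
#!/bin/sh
# Hypothetical key-rotation helper (added example, not part of Authelia).
set -eu

# Assumed location of the Authelia configuration, overridable for testing.
CONFIG="${AUTHELIA_CONFIG:-/etc/authelia/configuration.yml}"

# Step 1: generate a 64-character lowercase alphanumeric key from /dev/urandom,
# the same shape as the key shown in the page's example.
generate_key() {
    LC_ALL=C tr -dc 'a-z0-9' < /dev/urandom | head -c 64
    echo
}

# Authelia's placeholder spells out the rule: more than twenty characters.
# Refuse shorter keys and refuse the placeholder itself.
validate_key() {
    key="$1"
    case "$key" in
        you_must_generate_a_random_string*) return 1 ;;
    esac
    [ "${#key}" -gt 20 ]
}

# Read the currently configured encryption_key (first match in the file).
current_key() {
    sed -n 's/^[[:space:]]*encryption_key:[[:space:]]*//p' "$1" | head -n 1
}

# Rewrite the encryption_key line, keeping a .bak copy so the old key can be
# restored if the change has to be rolled back. Keys from generate_key contain
# no characters that are special to sed.
update_config() {
    cfg="$1"; new="$2"
    cp "$cfg" "$cfg.bak"
    sed "s#^\([[:space:]]*encryption_key:[[:space:]]*\).*#\1$new#" "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Steps 2 and 3 in the order the page requires: database first, then the
# configuration file, then the service restart.
rotate_key() {
    new="$1"
    validate_key "$new" || { echo "refusing weak or placeholder key" >&2; return 1; }
    authelia storage encryption change-key --config "$CONFIG" --new-encryption-key "$new"
    update_config "$CONFIG" "$new"
    service authelia restart
}
```

Run it as `. ./rotate.sh; rotate_key "$(generate_key)"` during a maintenance window; if the restart then logs the startup-check failure, restore the key from the .bak file and restart again.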

Conclusion

Changing the encryption key is a crucial step in maintaining the security of your Authelia deployment. Following the recommended steps, including using the CLI to synchronize the key with the database, ensures a smooth transition without disruptions.

Remember to generate a strong and unique encryption key and to perform this operation during a maintenance window to minimize impact.