Authelia, a robust authentication and authorization server, is a cornerstone in securing applications with features like multi-factor authentication. One crucial aspect of Authelia's security is managing the encryption key used to secure data in its database. In this post, we'll explore the process of changing the encryption key in Authelia to enhance the security of your deployment.
Default Encryption Key
Out of the box, Authelia comes with a default encryption key in its configuration file:
However, for maximum security, it is recommended to change this default encryption key to a strong and unique value.
Error After Changing the Encryption Key
Changing the encryption key in the configuration file and restarting Authelia will lead to an error if the key isn't synchronized with the database:
Failure running the storage provider startup check: the configured encryption key does not appear to be valid for this database which may occur if the encryption key was changed in the configuration without using the cli to change it in the database
I checked it in /var/log/authelia.log
Resolution: Changing Encryption Key via CLI
If you have already done incorrectly and got this error, rollback the change by setting the old password and restarting again authelia service.
To change the encryption key successfully, Authelia provides a command-line interface (CLI) command. Here's a step-by-step guide:
1. Generate a New Encryption Key
Generate a new, secure encryption key. You can use tools like
openssl or online key generators to create a random string with sufficient entropy.
2. Change the Encryption Key via CLI
Adapt the command to your path and generate key
authelia storage encryption change-key --config /etc/authelia/configuration.yml --new-encryption-key <your_newly_generated_encryption_key>
# authelia storage encryption change-key --config /etc/authelia/configuration.yml --new-encryption-key qh2zobpfwj4il0b32q935257o8v30ipza1g3tinhd0prarff5ce5b4k6usxtqsdr
Completed the encryption key change. Please adjust your configuration to use the new key.
This command updates it in the Authelia database, so you also have to change it in the configuration file:
3. Restart Authelia
service authelia restart
To ensure, you can check the logs to confirm the database is accessed correctly:
time="2024-01-04T18:50:57+01:00" level=info msg="Storage schema is being checked for updates"
time="2024-01-04T18:50:57+01:00" level=info msg="Storage schema is already up to date"
Changing the encryption key is a crucial step in maintaining the security of your Authelia deployment. Following the recommended steps, including using the CLI to synchronize the key with the database, ensures a smooth transition without disruptions.
Remember to generate a strong and unique encryption key and to perform this operation during a maintenance window to minimize impact.