Password Safe

Artur Fischer

1. Why do you need this module in IP-Symcon?

By default, IP-Symcon stores variable contents and instance configuration values in the file settings.json (and therefore also in backups). This leads to typical risks:

  • Plaintext storage: Passwords/tokens can end up in configuration or variables in clear text.
  • Unsafe backups: Backups contain configurations—anyone with access may be able to extract secrets.
  • Visibility: Admins/users with Management Console access can view contents.
  • Distributed systems: Multiple Symcon instances otherwise require manual secret maintenance.

2. How are these issues solved?

SymconSecrets follows a “zero-knowledge” concept:

  • Encryption (AES-128-GCM): Secrets are stored in IP-Symcon only as an encrypted blob (Vault).
  • Key isolation: The decryption key is not stored in Symcon. It is stored as master.key on the OS file system (e.g., in a protected directory).
  • Stateless editor: The editor works without saving intermediate values in instance properties. Data is only shown/edited in RAM and is only persisted after “Encrypt & Save” (encrypted).
  • Additional system secrets moved out: Secrets that would typically be stored in properties (e.g., sync token, webhook password, per-slave basic-auth passwords) are stored encrypted in a separate file system.vault (also AES-GCM).

Result: No passwords/tokens in settings.json, as long as you use the intended “Save … (encrypted)” buttons.

Included Modules

  • CredentialStore, PasswordSafe

Version History

  • Stateless / zero-cleartext enforced: No secrets are stored in module properties anymore (so nothing ends up in plaintext in settings.json or backups). Inputs are handled only in UI/RAM and are only persisted after being encrypted.

  • New encrypted system storage (system.vault):
    Sync token, the slave WebHook password, and per-slave Basic Auth passwords (stored on the master) are saved encrypted in system.vault (in addition to the main encrypted Vault).

  • Master/Slave UI cleaned up:
    Token generate/show is Master-only. Slaves only enter + save encrypted. Visibility logic in GetConfigurationForm() was adjusted accordingly.

  • Per-slave security settings added:
    In the slave list, each slave now has Server label, TLS mode (http/strict/pinned), key provisioning (manual/sync), and optional pinned fingerprint.

  • Per-slave Basic Auth password editor on Master:
    Separate panel with “Server — URL” selection; password is stored encrypted. The dropdown options are built dynamically from SlaveURLs.

  • Key transport is optional + guarded:
    The key can optionally be sent in the sync payload (if configured), but only under safe conditions (e.g., never over plain HTTP).

  • Key rotation prepared:
    UI support for Rotate Encryption Key (visible on Master/Standalone) was added as the basis for the rotation workflow.

To Documentation

Author: Artur Fischer

IP-Symcon >= 6.0

Version: 4.0

In Categories:

Any questions?