2.1 Version

This version improves sysPass security with the following features:

  • It uses the Defuse/php-encryption library to encrypt data with OpenSSL using AES-256 CTR (CVE-2017-5999)
  • Improved session key security
  • Password for API authorizations
  • Improved public link security
  • Detection of failed login attempts: a delay is applied after several attempts

This upgrade requires re-encrypting all accounts and encrypted data, so the master password and a valid user login (for registering changes) will be needed.

Though it’s a safe process, it’s advisable to make a full sysPass backup.

Important Changes

Because the data encryption changes, the following items need to be regenerated:

  • Public links: the links are now a snapshot of the linked account, so if the account is updated, the link needs to be renewed.
  • API authorizations: as of this version, a password is needed for those authorizations that require encrypted data.
  • Temporary master password: it needs to be regenerated if it’s being used.

Process

To update sysPass, follow these steps:

  1. Download the application from https://github.com/nuxsmin/sysPass/releases and uncompress the files
  2. Set the sysPass directory owner and permissions
  3. Copy the files (“config.xml”, “key.pem” and “pubkey.pem”) from the “config” directory of the current version to the new one
  4. Open the application from a web browser

If the application requires a database upgrade:

  1. Perform a database backup
  2. Enter the upgrade code, which can be found in the “config/config.xml” file within the “upgradeKey” tag
  3. Enter the sysPass master password
  4. Enter a valid user login
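
The file-handling steps above (setting permissions, carrying over the three “config” files, and locating the “upgradeKey” value) can be scripted as in the following added example, which is not part of sysPass or its documentation. The modes 750/640, the optional owner argument, the function names and the assumption that the “upgradeKey” tag sits on a single line are all illustrative assumptions.

```shell
#!/bin/sh
# Added example, not sysPass project code. Modes 750/640, the optional owner
# and the single-line <upgradeKey> layout are assumptions for illustration.

FILES="config.xml key.pem pubkey.pem"

# carry_config OLD_ROOT NEW_ROOT [OWNER]
# Copy the three files from OLD_ROOT/config to NEW_ROOT/config and lock them down.
carry_config() {
    old="$1/config"; new="$2/config"; owner="${3:-}"
    # Check everything first so a partial copy never reaches the new tree.
    for f in $FILES; do
        [ -s "$old/$f" ] || { echo "missing or empty: $old/$f" >&2; return 1; }
    done
    mkdir -p "$new" || return 1
    for f in $FILES; do
        cp -p "$old/$f" "$new/$f" || return 1
        cmp -s "$old/$f" "$new/$f" || { echo "copy mismatch: $f" >&2; return 1; }
        chmod 640 "$new/$f" || return 1   # key.pem must not be world-readable
    done
    chmod 750 "$new" || return 1
    if [ -n "$owner" ]; then
        chown -R "$owner" "$new" || return 1   # e.g. the web server account
    fi
}

# upgrade_key ROOT
# Print the value of the upgradeKey tag from ROOT/config/config.xml.
upgrade_key() {
    sed -n 's:.*<upgradeKey>\(.*\)</upgradeKey>.*:\1:p' "$1/config/config.xml" | head -n 1
}

# Stand-alone use: sh carry.sh /old/syspass /new/syspass [owner]
if [ "$#" -ge 2 ]; then
    carry_config "$@" && upgrade_key "$2"
fi
```

The script stops before touching the new tree if any of the three files is missing or empty, so a release is never started with a partial key pair.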

Note

During the upgrade, the progress of the encryption tasks will be displayed.

Note

After the update, a message will be shown and the update details can be reviewed in the event log.