This version includes several security improvements to sysPass, provided by the following features:
- It uses the Defuse/php-encryption library for data encryption, with OpenSSL and AES-256 in CTR mode (CVE-2017-5999)
- Improved security of session keys
- Passwords for API authorizations
- Improved security of public links
- Detection of failed login attempts; a delay is enforced after several attempts
This upgrade requires re-encrypting all accounts and encrypted data, so the master password and a valid user login (to register the changes) will be needed.
Although it is a safe process, it is advisable to make a full sysPass backup.
Because the encryption data changes, the following items need to be regenerated:
- Public links: links are now a snapshot of the linked account, so if the account is updated, the link needs to be renewed.
- API authorizations: as of this version, a password is required for those authorizations that need encrypted data.
- Temporary master password: it needs to be regenerated if it is in use.
To update sysPass, the following steps are needed:
- Download the application from https://github.com/nuxsmin/sysPass/releases and uncompress the files
- Set the sysPass directory owner and permissions
- Copy the files (“config.xml”, “key.pem” and “pubkey.pem”) within the “config” directory from the current version to the new one
- Open the application from a web browser
If the application requires a database upgrade:
- Perform a database backup
- Enter the upgrade code, which can be found in the “config/config.xml” file within the “upgradeKey” tag
- Enter the sysPass master password
- Enter a valid user login
During the upgrade, the progress of the encryption tasks will be displayed.
After the update, a message will be shown, and you can review the update details in the event log.
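The file-level part of the procedure above (backing up the configuration, copying config.xml, key.pem and pubkey.pem into the new release, setting ownership and permissions, and reading the upgradeKey value) as an added shell example; this is not sysPass project code, and the installation paths, web server user and permission modes are assumptions to adjust for your installation.

```shell
#!/bin/sh
# Added example, not part of sysPass. Automates the file-level upgrade steps:
# back up the old config directory, copy config.xml/key.pem/pubkey.pem to the
# new release, fix ownership/permissions, and read the upgradeKey value.
set -eu
OLD_DIR="${OLD_DIR:-/var/www/syspass}"       # current installation (assumed path)
NEW_DIR="${NEW_DIR:-/var/www/syspass-new}"   # uncompressed new release (assumed path)
WEB_USER="${WEB_USER:-www-data}"             # web server account (assumed)

# Archive the old config directory before touching anything.
backup_config() {
    old="$1"; out="$2"
    tar -czf "$out" -C "$old" config
}

# Copy the three files the upgrade notes require into the new config directory.
# Checks all three first, so a half-copied config is never left behind.
copy_config() {
    old="$1"; new="$2"
    for f in config.xml key.pem pubkey.pem; do
        [ -f "$old/config/$f" ] || { echo "missing $old/config/$f" >&2; return 1; }
    done
    mkdir -p "$new/config"
    for f in config.xml key.pem pubkey.pem; do
        cp -p "$old/config/$f" "$new/config/$f"
    done
}

# Owner is the web server user; config holds the private key, so it must not be
# world-readable (the modes are this example's choice, not a sysPass requirement).
set_permissions() {
    dir="$1"; user="$2"
    chown -R "$user:$user" "$dir"
    chmod 750 "$dir/config"
    chmod 640 "$dir/config/config.xml" "$dir/config/key.pem" "$dir/config/pubkey.pem"
}

# Print the <upgradeKey> value that the web upgrade page asks for.
read_upgrade_key() {
    sed -n 's:.*<upgradeKey>\([^<]*\)</upgradeKey>.*:\1:p' "$1/config/config.xml" | head -n 1
}

# Run only when explicitly requested (chown needs root).
if [ "${RUN_UPGRADE:-0}" = 1 ]; then
    backup_config "$OLD_DIR" "/root/syspass-config-$(date +%Y%m%d%H%M%S).tar.gz"
    copy_config "$OLD_DIR" "$NEW_DIR"
    set_permissions "$NEW_DIR" "$WEB_USER"
    echo "upgradeKey: $(read_upgrade_key "$NEW_DIR")"
fi
```

Invoke with `RUN_UPGRADE=1 OLD_DIR=... NEW_DIR=... sh upgrade.sh` as root after uncompressing the release; the printed upgradeKey is what the browser upgrade page asks for.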