Where does the salt come from?

stillnet · March 7, 2025, 10:08pm

I’m aware of this password utility for encrypting passwords for use in a datasource: https://github.com/bdw429s/Lucee-password-util/blob/master/models/PasswordManager.cfc

I know that box/cfconfig does something similar.

These tools reference a salt of sdfsdfs. Where does this salt value come from? I don’t see it in the Lucee source code. Is it possible to change it, if I wanted to?

Thanks.

Terry_Whitney · March 8, 2025, 7:08am

Salt is what you provide, ie its the encryption key. You could do something like this to generate a random value –<cfset salt = GenerateSecretKey("AES")>

Zackster · March 8, 2025, 9:01am

There’s a “salt” key in cfconfig.json

github.com

lucee/Lucee/blob/6.2/core/src/main/java/lucee/runtime/config/ConfigWebFactory.java

/**
 * Copyright (c) 2014, the Railo Company Ltd.
 * Copyright (c) 2015, Lucee Association Switzerland
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either 
 * version 2.1 of the License, or (at your option) any later version.
 * 
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 * 
 * You should have received a copy of the GNU Lesser General Public 
 * License along with this library.  If not, see <http://www.gnu.org/licenses/>.
 * 
 */
package lucee.runtime.config;

This file has been truncated. show original

stillnet · March 10, 2025, 2:48pm

Sorry maybe I did not word my question well.

In the code I posted, you can see that the salt used for encrypting and decrypting the datasource passwords is sdfsdfs. Perhaps this is not actually a ‘salt’, since it’s obviously using two-way encryption here so that the password can be decrypted and passed to a database server.

Regardless, we can see that third party tools use sdfsdfs when encrypting and decrypting Lucee datasource passwords. My question is, where does this sdfsdfs value come from? And can I change it?

I assume it was compiled into the Lucee source, but I could not find it when searching the Lucee source on github.

Thanks.

Zackster · March 10, 2025, 3:34pm

Ah, now I follow

github.com

lucee/Lucee/blob/6.2/core/src/main/java/lucee/runtime/config/ConfigWebUtil.java#L111


      
          	 * @return
          	 */
          	public static String encrypt(String str) {
          		if (StringUtil.isEmpty(str)) return "";
          		if (StringUtil.startsWithIgnoreCase(str, "encrypted:")) return str;
          		return "encrypted:" + new BlowfishEasy(getEncKey()).encryptString(str);
          	}
          
          	private static String getEncKey() {
          		if (enckey == null) {
          			enckey = SystemUtil.getSystemPropOrEnvVar("lucee.password.enc.key", "sdfsdfs");
          		}
          		return enckey;
          	}
          
          	/**
          	 * deploys all content in "web-deployment" to a web context, used for new context mostly or update
          	 * existings
          	 * 
          	 * @param cs
          	 * @param cw

so you can customize it using -Dlucee.password.enc.key="xyz" or lucee_password_enc_key=xyz

stillnet · March 10, 2025, 3:39pm

Thanks @Zackster !