Changing the app key (re-encrypting the data in the database) #1095
You cannot "rekey" the database, and I'm not going to write a procedure to do so. It's just too much work for a very small use case. However, not all is lost. You can decrypt the database and encrypt it again, and lose only very little data in the process. First, keep the old encryption key in your php artisan firefly:use-encryption This will decrypt most (but not all) data in your database. You will lose access to the following fields, which I think will be easily salvageable:
All other data should be safe: your transactions, budgets, accounts, etc. To salvage your attachments, run: php artisan firefly:decrypt-attachment The error message will explain the required parameters. This command will decrypt the attachments you wish to restore. If you do this, you end up with a database that is almost usable with your new key. You will have to upload the attachments again, recreate any tags and clear the IBAN field from any entry in the table Let me know if this works. Remember to make backups!
Oh and of course, all the best in 2018 for you as well, Nikolay!
Hi James, Thank you for your detailed response and sorry for not answering sooner. I managed to "rekey" the database using a mixture of bash and PHP scripts. I will post the code I used later. The only drawback is that I couldn't rekey any IBANs, but I had none set anyway. Perhaps they are additionally encrypted for security reasons? Then I instantiated a new installation of Firefly and used the database. At first there were some issues, but a clean install seems to have fixed them. However, as a side note, I am experiencing a tad slower performance (the dashboard for the current month with <30 transactions loads in 3-6 seconds). This is on a Banana Pi ARM board with a dual-core 1GHz CPU and the latest Would you suggest a hint on how I could improve performance? I guess it has deteriorated due to the processor architecture, but perhaps I could do something about it. It's also not due to network latency/bandwidth limitations. I have neither Before I was using Firefly in a docker container on my working machine (a dual-core Intel i5 4-th gen CPU). For the test, I mirrored the installation on an Ubuntu 16.04 64-bit VM and it loads faster. Addition: This is more like the topic of yet another issue, but is there a way to have multiple accounts linked to the same financial data? Let's suppose that I would like to use Firefly to manage the finances of my household. Then my wife and kids should also be able to access it in order to add their expenses or revenues, shouldn't they? The only way to achieve this currently is to use a single account, as far as I am aware. Am I missing something? :-) Thank you in advance!
That's no problem, I'm glad you replied. The IBAN is never decrypted, so it cannot be easily rekeyed. You could decrypt it, store it somewhere and overwrite it when you have the new key. In pseudocode, it would be something like:

```php
foreach($accounts as $account) {
    $iban = $account->iban;
    setNewKey();
    $account->iban = $iban; // at this point the new app_key would be used
    $account->save();
}
```

This also applies to the other fields I've mentioned. There is no double encryption or anything. Firefly III will be slow on your device. I suggest something like memcached but it might not help a lot. Firefly isn't always as optimized as I wish it to be, and the queries can be very large. There are some places where I can still optimize but it's a trade-off between maintainability (of the code base) and optimization. There is no way to share data over accounts, except for sharing a password. There's some background info on this in the list of often requested features.
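
The decrypt-then-re-encrypt idea from the comment above, as an added example that is not Firefly III code and not the scripts posted later in this thread. It assumes values are stored in the Laravel 5.x `Crypt::encrypt()` payload layout; the function names and the sample row are constructed, and every value is decrypted with the old key before anything is encrypted with the new one.

```php
<?php
// Assumed payload (Laravel 5.x): base64(JSON{iv, value, mac}), AES-256-CBC over serialize($plain),
// mac = HMAC-SHA256(iv . value, key). A "base64:" key from .env must be decoded to raw bytes first.
function laravelEncrypt(string $plain, string $key): string
{
    $iv    = random_bytes(16);
    $value = openssl_encrypt(serialize($plain), 'AES-256-CBC', $key, 0, $iv);
    $iv    = base64_encode($iv);
    $mac   = hash_hmac('sha256', $iv . $value, $key);
    return base64_encode(json_encode(compact('iv', 'value', 'mac')));
}

function laravelDecrypt(string $payload, string $key): string
{
    $p = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($p) || !isset($p['iv'], $p['value'], $p['mac'])) {
        throw new RuntimeException('not an encrypted payload');
    }
    if (!hash_equals(hash_hmac('sha256', $p['iv'] . $p['value'], $key), (string) $p['mac'])) {
        throw new RuntimeException('MAC mismatch: wrong key or damaged value');
    }
    $plain = openssl_decrypt($p['value'], 'AES-256-CBC', $key, 0, base64_decode($p['iv']));
    if ($plain === false) {
        throw new RuntimeException('decryption failed');
    }
    return (string) unserialize($plain, ['allowed_classes' => false]);
}

function mapColumns(array $rows, array $columns, callable $fn): array
{
    foreach ($rows as $id => $row) {
        foreach ($columns as $col) {
            if (isset($row[$col])) {            // NULL columns are left alone
                $rows[$id][$col] = $fn($row[$col]);
            }
        }
    }
    return $rows;
}
// Decrypt everything first: an exception here means nothing has been re-encrypted yet.
function rekeyRows(array $rows, array $columns, string $oldKey, string $newKey): array
{
    $plain = mapColumns($rows, $columns, fn ($v) => laravelDecrypt($v, $oldKey));
    return mapColumns($plain, $columns, fn ($v) => laravelEncrypt($v, $newKey));
}
$oldKey = 'SomeRandomStringOf32CharsExactly';   // default key named in the issue
$newKey = random_bytes(32);                      // constructed replacement key
$rows   = [7 => ['id' => 7, 'iban' => laravelEncrypt('NL00EXAMPLE0000000000', $oldKey)]]; // constructed row
var_dump(laravelDecrypt(rekeyRows($rows, ['iban'], $oldKey, $newKey)[7]['iban'], $newKey));
```

Run it against a database backup, and write the returned rows back only after `rekeyRows()` has completed without an exception.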
Dear James, Thank you for your fast and detailed response! Would you like to elaborate on why Firefly III would be slow on my current device when you have the time? Is it because of the CPU architecture or the CPU frequency, or something else? I am trying to understand how to plan any future device upgrades and migrations. However, I will definitely try to set up memcached. :-) Sorry for not going through the FAQ again before asking - I forgot that this was discussed there. I think in my case, sharing the password would be sufficient. :-) Kind regards and all the best!
Hi again, James, I successfully installed memcached
However, I cannot notice any performance improvement. I did not install Thanks in advance!
I'm afraid there's not much to be done. The biggest bottleneck in Firefly III is the queries it executes upon the database. These are quite large, and not every view is very efficient. The code is efficient and clean, but the number of queries that are executed is very large. So I cannot suggest anything, at the moment. Make sure that LOG_LEVEL is at warning (saves on disk IO). Make sure the cache_driver is memcached, and the session_driver is also memcached. For the rest, it is up to me to optimize the views.
Hey, James, Thank you for the advice! I applied the changes regarding the cache and session drivers. How can I reload the application so that it takes them into account? I thought that PHP should "see" the changes on the next requests without doing any reloads or restarts of In the current state, loading the dashboard takes around 6.2 seconds. I guess I can also take a look at the I read somewhere that a careful choice of the storage engine could increase performance - currently my tables use I guess that in all cases,
You're welcome! And thanks for the feedback. Those settings should be applied immediately. SQLite will be worse, MyISAM might help but be careful converting your database just like that.
Dear James, Thank you for the helpful hints! I started with a loading time of the dashboard of around 10 seconds using Google Chrome and across the network. During the loading, I could see that the First, I tried to optimize the MySQL database by running tuning scripts (MySQLTuner and MySQL Tuning Primer). This did not provide much difference in speed. Then, I created a test database with Unfortunately, no joy with this, too. Then, I decided to optimize The most effective means to increase performance was to turn on and configure the So far, I am happy. After testing extensively, I will let you know if there are any shortcomings to this method. Addition: By the way, when does Firefly send e-mails? So far I have received some only on error. Does it also send on certain in-app events, such as for paying bills or related to a budget?
I added the scripts for database re-encryption here: In case you need any help or assistance, please do not hesitate to contact me.
Wow, this is amazing, nice work! I'm surprised OpCache changed so much, I had really expected the database to be the big bottleneck. I'm going to extend the FAQ and link to your scripts! 👍
Oh and to answer your question: it currently only sends a test email, a registration email and errors. More app events may be handled by the Laravel Broadcast code in the future (which could in turn send emails, but it's a slightly different way of working).
Thank you very much for your support, James! Keep up the great work!
Can do!
Hey James,
Happy New Year!
Thank you for creating such a great piece of software!
I am running Firefly III version 4.6.12 and am trying to migrate from version 4.6.9.
Description of my issue:
I recently installed Firefly III version 4.6.12 using composer on my home server. I am trying to migrate from version 4.6.9 installed via Docker Compose.
Unfortunately, during the initial setup of the Docker Compose version, I left the default SomeRandomStringOf32CharsExactly key in the .env file.
I would like to migrate the database to the new version with an appropriate key. However, most of the data therein is encrypted as mentioned here.
Is there any script to re-encrypt the data in the database with the new key? Something like this works, but I don't have any experience with PHP to interface it with all encrypted fields in the database. Maybe you have developed such a tool for testing purposes?
My database is not too big (a couple hundred records in the biggest tables) as I have been using the test installation for the past two months.
CSV import/export seems to be somewhat incomplete as a straight export cannot be directly imported afterwards. All fields need manual matching, but some of them do not have a matching type in the drop-down menu.
Thanks in advance!