Skip to main content
Documentation & User Guides | Fotoware

Finding and/or changing the encryption secret

In the process of securing the server from unauthorized access, FotoWeb also encrypts vital information that is sent to clients. To this end, FotoWeb uses an encryption secret that should be unique and ensures that different sites cannot decrypt each others' data. This key is randomly generated upon installation and is different for each site on your FotoWeb server.

Where can the encryption secret be found?

The encryption secret is set per site.

For the relevant site, from the Tools menu (cogwheel icon), go to Site Configuration > Integrations > Legacy Integrations.

encryption_secret.png

You can find the encryption secret in the Encryption secret section. It can then be copied to the clipboard and stored somewhere for safekeeping.

What are the consequences of changing the encryption secret?

Note: Changing the encryption secret requires you to restart the FotoWeb services.

All existing preview cache links become invalid after changing the encryption secret. While this is normally not an issue, it means that intentional embedding of preview links on external sites will break.

When migrating a site to a new server, it's important to keep the encryption secret to make sure any external asset links are retained when the new server is put in production. Otherwise, the stored URLs with encrypted data will no longer be recognized by FotoWeb.

If an encryption secret has been compromised (leaked to an unauthorized party) or given to a third party that is no longer eligible to use it, a new encryption secret should be generated as soon as possible. Changing the encryption secret of a site usually does not affect user experience in any significant way, except:

  • All cached previews, thumbnails, and quick renditions get new URLs and must be regenerated by FotoWeb. This can temporarily impact the performance of the server.
  • For integrations only: Any third-party application that generates FotoWeb login tokens must be reconfigured to use the new encryption secret. To make this easy for system administrators, we strongly recommend storing the encryption secret in an adequately secured configuration file rather than in application code.
  • For integrations only: Any URLs of previews, thumbnails, and quick renditions stored in external applications become invalid and must be requested again (e.g., using the FotoWeb API). In general, we do not recommend storing such URLs permanently. If an external application does store preview, thumbnail, or quick rendition URLs, then it should also store the necessary information to request updated URLs from FotoWeb (usually an asset URL is sufficient), and the application should be able to regenerate the stored cache links when the encryption secret has changed.