Finding and/or changing the encryption secret
In the process of securing the server from unauthorized access, FotoWeb also encrypts vital information that is sent to clients. To this end, FotoWeb uses an encryption secret that should be unique and ensures that different sites cannot decrypt each others' data. This key is randomly generated upon installation and is different for each site on your FotoWeb server.
Where can the encryption secret be found?
The encryption secret is set per site.
- Open the Operations Center and go to the FotoWeb tab
- Locate the site you want to change and click on the Site Configuration button to modify it.
- Go to the Settings tab, expand the Behavior node and click on the Authentication node, where the Encryption Secret can be found.
It can then be copied to the clipboard and stored somewhere for safekeeping.
What are the consequences of changing the encryption secret?
NOTE: Changing the encryption secret will require you to restart the FotoWeb services.
All existing preview cache links become invalid after changing the encryption secret. While this is normally not an issue, it means that intentional embedding of preview links on external sites will break.
When migrating a site to a new server, it's important to keep the encryption secret to make sure any external asset links are retained when the new server is put in production. Otherwise, the stored URLs with encrypted data will no longer be recognized by FotoWeb.
If an encryption secret has been compromised (leaked to an unauthorized party) or been given to a third party that is no longer eligible to use it, then a new encryption secret should be generated as soon as possible. Changing the encryption secret of a site usually does not affect user experience in any significant way, except:
- All cached previews, thumbnails, and quick renditions get new URLs and have to be regenerated by FotoWeb. This can temporarily impact the performance of the server.
- For integrations only: Any third-party application which generates FotoWeb login tokens must be reconfigured to use the new encryption secret. To make this easy for system administrators, we strongly recommend storing the encryption secret in an adequately secured configuration file, rather than in application code.
- For integrations only: Any URLs of previews, thumbnails, and quick renditions stored in external applications become invalid and have to be requested again (e.g., using the FotoWeb API). In general, we do not recommend storing such URLs permanently. If an external application does store preview, thumbnail, or quick rendition URLs, then it should also store the necessary information to request updated URLs from FotoWeb (usually an asset URL is sufficient), and the application should be able to regenerate the stored cache links when the encryption secret has changed.