silenteh
commented
6 years ago Hi @MarkSonghurst thanks for the kind words. The library is indeed not built to be used in a distributed way. It will need some adjustments in order to support a multi-server setup. If that's ok for you to wait a couple of days, I should be able to modify the library so that it accepts an interface which reads and writes information from a central location. (For example: shared file system, a database or anything which will implement the interface).
MarkSonghurst
llonchj
Thanks for a great library.
Some internal behaviour of twofactor has caught me out in my distributed infrastructure. I noticed through a log message that the cryptoengine package used by twofactor writes a bunch of files to disk in a keys subdirectory:
example.com_nonce.key
example.com_salt.key example.com_private.key
example.com_secret.key example.com_public.key
After looking at the code I can see environment variable SEC51_KEYPATH can be used to declare the path for these files. However, I'm using twofactor in a highly scaled daemon, of which I run multiple instances (1 per CPU) on the same host and also run on other separate hosts. Each instance of my daemon needs to successfully encrypt or decrypt the totp struct which is stored centrally in a database.
Please can you confirm which of the cryptoengine files must be identical on all my hosts for totp encryption/decryption to work correctly across my infrastructure? I plan to pre-generate these files and install them to each of my hosts before my daemon is run. However from reading the cryptoengine source code, I think that some of the files are refreshed over time - please could you confirm which files these are (I think the salt, nonce and secret?), and would it matter if these refreshed files were different for every instance of my daemon?
Many thanks.