
Argon2 Password Storage Scheme

Note: this component has a complexity level of "expert", which means that objects of this type are not expected to be created or altered. Please contact support for assistance if you believe that you have a need to create or modify this type of object.

The Argon2 Password Storage Scheme provides a mechanism for encoding passwords using the memory-hard Argon2 password hash and proof-of-work function, as described in draft-irtf-cfrg-argon2.

This password storage scheme implementation requires the Bouncy Castle JCE provider, which is not included with the Data Governance Server, in order to simplify United States export control restrictions imposed on the distribution of cryptographic functionality. If you wish to use this feature, you must first obtain the necessary library from the Bouncy Castle website (https://bouncycastle.org/). This implementation has been compiled and tested with version 1.65 of the library, available in file https://www.bouncycastle.org/download/bcprov-jdk15on-164.jar. This file should be placed in the "lib" directory beneath the server install root. The server will need to be restarted for this library to be available for use.

Parent Component
Properties
dsconfig Usage

Parent Component

The Argon2 Password Storage Scheme component inherits from the Password Storage Scheme.

Properties

The properties supported by this managed object are as follows:

Basic Properties:
  description
  enabled
  iteration-count
  parallelism-factor
  memory-usage-kb
  salt-length-bytes
  derived-key-length-bytes

Advanced Properties:
  None

Basic Properties

description

Description
A description for this Password Storage Scheme
Default Value
None
Allowed Values
A string
Multi-Valued
No
Required
No
Admin Action Required
None. Modification requires no further action

enabled

Description
Indicates whether the Argon2 Password Storage Scheme is enabled for use.
Default Value
None
Allowed Values
true
false
Multi-Valued
No
Required
Yes
Admin Action Required
This password storage scheme implementation requires the Bouncy Castle JCE provider, which is not included with the Data Governance Server, in order to simplify United States export control restrictions imposed on the distribution of cryptographic functionality. If you wish to use this feature, you must first obtain the necessary library from the Bouncy Castle website (https://bouncycastle.org/). This implementation has been compiled and tested with version 1.65 of the library, which can be obtained from the Bouncy Castle website using the link https://www.bouncycastle.org/download/bcprov-jdk15on-165.jar. This file should be placed in the "lib" directory beneath the server install root. The server will need to be restarted for this library to be available for use.

iteration-count

Description
The number of rounds of cryptographic processing required in the course of encoding each password. Increasing this value makes the algorithm more computationally intensive, and thereby increases the cost of password-guessing attacks. However, it also limits the rate at which the server can encode passwords, which can adversely affect the performance of operations that require password encoding, as well as import performance for LDIF files that contain clear-text passwords.
The value must be greater than or equal to 1 and less than or equal to 8,388,607.
Default Value
None
Allowed Values
An integer value. Lower limit is 1. Upper limit is 8388607.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

parallelism-factor

Description
The number of concurrent threads that will be used in the course of encoding each password. Increasing this value reduces the number of password encoding operations that may be processed concurrently, and thereby increases the cost of password-guessing attacks. However, it can also limit the rate at which the server can encode passwords, which can adversely affect the performance of operations that require password encoding, as well as import performance for LDIF files that contain clear-text passwords.
The value must be greater than or equal to 1 and less than or equal to 255.
Default Value
None
Allowed Values
An integer value. Lower limit is 1. Upper limit is 255.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

memory-usage-kb

Description
The number of kilobytes of memory that must be used in the course of encoding each password. Increasing this value limits the number of password encoding operations that may be processed concurrently. If too many password encoding attempts are in progress, the aggregate memory consumption may exceed the amount of memory available for the server to use.
The value must be greater than or equal to 8 and less than or equal to 8,388,607.
Default Value
None
Allowed Values
An integer value. Lower limit is 8. Upper limit is 8388607.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

salt-length-bytes

Description
The number of bytes to use for the generated salt. The salt introduces random data into the password encoding process. This means that repeated attempts to encode the same password will yield different outputs. A sufficiently large salt prevents pre-computed dictionary attacks by ensuring that the number of possible encoded representations of any single password is too large to feasibly generate.
The value must be greater than or equal to 8 and less than or equal to 255.
Default Value
None
Allowed Values
An integer value. Lower limit is 8. Upper limit is 255.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action

derived-key-length-bytes

Description
The number of bytes to use for the derived key. The value must be greater than or equal to 8 and less than or equal to 512.
Default Value
None
Allowed Values
An integer value. Lower limit is 8. Upper limit is 512.
Multi-Valued
No
Required
Yes
Admin Action Required
None. Modification requires no further action
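The five required Argon2 properties above interact: parallelism-factor and memory-usage-kb together bound how many encodings the server can run at once, and the memory-usage-kb description warns that too many concurrent encodings can exhaust the memory available to the server. The following script is an added example, not part of this reference or of the product, that checks a candidate configuration against the limits documented above, applies the Argon2 requirement from RFC 9106 that memory be at least 8 KB per lane (memory-usage-kb >= 8 * parallelism-factor), estimates aggregate memory for a given number of concurrent encodings, and renders the matching dsconfig create command. The sample values in CANDIDATE are constructed for illustration; the product defines no defaults for these properties, and the 2048 MB memory budget and the scheme name are assumptions.

```python
"""Sanity-check a proposed Argon2 Password Storage Scheme configuration.

Added example; not part of the product documentation or code base.
"""

# Inclusive (lower, upper) limits, copied from the property reference above.
LIMITS = {
    "iteration-count": (1, 8_388_607),
    "parallelism-factor": (1, 255),
    "memory-usage-kb": (8, 8_388_607),
    "salt-length-bytes": (8, 255),
    "derived-key-length-bytes": (8, 512),
}


def validate(config):
    """Return a list of problems; an empty list means the config is acceptable."""
    problems = []
    for name, (lo, hi) in LIMITS.items():
        if name not in config:
            problems.append(f"{name} is required")
            continue
        value = config[name]
        if not isinstance(value, int) or not lo <= value <= hi:
            problems.append(f"{name}={value!r} is outside {lo}..{hi}")
    if not problems:
        # RFC 9106: Argon2 memory size must be at least 8 KiB per lane,
        # so memory-usage-kb cannot be smaller than 8 * parallelism-factor.
        m, p = config["memory-usage-kb"], config["parallelism-factor"]
        if m < 8 * p:
            problems.append(
                f"memory-usage-kb={m} is below 8*parallelism-factor={8 * p}")
    return problems


def aggregate_memory_mb(config, concurrent_encodings):
    """Memory in MB if this many encodings run at once.

    Every Argon2 evaluation holds its full memory-usage-kb block for the whole
    computation, so aggregate use scales linearly with concurrency.
    """
    return config["memory-usage-kb"] * concurrent_encodings / 1024


def max_concurrent_encodings(config, budget_mb):
    """How many encodings fit inside a memory budget (assumed, in MB)."""
    return int(budget_mb * 1024 // config["memory-usage-kb"])


def dsconfig_create_command(scheme_name, config):
    """Render the create command shown in the dsconfig Usage section."""
    parts = [
        "dsconfig create-password-storage-scheme",
        f"--scheme-name {scheme_name}",
        "--type argon2",
        "--set enabled:true",
    ]
    parts += [f"--set {name}:{config[name]}" for name in LIMITS]
    return " \\\n     ".join(parts)


# Constructed sample profile: 3 passes, 4 lanes, 64 MB per encoding,
# 16-byte salt, 32-byte derived key. Not a product default.
CANDIDATE = {
    "iteration-count": 3,
    "parallelism-factor": 4,
    "memory-usage-kb": 65536,
    "salt-length-bytes": 16,
    "derived-key-length-bytes": 32,
}

if __name__ == "__main__":
    issues = validate(CANDIDATE)
    print("problems:", issues or "none")
    # Assumed budget of 2048 MB set aside for password encoding.
    print("encodings that fit in 2048 MB:",
          max_concurrent_encodings(CANDIDATE, 2048))
    print("memory for 100 concurrent encodings (MB):",
          aggregate_memory_mb(CANDIDATE, 100))
    print(dsconfig_create_command("Argon2", CANDIDATE))
```

Run it as a script to see the checks and the rendered command; raise memory-usage-kb or the concurrency figure to see how quickly aggregate memory outgrows a fixed budget, which is the trade-off the memory-usage-kb description describes. The rate limit that iteration-count imposes is not modelled here, since it depends on the hardware the server runs on.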


dsconfig Usage

To list the configured Password Storage Schemes:

dsconfig list-password-storage-schemes
     [--property {propertyName}] ...

To view the configuration for an existing Password Storage Scheme:

dsconfig get-password-storage-scheme-prop
     --scheme-name {name}
     [--tab-delimited]
     [--script-friendly]
     [--property {propertyName}] ...

To update the configuration for an existing Password Storage Scheme:

dsconfig set-password-storage-scheme-prop
     --scheme-name {name}
     (--set|--add|--remove) {propertyName}:{propertyValue}
     [(--set|--add|--remove) {propertyName}:{propertyValue}] ...

To create a new Argon2 Password Storage Scheme:

dsconfig create-password-storage-scheme
     --scheme-name {name}
     --type argon2
     --set enabled:{propertyValue}
     --set iteration-count:{propertyValue}
     --set parallelism-factor:{propertyValue}
     --set memory-usage-kb:{propertyValue}
     --set salt-length-bytes:{propertyValue}
     --set derived-key-length-bytes:{propertyValue}
     [--set {propertyName}:{propertyValue}] ...

To delete an existing Password Storage Scheme:

dsconfig delete-password-storage-scheme
     --scheme-name {name}