author: supahgreg <supahgreg@users.noreply.github.com> 2025-10-05 19:09:04 +0000
committer: supahgreg <supahgreg@users.noreply.github.com> 2025-10-05 19:09:04 +0000
commit: a00ef6440f98b0ff1052e5cf75b89d8dd3a38330 (patch)
tree: 79d20824e86cafa42075708ab9a76f262f004cb6 /Encryption.md
parent: 4591dcb22290576dbf114fff1c3f3b0ca5ffaf8d (diff)
Add initial content (with issues).
Diffstat (limited to 'Encryption.md')
-rw-r--r-- Encryption.md 15
1 files changed, 15 insertions, 0 deletions
diff --git a/Encryption.md b/Encryption.md
new file mode 100644
index 0000000..7f77138
--- /dev/null
+++ b/Encryption.md
@@ -0,0 +1,15 @@
+# At rest encryption
+
+Transparent at rest encryption is optionally supported for sensitive data stored in the database, currently limited to stored session data and passwords for feeds with authentication enabled.
+
+To enable, [global configuration](GlobalConfig.md) option `TTRSS_ENCRYPTION_KEY` should be set to a 32-byte hex string of random bytes, which may be generated using CLI like this:
+
+```sh
+php ./update.php --gen-encryption-key
+```
+
+If enabled, existing plaintext login sessions are automatically encrypted when used, plaintext feed passwords are encrypted on feed update.
+
+!!! warning
+
+ Automatic encryption of plaintext data is a one-way process. If you decide to disable `TTRSS_ENCRYPTION_KEY` afterwards, all encrypted sessions would become invalid and you will get logged out. Feed passwords would become unreadable until you either enable encryption back using same key or edit feeds manually.
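Review bot: In the `TTRSS_ENCRYPTION_KEY` paragraph, "a 32-byte hex string of random bytes" is ambiguous: it can be read as 32 random bytes written as 64 hex characters, or as a hex string that is itself 32 characters long (16 bytes of key material). State the expected length in hex characters so that an operator who sets the value by hand, rather than with `--gen-encryption-key`, can check it. The warning covers disabling the key but not losing or replacing it; since feed passwords stay unreadable until the "same key" is restored, a sentence telling operators to back the key up alongside the database would close that gap. Minor: "encrypted when used, plaintext feed passwords are encrypted on feed update" is a comma splice, and "enable encryption back using same key" would read better as "re-enable encryption using the same key".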