Slackbot.ini Encryption
Metric Insights Slackbot must be open to the web in order to process requests submitted by users via the Slack app.
1. Security Provisions
Sensitive Data fetched by Metric Insights Slackbot is protected against:
- Unauthorized User access
  - For details, refer to Metric Insights Slack App Security
- Malicious third-party breaches (mitigated through encryption as described in this article)
2. Implementation of Encryption Strategy
ENCRYPTION METHOD
- In order to protect data accessed by the Metric Insights Slackbot service, its configuration file (slackbot.ini) is encrypted with AES-128.
- Slackbot.ini is encrypted using pyca/cryptography which implements Fernet encryption. A message that is encrypted using this method cannot be manipulated or read without a key.
- To generate the key, we employ PBKDF2 (Password Based Key Derivation Function 2).
ENCRYPTED VALUES
- A "Secret Key" is used to encrypt access credentials (app_id and app_key) allowing the Slackbot service to connect to the Metric Insights application for any required information.
3. The process of encrypting Slackbot.ini
PREREQUISITES
- The Slackbot configuration file is encrypted after Metric Insights Slackbot has been installed and launched on a server
- A configuration file with default values is automatically created at /opt/mi/iv/engine/config/slackbot.ini
STEP 1. The first time Slackbot is launched, the service will look for the bot_instance variable
- If the variable is undefined, app_id and app_key credentials will be identified as unencrypted
- The bot_instance variable is then assigned a hash value (GUID)
STEP 2. app_id and app_key fields are encrypted with a "Secret Key" consisting of:
- bot_instance hash value (generated every time the Slack App is installed)
- commit hash value (stored inside the Slack App docker container)
bot_instance hash value is unique for each Metric Insights Slackbot installation as well as for each instance of the docker container.
commit hash value is different for each release version of Slackbot.
When the !config command is used to change the app_id (Metric Insights External Application ID) and app_key (Metric Insights External Application Key), the slackbot.ini file is updated and the access credentials are encrypted automatically.
- To learn more about using !config and other commands with the Slack App associated with the Slackbot service, please reference Managing Slack App settings.
4. How the Secret Key is generated
The hash function generating the "Secret Key" uses the following Input Parameters:
- Algorithm: an instance of HashAlgorithm
- Length (int): desired length of the derived key in bytes
  - Maximum is (2^32 - 1) * algorithm.digest_size
- Salt (bytes): a salt
  - Secure values are 128-bits (16 bytes) or longer
- Iterations (int): the number of iterations to perform the hash function
  - This parameter can be used to control the length of time an operation takes
Parameter Values transferred into the function are as follows:
- algo = SHA256
- length = 32
- salt = commit hash (from the docker container)
- iterations = 100000
PBKDF2 applies a hash function ("SHA256") to the input password (the bot_instance GUID) with a salt value (the commit hash) and repeats the process many times (in our case 100,000) to produce a derived key.
The "Secret Key" is then used to encrypt the app_id and app_key access credentials in slackbot.ini as described in Section 3 of this Article.
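The derivation and field encryption described in Sections 3 and 4, as an added example written with pyca/cryptography; it is not Metric Insights' own code. The function names, the UTF-8 encoding of the bot_instance and commit hash strings, and all sample values are assumptions made for illustration.

```python
import base64

from cryptography.fernet import Fernet, InvalidToken
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC

# Constructed sample values, not taken from any real installation.
BOT_INSTANCE = "3f2b8c1e-5d47-4a9b-8e21-7c6f0a1d9b34"
OTHER_INSTANCE = "9a7d1c02-66b3-4f0e-b1aa-2e5c4d8f7301"
COMMIT_HASH = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_CREDS = {"app_id": "example-app-id", "app_key": "example-app-key"}


def derive_secret_key(bot_instance: str, commit_hash: str) -> bytes:
    """PBKDF2-HMAC-SHA256 with the parameter values listed in Section 4."""
    kdf = PBKDF2HMAC(
        algorithm=hashes.SHA256(),
        length=32,                   # Fernet requires exactly 32 key bytes
        salt=commit_hash.encode(),   # assumption: UTF-8 bytes of the hash string
        iterations=100_000,
    )
    # Fernet expects its key as url-safe base64.
    return base64.urlsafe_b64encode(kdf.derive(bot_instance.encode()))


def encrypt_credentials(creds: dict, key: bytes) -> dict:
    """Encrypt each credential field separately, as done for app_id and app_key."""
    f = Fernet(key)
    return {name: f.encrypt(value.encode()).decode() for name, value in creds.items()}


def decrypt_credentials(tokens: dict, key: bytes) -> dict:
    """Raises InvalidToken when the key is wrong or a token was modified."""
    f = Fernet(key)
    return {name: f.decrypt(tok.encode()).decode() for name, tok in tokens.items()}


def can_decrypt(tokens: dict, key: bytes) -> bool:
    try:
        decrypt_credentials(tokens, key)
        return True
    except InvalidToken:
        return False


if __name__ == "__main__":
    key = derive_secret_key(BOT_INSTANCE, COMMIT_HASH)
    tokens = encrypt_credentials(SAMPLE_CREDS, key)
    print("round trip ok:", decrypt_credentials(tokens, key) == SAMPLE_CREDS)
    other = derive_secret_key(OTHER_INSTANCE, COMMIT_HASH)
    print("different bot_instance decrypts:", can_decrypt(tokens, other))
```

Because Fernet authenticates every token, a key derived from a different bot_instance or commit hash is rejected with InvalidToken rather than producing garbage plaintext, and so is a token that was edited in the file.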