AdministrationConfiguration Files

Security Configuration

Configure security-related settings for your Gigantics instance, including session keys and encryption.

Configuration Properties

The security configuration properties in your config/default.yaml file control session management and data encryption:

secretSessionKey: session secret
encryptionKey: my-secret-key

Property Details

secretSessionKey

  • Type: String
  • Default: 'session secret'
  • Description: Secret key used for signing session cookies. Should be a random, unique string in production.

encryptionKey

  • Type: String
  • Default: 'my-secret-key' (development) or randomly generated (production)
  • Description: Key used for encrypting sensitive data in the application.

Examples

Development Configuration

secretSessionKey: session secret
encryptionKey: my-secret-key

Production Configuration

secretSessionKey: 'a-very-long-random-secret-key-for-sessions'
encryptionKey: 'another-very-long-random-secret-key-for-encryption'

Generating Secure Keys

For production environments, you should generate secure random keys:

Using OpenSSL

# Generate a 32-character random string
openssl rand -base64 32

# Generate a 64-character random string
openssl rand -hex 32

Using Node.js

# Generate a random string using Node.js
node -e "console.log(require('crypto').randomBytes(32).toString('hex'));"

Best Practices

  1. Unique Keys: Use different keys for secretSessionKey and encryptionKey
  2. Key Length: Use at least 32 characters for each key
  3. Randomness: Generate keys using cryptographically secure random generators
  4. Storage: Store keys securely and never commit them to version control
  5. Environment: Use different keys for development, staging, and production environments
  6. Rotation: Regularly rotate encryption keys in production environments

Environment-Specific Configuration

The application automatically uses different default keys based on the environment:

  • Development: Uses fixed default keys for convenience
  • Production: Generates random keys for security
  • Test: Uses test-specific keys

You can check your environment with:

echo $NODE_ENV

Testing Configuration Changes

After modifying security configuration:

  1. Restart the application:

    ./gig stop
./gig start

  2. Users may be logged out and need to re-authenticate

  3. Test that sessions work properly

  4. Verify that encrypted data can still be decrypted

Note that changing encryption keys may make previously encrypted data unreadable, so be careful when rotating keys in production.

Overview

Previous Page

Server Configuration

Next Page

On this page

Security ConfigurationConfiguration PropertiesProperty DetailssecretSessionKeyencryptionKeyExamplesDevelopment ConfigurationProduction ConfigurationGenerating Secure KeysUsing OpenSSLUsing Node.jsBest PracticesEnvironment-Specific ConfigurationTesting Configuration Changes