Warning
Potential for Data Loss: The steps detailed in the resolution of this article may result in a loss of critical data if not performed properly. Before beginning these steps, make sure all important data is backed up in the event of data loss. If you are unsure or unfamiliar with any complex steps detailed in this article, please contact Product Support for assistance.
Issue
Bog File Encryption Changes in 4.15
Product Line
TAC IA Series
Environment
- I/A Series N4 Enterprise Server
- I/A Series N4 Jace 9000
Cause
In Niagara 4.15, to continue to provide the best security practices, the user password hashes are now included in the encryption by the system passphrase.
Resolution
The system passphrase was introduced in Niagara 4 to provide additional protection for sensitive data in the Niagara system. Prior to Niagara 4.15, this covered all reversible passwords (such as Niagara Network and database connection passwords), but not user passwords, since those are protected by being hashed. If you do not have the system passphrase for a station and need to unlock it through Workbench, both the users and the encrypted data such as passwords will be removed; prior to Niagara 4.15 the users were left untouched because they are hashed.
If you are copying a station from a remote host which you do not have the system passphrase for, you will need to reset the passphrase to successfully copy the station onto a new remote host.
You will be required to enter the passphrase to edit or modify users or encrypted properties such as password fields for email, Niagara Network, etc. Prior to Niagara 4.15 you could edit and modify users without the passphrase; in Niagara 4.15 the passphrase is required to decrypt the users.
| Operation | Niagara 4.14 | Niagara 4.15 |
| --- | --- | --- |
| Modifying users in offline station bog file | Users can be modified without entering the station bog file passphrase | Station bog file passphrase is required to modify users |
| Reset station bog file passphrase | Removes reversible client passwords such as email, Niagara Network, etc. Hashed user passwords are not impacted | Removes both reversible client passwords and hashed user passwords |
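The table above is easier to reason about with a small model of the two storage rules: reversible credentials (email, Niagara Network) are encrypted under the passphrase in both versions, while hashed user records are stored in the clear in 4.14 and wrapped under the passphrase from 4.15 on. The following Python is a constructed illustration added to this article, not Niagara or Schneider Electric code: the cipher (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag), PBKDF2 as the key derivation and password hash, the record layout and all field names are assumptions standing in for whatever the product actually uses. It shows both table rows: in 4.15 a user cannot be verified or modified without the bog file passphrase, and a passphrase reset drops the users as well as the reversible secrets, optionally recreating the single new super user described later in the article.

```python
"""Model of how a station bog file protects secrets before and after Niagara 4.15.

Constructed illustration; the cipher, key derivation, record layout and names
are assumptions, not Niagara's actual file format.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

KDF_ITERS = 100_000  # constructed value, not a Niagara setting


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Turn the system or bog file passphrase into a 32-byte encryption key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ITERS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a stand-in stream cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the blob is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Reject the blob (wrong passphrase or tampering) before decrypting."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way user password hash; the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERS)


@dataclass
class BogFile:
    version: str                                    # "4.14" or "4.15"
    salt: bytes                                     # salt for the passphrase-derived key
    reversible: dict = field(default_factory=dict)  # name -> encrypted client password
    users: dict = field(default_factory=dict)       # username -> stored credential record


def create_station(version: str, passphrase: str, reversible: dict, users: dict) -> BogFile:
    bog = BogFile(version, secrets.token_bytes(16))
    key = derive_key(passphrase, bog.salt)
    # Reversible client passwords are encrypted under the passphrase in both versions.
    bog.reversible = {name: encrypt(key, pw.encode()) for name, pw in reversible.items()}
    for name, pw in users.items():
        user_salt = secrets.token_bytes(16)
        record = user_salt + hash_password(pw, user_salt)
        # 4.14 stores the hash record as-is; 4.15 also wraps it under the passphrase.
        bog.users[name] = record if version == "4.14" else encrypt(key, record)
    return bog


def verify_user(bog: BogFile, username: str, password: str,
                passphrase: Optional[str] = None) -> bool:
    """Check a login. In 4.15 the hash record is unreadable without the passphrase."""
    record = bog.users[username]
    if bog.version == "4.15":
        if passphrase is None:
            raise PermissionError("station bog file passphrase required to read users")
        record = decrypt(derive_key(passphrase, bog.salt), record)
    user_salt, stored = record[:16], record[16:]
    return hmac.compare_digest(stored, hash_password(password, user_salt))


def reset_passphrase(bog: BogFile, new_passphrase: str,
                     new_super_user: Optional[tuple] = None) -> BogFile:
    """Reset without the old passphrase: anything encrypted under it is lost."""
    fresh = BogFile(bog.version, secrets.token_bytes(16))
    if bog.version == "4.14":
        fresh.users = dict(bog.users)  # hashes were stored in the clear, so they survive
    elif new_super_user:
        # 4.15: users are gone with the old key; optionally seed one new super user
        fresh = create_station("4.15", new_passphrase, {}, {new_super_user[0]: new_super_user[1]})
    return fresh
```

The interesting consequence for an operator is the asymmetry the table describes: a 4.14 file that loses its passphrase still authenticates its existing users, while a 4.15 file that loses its passphrase has no usable users left, which is exactly why the reset dialog offers to create one new super user.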
Understanding the System Passphrase in 4.15
Workbench or Supervisor
When Niagara is installed on the engineering or supervisor device for the first time, the user will set the passphrase for that device.
NOTE: When setting system passphrases, make sure that you take note of what they are. These should be shared with the owner of the building/site, as the passphrase is tied to the device.
You can change the system passphrase in the Platform Administration screen. You will be required to enter the current passphrase in order to successfully change it to a new passphrase, highlighting the importance of providing it to the owner of the building/site.
JACEs & Remote Niagara Devices
The passphrase is set during the commissioning process of the remote device.
The remote device's passphrase can also be changed through the Platform Administration view with the same requirements as changing the Supervisor/device's passphrase.
Station Bog File Passphrases
In 4.15, you will have the option to encrypt the new station with either the local system passphrase or a custom passphrase in the New Station Wizard. This passphrase is required to unlock the bog file in the user home when configuring encrypted properties as well as when copying this station onto a remote host.
New Station Wizard:
Note: When selecting the "Use the system passphrase" option, this is the passphrase for the local host (Workbench).
Unlocking the station in the User Home:
Copying the Station to a remote host with a different passphrase:
Understanding how the station passphrase changes when using the Station Copier
When a station is copied from a remote host to your local host, the passphrase encrypting the data will be the system passphrase of the remote host.
Copying a station from your local host to a remote host:
For a station that originated on your local host with a passphrase encrypting its sensitive data: once you enter the current station bog file passphrase and successfully copy the station onto the remote device, the station is protected by the system passphrase of the remote device, and that is the passphrase in effect when you later copy it from the remote device back to your local host.
Copying a station from a remote host to your local host:
When a station is copied from the remote host, it will automatically be encrypted with the system passphrase of that remote host.
What do I do if I do not know the system passphrase of the remote host I copied the station from?
In the user home, you are able to reset the passphrase of the station; however, you will lose the encrypted sensitive data, including system and user passwords. In this workflow, you have the option to remove all users except for one new super user, for which you provide the new username and password in the Bog File Passphrase dialog: