Security
- Secure-by-default secrets for fresh installs — the Manager used to fall back to hardcoded
JWT_SECRETandENCRYPTION_KEYvalues when the operator didn't set them in environment. Those defaults were public knowledge (the repo is open source), meaning anyone could forge a valid login token or decrypt stored MikroTik device passwords from a leaked database file. On a fresh install the Manager now auto-generates strong random values for both and persists them todata/.secrets.json(file mode0600). A startup warning asks you to back up this file — losing it invalidates all sessions and makes encrypted device passwords unrecoverable.
Upgrading from 1.16.3
No action needed. Existing deployments that relied on the hardcoded defaults keep working: the Manager detects an existing data/mikr.db, preserves the legacy defaults to data/.secrets.json, and logs a loud ACTION REQUIRED warning each start until you rotate. To rotate:
- Generate new values:
openssl rand -hex 48 # JWT_SECRET openssl rand -hex 32 # ENCRYPTION_KEY
- Set both as environment variables (in
docker-compose.ymlenvironment:or.env) or editdata/.secrets.json. - Re-enter device passwords in the UI so they're re-encrypted under the new key.
- Restart the container.
If you already had JWT_SECRET and ENCRYPTION_KEY set in environment, you are unaffected — env always wins.