plain text admin_token is considered insecure #5

Closed
opened 2025-03-28 19:38:24 +00:00 by fauno · 5 comments
Owner

https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token

```
d2025-03-28T19:36:16.999666703Z [NOTICE] You are using a plain text `ADMIN_TOKEN` which is insecure.
s2025-03-28T19:36:16.999863094Z Please generate a secure Argon2 PHC string by using `vaultwarden hash` or `argon2`.
2025-03-28T19:36:17.000027003Z See: https://github.com/dani-garcia/vaultwarden/wiki/Enabling-admin-page#secure-the-admin_token
```
Owner

I didn't have time to check but I assume the migration step is to:

  1. Export your password in plain text
  2. Hash it with the `hash` command (?)
  3. Re-insert it?

We could add this as documentation in the `README.md`.

Author
Owner

you can also do it from the admin web ui, that's what i did finally. the secret should be hashed anyway, so the issue is with autogenerated secrets (unless abra can be told to hash secrets! a wild feature request appears!)

Owner

[The logic](https://docs.coopcloud.tech/maintainers/handbook/#how-do-i-change-secret-generation-characters) is there but I'm not sure adding the dependency just for this specific use case is really worth it? Are there other apps that require it? If you feel like we should go for it, feel free to open an issue for `abra`.

I guess just docs in the `README.md` to close this one then here.

Owner

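@fauno the readme already points out this as a step: https://git.coopcloud.tech/coop-cloud/vaultwarden/src/commit/01b64fce3dd32ac6b1af001d2bea924af86b4a55/README.md?display=source#L24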

5. `abra app cmd -l YOURAPPDOMAIN insert_vaultwarden_admin_token` will insert a hashed `admin_token` as password as recommended by vaultwarden. Will echo the admin_token to your cli.

maybe we can close the issue for now until abra supports doing that using `app secret generate`?

Author
Owner

i'm never sure in which context abra.sh commands run :P

fauno closed this issue 2026-03-10 14:40:55 +00:00
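
An added example, not part of the thread and not code from Vaultwarden or abra: a check a deployment script could run on the configured value to tell a plain-text `ADMIN_TOKEN` from an Argon2 PHC string, which is the distinction the notice quoted in the first post is about. The function name, the sample tokens and all cost and length floors are assumptions of this example.

```python
import base64
import binascii
import re

# Argon2 PHC layout: $argon2id$v=19$m=<KiB>,t=<passes>,p=<lanes>$<salt>$<hash>
PHC_RE = re.compile(
    r"^\$(argon2id|argon2i|argon2d)(?:\$v=(\d+))?"
    r"\$m=(\d+),t=(\d+),p=(\d+)\$([A-Za-z0-9+/]+)\$([A-Za-z0-9+/]+)$"
)

def _decoded_len(field):
    """Length in bytes of an unpadded base64 PHC field, or None if invalid."""
    try:
        return len(base64.b64decode(field + "=" * (-len(field) % 4), validate=True))
    except binascii.Error:
        return None

def classify_admin_token(token, min_mem_kib=19456, min_passes=2):
    """Return (status, reason); status is plaintext, malformed, weak or ok.

    All floors (memory, passes, salt and hash length) are this example's
    assumptions, not values taken from Vaultwarden.
    """
    if not token.startswith("$argon2"):
        return ("plaintext", "not an Argon2 PHC string")
    m = PHC_RE.match(token)
    if m is None:
        return ("malformed", "does not parse as $variant$v$m,t,p$salt$hash")
    variant, _version, mem, passes, _lanes, salt, digest = m.groups()
    salt_len, digest_len = _decoded_len(salt), _decoded_len(digest)
    if salt_len is None or digest_len is None:
        return ("malformed", "salt or hash is not valid base64")
    if variant != "argon2id":
        return ("weak", f"variant is {variant}, expected argon2id")
    if int(mem) < min_mem_kib or int(passes) < min_passes:
        return ("weak", f"m={mem} KiB, t={passes} is below the configured floor")
    if salt_len < 16 or digest_len < 32:
        return ("weak", f"salt {salt_len} bytes, hash {digest_len} bytes")
    return ("ok", f"argon2id m={mem} t={passes}")

def _field(n):  # constructed filler bytes, not a real salt or hash
    return base64.b64encode(bytes(range(n))).decode().rstrip("=")

SAMPLES = {  # constructed sample values
    "plain": "correct-horse-battery-staple",
    "hashed": f"$argon2id$v=19$m=65540,t=3,p=4${_field(32)}${_field(32)}",
    "low_cost": f"$argon2id$v=19$m=4096,t=1,p=1${_field(16)}${_field(32)}",
    "truncated": "$argon2id$v=19$m=65540,t=3,p=4$" + _field(32),
}
```

A `malformed` result is worth treating as a failure in its own right: a string that begins with `$argon2` but lost a field, for example to shell or env-file `$` expansion, is neither a usable hash nor the password the operator expects.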