Royal TS and Royal TSX Encryption and Passwords
Thursday, September 19, 2013 9:59 AM
This blog post is dedicated to clearing up some myths and confusion around password protection and encryption of Royal TS/X documents (.rtsx files).
As many of you already know, Royal TS/X allows you to password protect documents and encrypt sensitive data in those documents. Regardless of your configuration, passwords are never saved unencrypted (in clear text) in your document. If you password protect your document with a strong, complex password, all sensitive data is encrypted based on that password.
Password Protecting Documents
If you plan to store any credentials in one of your documents, we strongly recommend that you password protect it. To do that, select or right-click the document in the Navigation panel and edit the document properties. Go to the Encryption configuration page and specify a strong password. After you’ve done that, you are prompted to enter that password whenever you open the document or open the document properties.
Note: there’s a distinction between documents you create and the Application document! In fact, Royal TS/X can open multiple documents (in addition to the always present Application document) and each document can be encrypted with a different password.
Difference between Application and User Documents
Documents you create in Royal TS/X (user documents) are stored wherever you choose to save them (as .rtsx files). You can create and open multiple documents with different objects, and even use credentials or tasks from one document in another document. This is mostly done to separate connection objects from credential objects in order to easily and securely share connections in a team without the credentials. For more information about securely sharing documents, read this blog post or this help topic.
The Application Document is “special”. It holds default settings and configuration, and can also hold folders, tasks and credentials if you want it to. The application document is always open, cannot be closed and is stored (by default) in the user profile on Windows in %appdata%\code4ward\code4ward.RoyalTS.UserPreferences.config or on OS X in ~/Library/Application Support/Royal TSX/UserPreferences.config.
In general, the Application document is still a document and can also be encrypted.
Password Protecting the Application Document
Since the application document can also be used to store credentials, you can also password protect it using the View –> Options / Preferences dialog. When you password protect the application document, all sensitive data (such as passwords) is encrypted. You are prompted for that password every time you open Royal TS/X (because the application document is loaded at that time) and when you open the Options / Preferences dialog (in case you want to disable encryption or change the password).
What is Encrypted when you Password Protect a Document?
The file structure of Royal TS/X documents (.rtsx files) and the Application document is very simple and flexible. It is basically a simple XML file which contains a huge list of settings (like folders, connections, credentials, etc.). This huge list of settings consists of different values (such as name, description, RDP port, etc.). Some of those values (passwords, passphrases, protected custom fields, gateway password, etc.) are treated differently and are considered sensitive. All sensitive values are stored encrypted in the document. At any time, you can open the .rtsx file in Notepad (or any other text editor) and look at those values. You will see that no password can be found in clear text. Just make sure you have a backup and do not mess up the XML file!
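The text-editor check described above can be automated. The following is an added example, not code from Royal TS/X or its authors: it walks any XML document and reports where a password you already know appears readable, going one step beyond the manual check by also catching values that are only base64-encoded rather than encrypted. The element names in the sample are constructed for illustration and are not the real .rtsx schema.

```python
import base64
import binascii
import xml.etree.ElementTree as ET


def _views(value):
    """Yield the value as stored and, if it is valid base64 text, decoded."""
    yield "plain", value
    try:
        raw = base64.b64decode(value.strip(), validate=True)
        yield "base64", raw.decode("utf-8")
    except (binascii.Error, ValueError):
        pass  # not base64, or binary (e.g. ciphertext): nothing readable


def find_cleartext(xml_text, known_secrets):
    """Return (element path, encoding, secret index) for each exposure.

    Secrets are reported by index so the result can be logged safely.
    """
    hits = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        for value in [elem.text or "", *elem.attrib.values()]:
            for encoding, readable in _views(value):
                for i, secret in enumerate(known_secrets):
                    if secret and secret in readable:
                        hits.append((here, encoding, i))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return hits


# Constructed sample; element names are hypothetical, not the .rtsx schema.
_ENCODED = base64.b64encode(b"Winter2013!").decode()
SAMPLE = f"""<Document>
  <Credential><Name>lab admin</Name>
    <Password>q83Jx0mV5rT1+0aZk2yLhw==</Password></Credential>
  <Connection><Name>web01</Name>
    <Notes>temp login: Winter2013!</Notes>
    <CustomField>{_ENCODED}</CustomField></Connection>
</Document>"""

if __name__ == "__main__":
    for path, encoding, idx in find_cleartext(SAMPLE, ["Winter2013!"]):
        print(f"secret #{idx} readable ({encoding}) at {path}")
```

To check a real document, pass the contents of a backup copy of the file as `xml_text`. A hit in a notes or description field means the secret was typed into a value that is not treated as sensitive.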
Password Prompt: Can I open a document without the password?
The answer to this question is yes and no. It depends on which password you are prompted for.
Scenario 1: User Document Password Prompt
If you want to open a password protected Royal TS/X document (*.rtsx file) and do not remember the password anymore, you cannot open the document. You either enter the password or you cancel the dialog (which will cancel the file open command as well). There’s no way to get into the document without the password!
Scenario 2: Application Document Password Prompt
If you password protect the Application document using the View –> Options / Preferences dialog, you will get a password prompt when you start Royal TS/X. Now, the process for the application document is a bit different: If you cancel the dialog, you get the following:
This prompt is a fail-safe in case you forgot the password. If you answer the question above with Yes, Royal TS/X will open the application document without the password, but it cannot decrypt the sensitive information in the application document (such as passwords). As a result, those passwords are all reset and blank. You still see the credential object but if you open the properties, you will not see any password.
You may wonder why we did it this way and here’s the answer: Without this fail safe, you wouldn’t be able to ever start Royal TS/X again without knowing the password for your application document.
In general, password protected user documents cannot be opened without the password – never ever. All sensitive data in documents are encrypted based on the password you chose and there’s no way for you, the application or anyone else to decrypt all the sensitive information without the password.
The same applies to the application document with the exception that we allow the user to open the document. Since the encryption password is unknown in this scenario, all encrypted (sensitive) information is lost in this process. The user can still start Royal TS, still sees all folders, objects, etc. he created but he has to re-enter all sensitive information.
It is also very important that you are aware of which of your documents are password protected. Protecting the application document using View –> Options –> Encryption / Preferences –> Encryption does not provide any protection to any other document. Protecting a user document only affects the document you chose to protect. When you are using multiple documents and you want to protect all of them, make sure you configure Encryption for each document individually.
I hope this clarifies how Royal TS’ security features work and also helps you configure password protection properly according to your needs.