Hello, I’ve been trying to setup a new Vaultwarden v1.31.0 instance via podman quadlets that uses an Argon2 Admin Token. So far though, I always get the startup error: “The configured Argon2 PHC in ADMIN_TOKEN is invalid: ‘invalid Base64 encoding’”.
Tokens and hashes are generated like so:
# Use gpg dry-run to generate random passwords without worrying about profile polution.
# Additionally, it does not add linebreaks to long random strings like openssl does.
gpg --dry-run --gen-random --armor 1 64 > ./secrets/admin_token 2> /dev/null
#--------------------
# Output: g/v0NpDZZT4ijV/F47cen0scu3DpfhJ+uglQ2ZZ/wvXNKeeWisiy3djezygmie3Zdf5O5O+B4CLwEW4mEXQazg==
# argon2 is finicky about newlines, so use this form to ensure proper input.
echo -n $(cat ./secrets/admin_token) | argon2 "$(gpg --dry-run --gen-random --armor 1 32 2> /dev/null)" -e -id -k 65540 -t 3 -p 4 > ./secrets/admin_token_argon2
#-------------------
# Output: $argon2id$v=19$m=65540,t=3,p=4$WGJLcDE4dGdkVC9GNlg1QzRFRzRkQmlCTFZIeHp1TjJRelBMWU5ZOU1STT0$CioUDCaoBz0m76cyrWf7+wFxyi499s1KjpgCYUYhnJo
I have verified that the argon2 hash is valid using an Argon2 Validator.
As this is running on podman quadlets, Docker Compose string interpolation shouldn’t apply. But I gave using the | sed 's#\$#\$\$#g' workaround a try anyways. I thought it worked at first, but Vaultwarden had just reverted to treating it like a plain text string.
Any idea of what’s going on here?
It seems to work for me just fine. I used your argon2 string and the password you generated.
Looks like the podman quadlets are doing something to the string, or they somehow do not respect new env variables maybe. I have no clue actually.
To get a better view of this, i suggest to configure DISABLE_ADMIN_TOKEN=true so no admin token is checked at all, but this will give you the opportunity to see what Vaultwarden sees as the value configured for the ADMIN_TOKEN via the Settings Page under General Settings and then at the bottom Admin token/Argon2 PHC
Use either that, or try to login into the pod/container and run env | grep ADMIN_TOKEN and see what it has there.
But the strings you provided work just fine on my test environment.
I also had no issues with the values you provided.
How do you configure the environment variable? If you use an EnvironmentFile make sure you don’t have a space at the end of the line as it seems to be preserved.
I store the argon2 hash of the admin_token as a podman secret configured to map to the ADMIN_TOKEN environmental variable in the container. This is possible because podman secrets (unlike docker secrets) can be exposed to the container either as a file or as an environmental variable.
So, after being generated using the code in the OP, I run podman secret create admin_token "./secrets/admin_token_argon2" to create the admin_token podman secret containing the argon2 hash.
The vaultwarden quadlet is defined like so:
[Unit]
Description=Vaultwarden Password Manager
Requires=postgres.service
After=postgres.service
After=network-online.target
[Container]
Image=ghcr.io/dani-garcia/vaultwarden:latest
Label="io.containers.autoupdate=registry"
Environment="ROCKET_PORT=8080"
Environment="ORG_EVENTS_ENABLED=true"
Environment="EVENT_DAYS_RETAIN=365"
Secret=admin_token,type=env,target=ADMIN_TOKEN
Secret=vaultwarden_database_url,type=env,target=DATABASE_URL
Mount=type=volume,source=vaultwarden_vol,destination=/data/
Timezone=local
Network=vault.network
IP=10.89.0.3
[Service]
Restart=always
[Install]
WantedBy=default.target
Which exposes the admin_token secret to the container as the ADMIN_TOKEN environmental variable.
So, have you checked and verified what is presented to Vaultwarden?
Just finished that actually. Turns out that argon2 outputs a hash with a newline at the end, which means secrets created from that output also contained a newline. I was able to fix this by piping argon2 output to tr -d '\n' prior to saving it to file.
I’m no longer getting that error when starting up vaultwarden, so I think the issue is fixed.
1 Like