System and file passphrases

All Niagara 4 platforms have a system passphrase (password), used to encrypt sensitive information, such as client passwords stored in BOG files and station databases (config.bog files) or station backup distribution (.dist) files. This passphrase increases security for the files that contain critical information. In various operations, you are prompted to enter the passphrase, such as when copying stations or restoring station backups in remote platforms.

This system passphrase applies to the JACE-8000 and JACE-9000 controllers.

The following areas of the framework are affected by passphrase implementation:

  • Provisioning

  • Distribution File Installer to restore a backup .dist file. If you do not know the passphrase for a .dist file you cannot install it.

  • File Transfer Client

  • Station Copier to transfer a local file.

  • Back up

  • Commissioning

  • Export Tags

The sensitive information in files is protected with encryption, either by encrypting the information within the file or by encrypting the whole file. How encryption is applied depends on the expected portability of the file. Files located under the daemon User Home (files that belong to the system) are encrypted using a strong, randomly generated key that exists only on that system. Files located under the Niagara User Home (that is, portable files that can be sent to many systems), by contrast, are encrypted using a key derived from the user-defined system passphrase entered during software installation or when the system passphrase is changed.

Because different types of encryption are used for system and portable locations, when transferring files between the daemon User Home and another User Home you must use the Workbench platform tools (Station Copier, File Transfer Client or Backup), which convert files to use the correct encryption key for the target location.

CAUTION: Do not use Windows Explorer to copy files between the daemon User Home and other User Homes because without the proper encryption those files may not be readable.

If the file passphrase and system passphrase are the same, a station copy proceeds without prompting for a passphrase.

If the file passphrase is not the same as the target host system passphrase then you are prompted to enter the file passphrase, as shown.
Figure 1. Station Transfer Wizard prompt for bog file passphrase


  • For system-to-portable transfers

    You can get portable copies of files located under the daemon User Home by any of these methods:

    • Make a backup from the Platform Administration view

    • Make a backup from a running station

    • Use either Station Copier or File Transfer Client from the Platform Administration view

    The resulting local, portable copies and backup files are protected with a file passphrase.

  • For portable-to-system transfers

    Conversely, when you use the Distribution File Installer to restore a backup .dist file, or Station Copier to transfer a station from your Workbench directory to a controller, the file’s passphrase is validated and used to translate the data back into the proper system encryption format for use under the daemon User Home.
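
The two key domains and the re-encryption step described above, shown as an added illustration that is not Niagara code. The page does not state which key-derivation function or cipher Niagara uses, so PBKDF2 and the HMAC-based cipher below are stand-ins, and all function names and sample values are constructed for this example.

```python
import hashlib, hmac, os

def derive_key(passphrase: str, salt: bytes) -> bytes:
    # Portable key: any host that knows the passphrase can re-derive it (KDF is an assumption).
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    # Stand-in encrypt-then-MAC built from the stdlib; a real system would use a vetted AEAD.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError("wrong key or passphrase")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def to_portable(system_key: bytes, system_blob: bytes, file_passphrase: str) -> bytes:
    # System-to-portable: decrypt with the host-only key, re-encrypt under the passphrase.
    salt = os.urandom(16)
    return salt + seal(derive_key(file_passphrase, salt), unseal(system_key, system_blob))

def to_system(target_key: bytes, portable_blob: bytes, file_passphrase: str) -> bytes:
    # Portable-to-system: validate the passphrase, then re-encrypt under the target's key.
    salt, body = portable_blob[:16], portable_blob[16:]
    return seal(target_key, unseal(derive_key(file_passphrase, salt), body))

def fails(fn, *args) -> bool:
    try:
        fn(*args)
    except ValueError:
        return True
    return False

def demo() -> dict:
    key_a, key_b = os.urandom(32), os.urandom(32)  # constructed host-only keys for two systems
    on_a = seal(key_a, b"client-password")         # constructed secret stored on system A
    portable = to_portable(key_a, on_a, "file passphrase")
    return {
        "raw_copy_unreadable": fails(unseal, key_b, on_a),  # plain file copy from A to B
        "restored": unseal(key_b, to_system(key_b, portable, "file passphrase")),
        "wrong_passphrase_rejected": fails(to_system, key_b, portable, "other passphrase")}
```

The raw copy fails on the second system because its key never left the first one, which is the situation the Windows Explorer caution describes; only the passphrase-protected copy can be converted for the target.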

CAUTION: It is important to remember the system passphrase and keep it safe. If you lose the system passphrase, you will lose access to encrypted data.