HP ThinPro 6.2 - Administrator Guide

Encryption
Active Directory credentials and other secrets can be hashed for functions like screen-unlock and/or
encrypted and stored on the system for single sign-on.
The hash algorithm for creating a password’s hash can be selected from this menu. The default, scrypt, is a
well-accepted key derivation function. Argon2, another key derivation function, is also available, as well as
conventional hashes SHA-256 and SHA-512. The advantage of a key derivation function is that it is
computationally expensive to compute a rainbow table that matches plain-text passwords to precomputed
hash values, whereas conventional hashes are meant to execute as fast as possible. All hashes are stored
with 128 or more bits of random salt which changes each time the password hash is computed and stored.
Encrypted passwords are used in situations where they can be reversed and supplied to connections when
they start (single sign-on). The encryption algorithm can be selected here from a wide variety supported by
OpenSSL. Unless there is a good reason to select a different value, HP recommends using the default
encryption algorithm, which is generally regarded as a modern, secure algorithm by the security community.
The number of salt bits and key bits will vary from one algorithm to another and you can get details by
pressing the info button next to the algorithm selector. Encryption keys are unique per thin client and are
stored in a place that only administrators can read. Furthermore, only certain authorized applications on the
system can do decryption.
Both hashes and encrypted secrets can be set with a time-to-live. If the amount of time between when the
secret was hashed or encrypted and the time when it is used or decrypted exceeds the time-to-live, the
hash-match or decryption will fail.
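The following sketch illustrates the hashing behaviour described above: a fresh 128-bit salt on every hash, a key derivation function instead of a fast hash, and a time-to-live after which the hash-match fails. It is an added example, not HP ThinPro code; the scrypt cost parameters, the record layout and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

SALT_BYTES = 16          # 128 bits, the minimum salt size the guide states
# Assumed scrypt cost parameters; the guide does not list ThinPro's values.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def hash_secret(password, now=None):
    """Return a record holding a fresh salt, the scrypt digest and a timestamp."""
    salt = os.urandom(SALT_BYTES)   # new random salt on every call
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                            r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"salt": salt, "digest": digest,
            "created": time.time() if now is None else now}


def verify_secret(password, record, ttl_seconds, now=None):
    """True only if the record is within its time-to-live and the hash matches."""
    now = time.time() if now is None else now
    if now - record["created"] > ttl_seconds:
        return False                # expired: fail without comparing hashes
    candidate = hashlib.scrypt(password.encode(), salt=record["salt"],
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, record["digest"])


def cost_ratio(password="constructed-sample", rounds=20):
    """Rough wall-clock ratio of one scrypt call to one SHA-256 call."""
    salt = os.urandom(SALT_BYTES)
    t0 = time.perf_counter()
    for _ in range(rounds):
        hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N,
                       r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    t1 = time.perf_counter()
    for _ in range(rounds):
        hashlib.sha256(salt + password.encode()).digest()
    t2 = time.perf_counter()
    return (t1 - t0) / max(t2 - t1, 1e-9)


if __name__ == "__main__":
    rec = hash_secret("constructed-sample", now=1000.0)
    print(verify_secret("constructed-sample", rec, ttl_seconds=3600, now=2000.0))
    print(verify_secret("constructed-sample", rec, ttl_seconds=3600, now=9000.0))
    print(f"scrypt is roughly {cost_ratio():.0f}x slower than SHA-256")
```

Because the salt changes on each call, hashing the same password twice yields two unrelated records, so a precomputed table would have to be rebuilt per record at the key derivation function's cost.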
Options
Local user must log in: If this option is selected when Active Directory authentication is disabled, the login
screen still appears at startup and logout. In this situation, the local user or root credentials must be used to
gain access to the system.
Enable secret peek: If enabled, most password and secret entry fields on the system display a small eyeball
icon on the right side. When that eyeball icon is selected by pressing and holding down the left mouse button,
the secret is displayed in plain text as long as the mouse button is held down. As soon as the button is
released, the secret is again obscured.
Use domain text entry: If enabled, a separate Domain input field is provided for the domain name where
applicable. If disabled, the domain is determined by the value entered in the User field instead. For instance, if
the User field contains “mike@mycorp”, the domain is assumed to be “mycorp”. If the User field is
“graycorp\mary”, the domain is assumed to be “graycorp”.
Allow administrators to override screen lock: If enabled, you can override a locked screen and return it to
the login screen or ThinPro desktop, just as if the user had manually logged out of the thin client.
Customization Center
To open Customization Center:
Select Setup > Customization Center in Control Panel.
The button at the top of the Desktop page can be used to switch between the ThinPro and Smart Zero
congurations. See Choosing an OS conguration on page 2 for more information about the dierences
between the two congurations.