Install tool
The Install Tool allows you to configure the TYPO3 system on a very low level, which means, not only the basic settings but also the most essential settings can be changed.
Enabling and accessing the Install Tool
Introduction
A TYPO3 backend account is not required in order to access the Install Tool, so it is clear that the Install Tool requires some special attention (and protection).
TYPO3 comes with a two-step mechanism out-of-the-box to protect the Install Tool against unauthorized access:
- The
ENABLE_
file must exist in order for the Install Tool to be accessible.INSTALL_ TOOL - An Install Tool password is required. This password is independent of all backend user passwords.
The Install Tool can be found as a stand-alone application via https://
.
It is also accessible in the backend,
but only for logged-in users with administrator and maintainer privileges.
The ENABLE_INSTALL_TOOL
file
The ENABLE_INSTALL_TOOL flag file can be created by placing an empty file in one of the following file paths:
Changed in version 12.2
var/
transient/ ENABLE_ INSTALL_ TOOL config/
ENABLE_ INSTALL_ TOOL
typo3temp/
var/ transient/ ENABLE_ INSTALL_ TOOL typo3conf/
ENABLE_ INSTALL_ TOOL
You usually need write access to this directory on the server level (for example, via SSH, SFTP, etc.) or you can create this file as a backend user with administrator privileges.
Tip
Add the ENABLE_
file to your project's .gitignore
file to avoid accidentally committing and deploying it to production
environments.
Caution
This file should be removed or renamed after use to secure the Install Tool and prevent unauthorized access.
TYPO3 automatically
deletes the ENABLE_
file when you log out of the Install
Tool or if the file is older than 60 minutes (expiry time).
The file can be prevented from being deleted if it contains "KEEP_FILE" as content. In this case it will not be deleted automatically! Only use this feature during local development, for example in DDEV!
The Install Tool password
The password for accessing the Install Tool is stored using the
configured password hash mechanism set for the backend
in the global configuration file config/
:
<?php
return [
'BE' => [
'installToolPassword' => '$P$CnawBtpk.D22VwoB2RsN0jCocLuQFp.',
// ...
],
];
The Install Tool password is set during the installation process. This means, in the case that a system administrator hands over the TYPO3 instance to you, it should also provide you with the appropriate password.
The first thing you should do, after taking over a new TYPO3 system from a system administrator, is to change the password to a new and secure one. Log-in to the Install Tool and change it there.
Accessing the Install Tool in the backend
The System Maintainer role allows for selected backend users to access the Admin Tools components from within the backend without further security measures.
The number of system maintainers should be as low as possible to mitigate the risks of corrupted accounts.
Users can be assigned the role in the Settings section of
Install Tool -> Manage System Maintainers.
It is also possible to manually modify the list by adding or removing the
user's UID (be_
) in config/
:
<?php
return [
// ...
'SYS' => [
'systemMaintainers' => [1, 7, 36],
// ...
],
];
For additional security, the folders typo3/
and typo3/
can be deleted, or password protected on a server level (e.g. by a web
server's user authentication mechanism). Please keep in mind that
these measures have an impact on the usability of the system. If you
are not the only person who uses the Install Tool, you should
discuss the best approach with the team.
TYPO3 Core updates
In legacy installations the Install Tool allows integrators to update the TYPO3 Core with a click on a button. This feature can be found under Important actions, and it checks/installs revision updates only (that is, bug fixes and security updates).
This feature can be disabled by an environment variable:
TYPO3_DISABLE_CORE_UPDATER=1
Encryption key
The encryption
can be found in the Install Tool (module
Settings > Configure Installation-Wide Options).
This string, usually a hexadecimal hash value of 96 characters, is used
as the salt for various kinds of encryptions, checksums and validations
(for example for the cHash). Therefore, a change
of this value invalidates temporary information, cache content, etc.
and you should clear all caches after you changed this value in order
to force the rebuild of this data with the new encryption key.
Attention
Keep in mind that this string is security-related and you should keep it in a safe place.
Generating the encryption key
The encryption key should be a random 96 characters long hexadecimal string. You can for example create it with OpenSSL:
openssl rand -hex 48
It is possible to generate the encryption key via an API within TYPO3:
use \TYPO3\CMS\Core\Crypto\Random;
use \TYPO3\CMS\Core\Utility\GeneralUtility;
$encryptionKey = GeneralUtility::makeInstance(Random::class)->generateRandomHexString(96);