Configure BeyondInsight for Unix & Linux

You can customize the console using the pbsmc.toml.default file located in:

  • Linux: /etc/pbsmc
  • Windows: %ProgramFiles%\PBSMC

First, you must create a copy of the file using the name pbsmc.toml. You can include only the settings that you want to customize.

The BIUL API uses a markup language called TOML that is hierarchical. The settings are divided into sections and keys. Be sure to include the section title in pbsmc.toml. For example, if you want to change the default port number, the text will look similar to the following:


Apply proper security settings on the TOML file. The file owner requires Read and Write privileges.

You can configure the following settings.


By default, the console creates a SQLite database in /etc/pbsmc/pbsmc.sqlite on Linux, or in %ProgramFiles%\pbsmc on Windows. This can be changed to another location.



Default: sqlite3

The dialect key allows a user to specify what type of database BIUL will connect to.


Default: The default is OS specific, but maps to using an sqlite database file with the following config:


The url is a key that allows a user to provide connection information to our database driver.

server=pbsmc-sqlserver;user id=sa;password=Hello2018;port=1433;database=pbsmc


By default, the console runs on port 4443. Before changing this value, stop the service.


By default, the BeyondInsight for Unix & Linux server runs as the root user. In a Linux environment, you can override this default behavior to run as a dedicated user with only access to the BIUL resources.

  1. Create a Linux user and group you want to use for running BeyondInsight for Unix & Linux.
useradd biul
groupadd biul
usermod -a -G biul biul
  1. Stop the BeyondInsight for Unix & Linux service using systemctl stop pbsmc.
  2. Specify this user and group as a value in the BeyondInsight for Unix & Linux config file (pbsmc.toml), in the server section, via the key runprivs, separated by a colon (user:group).
runprivs = "biul:biul"

See also the sample config file included with the installation, /etc/pbsmc/pbsmc.toml.default.


Default: :4443

The port that BIUL listens for connections on.


Default: false

A setting to disable BIUL from attempting to initialize.


Default: ""

The path to where installers are stored on disk.


Default: An OS specific folder where uploads are temporarily stored until they can be moved to the softwarepath.


Default: 14

The bcrypt cost factor for hashing passwords. Values less than 12 use 12. Values greater than 20 use 20.


By default, the console supports encrypted HTTPS connections using automatically generated, self-signed certificates. The console serves only HTTPS traffic on the configured port, unless explicitly configured to fall back to insecure HTTPS in the pbsmc.toml configuration file. A custom certificate pair may also be provided and placed in the configuration file.



Default: true

Whether to use TLS 1.2+ to secure connections to BIUL or not.


Default: unset

The location on disk to use as the public key/cert for encrypting communications.

If key and cert are provided, key pairs stored in the database are not used.


Default: unset

The location on disk to use as the private key for encrypting communications.

If key and cert are provided, key pairs stored in the database are not used.

Worker Pool

Console tasks are run in a concurrent pool of processes. The default number of processes running at a time is 20. You can increase the pool size to allow jobs to complete faster. However, the server performance might lag, and decreasing the pool size has the opposite effect.



Default: 20

The number of workers that are allowed to operate performing remote actions simultaneously.


The logging level configuration.



Default: info

The level of logging to write to disk.


Default: 365

The maximum age of rotated log files. When a logfile is rotated it has the timestamp of when it was rotated added to the logfile's name. Any logfiles that are more than maxage days old when the next file is rotated are deleted.

If a logfile happens to be rotated every 10 days, then it is possible for a logfile to exist on disk for more than 365 days.

If set to zero (0), old logfiles are not deleted.


Default: 10

The size of a logfile in number of megabytes before the log is rotated.

If set to zero (0), the logfile is not rotated.

Encryption Keys

Encryption keys for BIUL use base64 encoded AES-256 encryption. The key secures sensitive data stored in the database. More than one key can be used at a time. The active key in the pbsmc.toml file is the key currently in use. If you start BeyondInsight for Unix & Linux without an encryption key, one is generated for you. You can review the comments in the pbsmc.toml.default file.

revoked= [
known = [



Default: unset

This is the key that is used to encrypt all secrets in the database. If not provided, it is created and the settings file mutated.


Default: dYFnQ8eNHRTnqRahhqwbpizzrEQVK7LK, 8vkb8JJgWRy5h1C421zy2q0sS7i2mdw2

This is a list of keys that are no longer active; any secrets that are encrypted with the keys should be re-encrypted with the active key.


Default: unset

This is a list of keys that BIUL uses to decrypt secrets. known is used as a step in the process of rolling a key. In the event of a cluster of BIUL servers, it is necessary to synchronize keys to all servers before the process of re-encrypting all secrets occurs.

This allows a key to be known by all servers, then you can update active to the new key, potentially moving an old key to revoked, and then begin the process of moving other servers to update their active key to the new key.

This allows all secrets to be readable by all servers.


You must restart the service to apply changes.

SSH Cipher and Key Exchange Configuration



Default: a list containing the values aes128-gcm, chacha20-poly1305, aes128-ctr, aes192-ctr, aes256-ctr

This is used to configure the list of allowed ciphers to be used while connecting to remote hosts.

Supported values:

  • aes128-ctr
  • aes192-ctr
  • aes256-ctr
  • aes128-gcm
  • chacha20-poly1305
  • arcfour256
  • arcfour128
  • arcfour
  • aes128-cbc
  • 3des-cbc

key exchanges

Default: a list containing the values curve25519-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384

This is used to configure the list of allowed key exchange algorithms used to secure the initial connection to remote hosts.

Supported values:

  • curve25519-sha256
  • ecdh-sha2-nistp256
  • ecdh-sha2-nistp384
  • ecdh-sha2-nistp521
  • diffie-hellman-group14-sha1
  • diffie-hellman-group1-sha1
  • diffie-hellman-group-exchange-sha256
  • diffie-hellman-group-exchange-sha1


Increasing the value of the parameters makes it more difficult for an attacker to crack a given password, but that increase in security slows down the login process for a legitimate user.


Unless you fully understand the implications of adjustments to the parameters below, we recommend using the default parameters. For help with this specific configuration, contact BeyondTrust Support.



Default: 65536

The CPU/Memory cost parameter. N is the most commonly adjusted parameter. N is the main factor governing how much memory the algorithm uses.

Value for N must be:

  • Greater than 1
  • A power of 2
  • Less than 2^(128*r/8)


Default: 8

The block size parameter.

Value for r must be greater than 0.


Default: 1

The degree of parallelism parameter.

Value for p must be greater than 0.