Note: there is no guarantee that this is secure, and it definitely requires extensive security testing before it can be used in production settings. For now, you should probably just use AWS KMS. This is meant as a last resort for a private repository, so that you have time to change your passwords if the data is accidentally made public. Make sure you are changing your passwords at intervals of no more than 3 months.
Pass-It-On is a password manager that:

- Gives password access to multiple users
- Uses LABELs or USER GROUPS (i.e. sets of users who can use the same keys or secrets)
- Allows you to store your keys in a code repository
- Retrieves keys automatically at server start, for autoscaling purposes
## Encrypting the access keys

- Add:
  - ADMIN fetches a public or private key
  - Encrypts it with the user's public key
- Append:
  - `json.item_name = "key_encrypted_by_password"`
  - Password is salted and hashed using PBKDF2
  - Fernet encrypts the user's private key using that hash
- Remove:
  - `delete json.item_name`
## Accessing the passwords themselves

Types:

- Read: private key
- Write: public keys

Group public keys are locked with GPG so that groups can be part of other groups.

A user that has read and write privileges on everything can:

- Add user
- Create group
- Delete user
- List groups
- List users
- Access available keys
- Read passwords
- Write password
## Modes

- Administration
- Injection

### Administration

A mode where you manage the password store:

- Initialize store
- Add user to group
- Create new group
- Add keys to group
- Add / Modify / Delete users
- Add / Modify / Delete / List keys
- Change passwords
- Run the application
- Enter username and password
- Choose options available to that user

### Injection

Run this inside your application and the passwords you have been authorized to access will be injected into the development environment.

There are two ways of being authenticated in injection mode:

- Putting your username and password inside `PIO_USER` and `PIO_PASS`, respectively.
- Following the prompt.
- Going to start using this standard for javascript:
  - Promises > callbacks
This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See http://www.wassenaar.org/ for more information.
The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code.
## TODO

- travis-ci tests fail
- command line commands (`pio.js`)
- code coverage
- jsdocs
- operations:
  - removeSecret: remove access to user / group
  - deleteSecret: delete memory to secret (give warning)
  - addSecretToGroup: if you have the public key to a group, you can add a secret to the
  - changeGroupKeys: finish/fix implementation
- figure out grouping stuff
- make `Auth` version of public-facing functions to auto-decrypt pub/priv keys, because operations should be the only thing that talks to security
- allow input of admin email address