passitron

Version: v0.0.0-...-de0f673
Published: Mar 20, 2020 License: Apache-2.0

README

Build status Download

What is this?

Software for a separate, trusted hardware device (a "hardware security module") that acts essentially like KeePass and serves only to store secrets.

If you use KeePass on your PC and the PC is compromised by a virus or a hacker, it's game over. If you use a separate device for storing secrets, a compromise of your PC does not expose your secrets. This software exposes a secret only when you physically press a button on the device, and it exposes only one secret per button press.

Features

  • No cloud
  • Physical acknowledgement to expose a password by pressing a button on a U2F key (YubiKey for example), so a hacker would need local, physical access to steal your secrets.
  • Supported secrets:
    • Passwords
    • OTP tokens (Google Authenticator)
    • SSH keys (via SSH agent protocol)
    • Keylists ("printed OTP list")
    • Freetext (any text content is treated as secret data)
  • Create, view and list secrets in a folder hierarchy.
  • Export database to KeePass format (for viewing on mobile devices when traveling, etc.)
  • Import data from KeePass format

I'm using a Raspberry Pi Zero W with a wooden case.

It doesn't matter much which hardware you use, as long as you don't run anything else on that system, to minimize the attack surface. For such light use, a Raspberry Pi is economical, although this project runs across processor architectures and operating systems because Golang is so awesome. :)

Download & running

Click the "Download" badge at the top of this README and locate the binary for your OS/arch combo:

  • For Raspberry Pi, download pism_linux-arm
  • For Linux PC, download pism_linux-amd64

Note: don't worry about public.tar.gz - it's downloaded automatically if it doesn't exist.

Rename the downloaded binary to pism.

Pro-tip: you can download this directly to your Pi from the command line:

$ mkdir passitron/
$ cd passitron
$ curl --fail --location -o pism <url to pism_linux-arm from Bintray>

# mark the binary as executable
$ chmod +x pism

Installation & running:

$ ./pism server init-config admin yourpassword
$ ./pism server install
Wrote unit file to /etc/systemd/system/passitron.service
Run to enable on boot & to start now:
        $ systemctl enable passitron
        $ systemctl start passitron
        $ systemctl status passitron

Looks good. You should now be able to access the web interface at http://<ip of your pi>.

How to build & develop

How to build & develop (with Turbo Bob, our build tool). It's easy and simple!

Getting to know the codebase

See commit where I added support for storing an email field.

Directories

Path Synopsis
cmd
pkg
envelopeenc
Envelope encryption - envelope contains secret content encrypted with NaCl secretbox symmetric key, and that key is separately encrypted for each RSA public key recipient.
slowcrypto
Crypto operations designed to be slow (internally utilizing PBKDF2)
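
The envelope scheme described for envelopeenc above, as an added sketch that is not passitron's own code: the content is encrypted once under a fresh symmetric key, and that key is wrapped separately for each RSA recipient, so any one recipient's private key opens the envelope. Assumptions: AES-256-GCM from the Go standard library stands in for NaCl secretbox, RSA-OAEP with SHA-256 is the key-wrapping padding (the synopsis does not name one), and the names Envelope, KeySlots, Seal and Open are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Envelope (hypothetical type, not envelopeenc's API): one ciphertext plus wrapped keys.
type Envelope struct {
	Nonce, Ciphertext []byte
	KeySlots          map[string][]byte // recipient label -> RSA-OAEP(content key)
}

// newAEAD returns AES-256-GCM, standing in for NaCl secretbox; key must be 32 bytes.
func newAEAD(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)  // fails only on a bad key length
	aead, _ := cipher.NewGCM(block) // fails only for non-16-byte block ciphers
	return aead
}

// Seal encrypts plaintext once under a fresh key, then wraps that key per recipient.
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	buf := make([]byte, 32+12) // content key followed by GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	key, nonce := buf[:32], buf[32:]
	env := &Envelope{Nonce: nonce, Ciphertext: newAEAD(key).Seal(nil, nonce, plaintext, nil), KeySlots: map[string][]byte{}}
	for name, pub := range recipients {
		slot, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		env.KeySlots[name] = slot
	}
	return env, nil
}

// Open unwraps the content key from one recipient's slot and decrypts the content.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.KeySlots[name], nil)
	if err != nil || len(key) != 32 || len(env.Nonce) != 12 {
		return nil, errors.New("envelope: no usable key slot for " + name)
	}
	return newAEAD(key).Open(nil, env.Nonce, env.Ciphertext, nil)
}
```

Adding a recipient later only requires wrapping the content key into a new slot; the ciphertext itself is never re-encrypted. The length checks in Open matter because a malformed nonce would otherwise make the GCM call panic instead of returning an error.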
