Skip to main content

SharedVault is a small application that allows you to define a secret that will require multiple people to unlock.

Project description

SharedVault

SharedVault is a small application that allows you to define a secret that will require multiple people to unlock.

How does it work ?

At the core, SharedVault uses Shamir's Secret Sharing algorythm (some code is directly copied from the wikipedia page). This allows us to define a key(M, N) and N parts where the key can be recovered from M parts. On top of that we add a layer where each user has a public/private key that encrypts the shares they hold. This allows the following features:

  • A user change chose and change their password.
  • A user has a single password to remember (instead of one per share).
  • We can grant users access without having to communicate the share over untrusted network.

Security consideration

Private keys

Private keys are stored in the main database and encrypted with the user's password. A weak/leaked password will compromise the private key and therefore all the shares it can decrypt.

Secret encryption

The secret itself is encrypted using the Fernet algorithm. The key is derived with Scrypt from the secret number generated by Shamir's Secret Sharing algorithm. Note that I have no idea what I am doing so it is likely that there is a flaw related to the scrypt configuration that could compromise a secret's safety.

Revoking access

Everytime a secret is updated we generate a brand new set of keys for the new encryption. This allows us to deny future access to a user that has their key removed from the secret.

Deletion

SharedVault uses the database you provide, therefore it is impossible for us to protect against deletion since the database itself could be deleted.

Past password/keys

For the same reason, we cannot enforce that previous version of the database have been permanently deleted. This means that if an old password or key leaks, and the past database is available, then that key is compromized.

How to use it ?

I will add more ways to use this tool but right now there is a cli that you can run with:

$ pipenv run python -m cli --db=$DB_CONN_STR --help

Depending on the type of database you use, you might need additional dependencies. You can read more about the connection string format, available backends and additional dependencies at https://docs.sqlalchemy.org/en/13/core/engines.html.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sharedvault-2020.9.6.tar.gz (5.4 kB view details)

Uploaded Source

Built Distribution

sharedvault-2020.9.6-py3-none-any.whl (5.0 kB view details)

Uploaded Python 3

File details

Details for the file sharedvault-2020.9.6.tar.gz.

File metadata

  • Download URL: sharedvault-2020.9.6.tar.gz
  • Upload date:
  • Size: 5.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/49.2.0 requests-toolbelt/0.9.1 tqdm/4.48.2 CPython/3.8.3

File hashes

Hashes for sharedvault-2020.9.6.tar.gz
Algorithm Hash digest
SHA256 d7f75a7236117908df69b02c9654d3d17295b7483647ff51702a1b0c40ad5efc
MD5 77140d1cb54e76fa66064891637b7c80
BLAKE2b-256 de5928f3d07bc50a914fac85bb96f99d62a109b022e18d87267cfb00e194bc4d

See more details on using hashes here.

File details

Details for the file sharedvault-2020.9.6-py3-none-any.whl.

File metadata

  • Download URL: sharedvault-2020.9.6-py3-none-any.whl
  • Upload date:
  • Size: 5.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.2.0 pkginfo/1.5.0.1 requests/2.24.0 setuptools/49.2.0 requests-toolbelt/0.9.1 tqdm/4.48.2 CPython/3.8.3

File hashes

Hashes for sharedvault-2020.9.6-py3-none-any.whl
Algorithm Hash digest
SHA256 e8799c2724141f71f2e7a76f22f3c2c45dc66157b6114118100456a6cfae0dde
MD5 56025e2250d4f63abe0f5ff73e9a7fa7
BLAKE2b-256 2777b3018b9a41c7fa453eade41cbf287d396bd190ae8c3d5f7efddad86cbcfa

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page