Password Store

This is a project I’ve been thinking about for a while now. I’ve been using KeePass 2 for quite a long time as my password manager, and it works great. But with all the services I’m hosting, even after creating a RADIUS server (more on this later; I’m still learning how to set up my LDAP server correctly before setting up the RADIUS server), I’ll still need to store many root passwords for my servers, and keeping everything synchronized is really starting to be a pain.

Don’t get me wrong: for a very long time I stored my KeePass file on Google Drive, but I want to move away from Google’s personal services, and this KeePass file is my last step. It also comes with new constraints that mean simple cloud storage is no longer a good solution for me.

I’ve tested quite a few password managers, and none gave me the freedom I get from KeePass. Many provide new features I need, such as team sharing, but often at the cost of one crucial feature, such as being usable on Linux, or usable outside of a web browser at all.

So here I am: I have a need that is mostly covered by one existing open-source application, with a single small point of frustration.

If it matters to you, just make it happen.

This was a saying we used a lot in an association I worked with.

Let’s follow this motto and take care of the issue.

My needs

  • I need to store my passwords
  • Have them associated with the website URL
  • Use the same tool on Linux/Windows/Android
  • Interface it with Firefox
  • Group the passwords and share some with other people (for instance my wife)
  • Have a single authentication point (no closing one file to open another)
  • Have everything stored in the cloud and seamlessly synced across all devices
  • Have everything really secured (no single big file containing everything)
  • Be able to perform automatic password rotation
  • The whole thing must be as cheap as possible
  • Be easy to create and maintain
  • Not be tightly coupled to any external service
  • Keep an offline cache

Let’s cut this into small packages. I have 5 packages to create:

  1. Password storage:
    • This is the driver that will handle password storage
    • and provide a standard, unified way of reading and writing
  2. Authentication:
    • This will be our bouncer: the package will allow or deny access to a password
  3. User space application:
    • This is the core, what KeePass is currently doing
    • This application gives the end user access to read and write the passwords
  4. Password rotation:
    • There is a reason I put this here: it’s pretty close to our user space application
    • The only difference is that it will be run in the cloud
    • Most likely I will want it to access the storage the same way as the user application; the difference will be the way it authenticates
  5. Web browser/other applications:
    • By staying really close to the KeePass interfaces, this should be little to no work at all

Storage Package:

This is less straightforward than it might seem.

I see 3 ways to store it:

  • Using a NoSQL service like DynamoDB to store the credential sets:
    • Fast
    • Easy management of concurrent I/O
    • I can encrypt each credential set with a key attached to its group
    • I can use a sort key for the URL
    • Except that password URLs are regular expressions, which a sort key cannot match
  • Using a SQL database:
    • Slower, but I can search by regular expression
    • Concurrent I/O can still be handled there, as there isn’t a big throughput
    • But there is a minimum cost, which will most likely always be higher than NoSQL at my scale
  • Using bucket storage/file system:
    • Pretty fast
    • I can encrypt the credentials and use metadata to limit user access
    • I can store multiple credentials per file and let KeePass do the URL matching

So I’ll go for S3 storage. That’s not ideal, especially because I’ll need to keep multiple files open for credential lookup, but it’s the path with the least overhead.
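As an added illustration of the lookup the last option implies (example code, not from this post and not KeePass’s own matching), here is a small Go program that searches several decrypted group files for entries whose URL rule matches the page being visited. The file layout, field names, group names and sample entries are all constructed for the example. Each rule is matched against the origin only (scheme://host[:port]) and wrapped in ^(?:…)$, which is the check a browser integration needs so that a rule written for bank.example is not accepted for bank.example.evil.test:

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
)

// Credential is one entry as it would appear inside a decrypted group file.
// The field names are this example's own, not a KeePass field layout.
type Credential struct {
	Group   string
	Title   string
	URLRule string // regular expression over the origin, as the post proposes
	User    string
}

// groupFiles stands in for the decrypted group files this client may read
// (constructed sample data: two groups, as in the "share with my wife" case).
var groupFiles = map[string][]Credential{
	"personal": {
		{"personal", "Bank", `https://(www\.)?bank\.example`, "alice"},
		{"personal", "Mail", `https://mail\.example\.org`, "alice@example.org"},
	},
	"family": {
		{"family", "Router", `https?://192\.168\.1\.1(:\d+)?`, "admin"},
		{"family", "Streaming", `https://([a-z0-9-]+\.)?stream\.example`, "family"},
	},
}

// Lookup returns every credential, across all readable group files, whose
// rule matches the full origin (scheme://host[:port]) of rawURL. The rule is
// wrapped in ^(?:...)$ and applied to the origin only, so a rule written as
// `https://bank\.example` cannot match https://bank.example.evil.test/ or a
// path or query that merely contains that string: an unanchored substring
// match is a phishing hole in any URL-driven autofill.
func Lookup(files map[string][]Credential, rawURL string) ([]Credential, error) {
	u, err := url.Parse(rawURL)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return nil, fmt.Errorf("not an absolute URL: %q", rawURL)
	}
	origin := u.Scheme + "://" + u.Host
	var out []Credential
	for _, entries := range files {
		for _, c := range entries {
			re, err := regexp.Compile("^(?:" + c.URLRule + ")$")
			if err != nil {
				return nil, fmt.Errorf("%s/%s: bad rule %q: %w", c.Group, c.Title, c.URLRule, err)
			}
			if re.MatchString(origin) {
				out = append(out, c)
			}
		}
	}
	// Map iteration order is random; give the UI a stable order.
	sort.Slice(out, func(i, j int) bool {
		return out[i].Group+"/"+out[i].Title < out[j].Group+"/"+out[j].Title
	})
	return out, nil
}

func main() {
	for _, q := range []string{
		"https://www.bank.example/login",
		"https://bank.example.evil.test/login?next=https://www.bank.example",
		"http://192.168.1.1:8080/admin",
	} {
		hits, err := Lookup(groupFiles, q)
		fmt.Printf("%s -> %d match(es), err=%v\n", q, len(hits), err)
		for _, h := range hits {
			fmt.Printf("  %s/%s as %s\n", h.Group, h.Title, h.User)
		}
	}
}
```

The regex stays the author’s choice of rule language; the origin-only, fully anchored match is what keeps a permissive rule from leaking a credential to a look-alike host, and it is the part worth keeping whatever the storage backend ends up being.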

Here is a quick diagram of how I foresee the storage:

The application will use an identity broker to generate credentials that can directly read specific files from the bucket storage.

The files are stored strongly encrypted, with an individual key per security group.

When the client retrieves a file, it is re-encrypted with the client’s public key, to be decrypted by the client when required.

This means the client will have to: authenticate, get objects, put objects, update its public key, and list the keys it can access.

How to implement?

The application will provide the authentication protocol and the access protocol as plugins. This is how I achieve decoupling: whenever I need to change the storage I will only have to change the storage plugin, and the same goes for authentication.

That’s super interesting for me, as it should allow me to rely on my RADIUS server when at home and remove any end-user “work”. Away from home, I can use an authentication method that requires a password and 2FA.

For my specific current implementation: I’ll use S3 to store the data, encrypted with KMS keys, store the public keys in S3 as well, and perform the re-encryption using S3 Object Lambda. This way I only have to create a single Lambda and deploy minimal services. I can take advantage of versioning for backups and rollback. For files that small the storage is basically free, and so is the compute for re-encryption (we are speaking of less than $1).

The cost will mostly lie in the KMS keys, at about $1 per key per month (one key per security group).
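As an added example (not the post’s own code and not an AWS library), here is the re-encryption flow described above in Go, using only the standard library’s AES-256-GCM and RSA-OAEP: the file sits in the bucket sealed under the group key, the Object Lambda step opens it with the group key and re-seals it under a fresh data key wrapped to the requesting client’s public key, and only that client’s private key can open the result. The group key is a local 32-byte value standing in for the group’s KMS key, the object key name and the JSON file are constructed, and binding the object key as AEAD associated data is this example’s design choice, not something the post specifies:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext under AES-256-GCM. aad is authenticated but
// not encrypted: binding the S3 object key there (an assumption of this
// example) means a blob copied to another object name no longer opens.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to the blob or to aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("bad key or ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Delivery is what the Object Lambda returns on GetObject: a fresh data key
// wrapped to the caller's RSA public key, plus the file sealed under that key.
type Delivery struct{ WrappedKey, Sealed []byte }

// ReEncryptForClient is the Object Lambda step. groupKey stands in for the
// group's KMS key (a real Lambda would call KMS rather than hold it). It is
// used only here; the client receives material only its private key can open.
func ReEncryptForClient(groupKey []byte, objectKey string, stored []byte, pub *rsa.PublicKey) (*Delivery, error) {
	aad := []byte(objectKey)
	plain, err := open(groupKey, stored, aad)
	if err != nil {
		return nil, fmt.Errorf("group-key decrypt of %q failed: %w", objectKey, err)
	}
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, aad)
	if err != nil {
		return nil, err
	}
	sealed, err := seal(dataKey, plain, aad)
	if err != nil {
		return nil, err
	}
	return &Delivery{WrappedKey: wrapped, Sealed: sealed}, nil
}

// ClientDecrypt runs on the client, which holds only its own private key.
func ClientDecrypt(priv *rsa.PrivateKey, objectKey string, d *Delivery) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, d.WrappedKey, []byte(objectKey))
	if err != nil {
		return nil, err
	}
	return open(dataKey, d.Sealed, []byte(objectKey))
}

// RoundTrip runs one fetch over constructed data: what the client recovers,
// whether another user's key is refused, and whether the at-rest blob is
// refused once copied to a different object key.
func RoundTrip() (recovered string, otherClientFails, movedBlobFails bool) {
	groupKey := make([]byte, 32)
	rand.Read(groupKey)
	client, _ := rsa.GenerateKey(rand.Reader, 2048) // requesting client
	other, _ := rsa.GenerateKey(rand.Reader, 2048)  // another user of the bucket
	const obj = "groups/family/router.json"        // hypothetical object key
	file := []byte(`{"title":"Router","user":"admin","password":"correct horse"}`)
	stored, _ := seal(groupKey, file, []byte(obj)) // PutObject: the at-rest form
	d, err := ReEncryptForClient(groupKey, obj, stored, &client.PublicKey)
	if err != nil {
		panic(err) // cannot happen on an untampered blob
	}
	got, _ := ClientDecrypt(client, obj, d)
	_, otherErr := ClientDecrypt(other, obj, d)
	_, movedErr := ReEncryptForClient(groupKey, "groups/personal/router.json", stored, &client.PublicKey)
	return string(got), otherErr != nil, movedErr != nil
}

func main() {
	fmt.Println(RoundTrip())
}
```

Running it prints the recovered file followed by two booleans, both true: another user’s private key cannot unwrap the data key, and the stored blob is refused when presented under a different object key. The property that matters for the design is that the group key is only ever used inside ReEncryptForClient, the Lambda side; the client never receives it and holds only the material wrapped to its own public key, which is the key the post proposes storing in S3 alongside the data.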
