RajeshRk18/DeVault


What is DeVault?

DeVault is a secret manager that encrypts your secrets and stores them securely. DeVault is a drop-in replacement for BitWarden, Keeper, and similar managers that store your data on centralized servers. There have been many instances[1,2] where people's sensitive data stored in the cloud was exposed, breaking people's freedom, trust, and privacy.

Because DeVault is built on top of Phala Network, which uses TEEs for state transitions, no data is revealed once you store your secrets. In fact, your secrets are not stored anywhere; they are derived on the go. Only encryption keys are stored, and even then what is stored is the encryption of the users' encryption keys.


Security

DeVault uses Argon2id to derive the encryption key from the master password, and secrets are encrypted using ChaCha20Poly1305 (will be switched to AES-256).

Argon2id is the preferred algorithm for key derivation. ChaCha20Poly1305 is as preferred as AES-256 in GCM mode. The former is used because no well-known Rust dependency is available for AES-256 that does not depend on PRNG dependencies, and ink! contracts cannot have PRNG dependencies.


Risk

DeVault uses the Fast Rand crate with the js and default features disabled, so it expects us to provide the seed. The initial seed is generated from the block timestamp and number. Thus, it is not a cryptographically secure PRNG. As long as the master password is not exposed, it is very hard to get the secrets, because the master password is used to derive the user vault's encryption key using Argon2id.


Recommendations

Generate a secure master password. The strength of the internal encryption of your secrets is directly proportional to the strength of your master password.

Unix-based distributions

  • Run the command below.

        tr -dc 'A-Za-z0-9!@#$%^&*?' </dev/urandom | head -c 32 > master_pass.txt

  • Open master_pass.txt and write the password down on paper (please!!). Look carefully at which letters are lowercase and which are uppercase!

  • Delete master_pass.txt! Phew..
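
A variant of the steps above, as an added example that is not part of the DeVault repository: it creates the file with owner-only permissions and checks the result before you copy it down. The function name `gen_master_pass` is an assumption; the character set, length and default file name are those of the command above.

```shell
#!/bin/sh
# Added example, not part of the DeVault repository.
# gen_master_pass is a hypothetical helper name; the character set, length
# and default file name are the ones in the README command above.

gen_master_pass() {
    out="${1:-master_pass.txt}"
    len=32

    # Never overwrite an existing file (it may hold a password in use).
    if [ -e "$out" ]; then
        echo "refusing to overwrite $out" >&2
        return 1
    fi

    # umask 077 creates the file with mode 0600; the subshell keeps the
    # umask change local. LC_ALL=C makes tr treat /dev/urandom as raw bytes
    # (BSD/macOS tr otherwise rejects invalid multibyte sequences).
    # tr is stopped by SIGPIPE once head has its 32 bytes, so the pipeline
    # status is ignored and the checks below decide success.
    (
        umask 077
        LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*?' </dev/urandom |
            head -c "$len" >"$out"
    ) || :

    # Check 1: exactly 32 characters were written.
    got=$(wc -c <"$out" 2>/dev/null | tr -d ' ')
    if [ "${got:-0}" -ne "$len" ]; then
        echo "expected $len characters, got ${got:-0}" >&2
        rm -f "$out"
        return 1
    fi

    # Check 2: nothing outside the intended character set.
    if LC_ALL=C grep -q '[^A-Za-z0-9!@#$%^&*?]' "$out"; then
        echo "unexpected character in $out" >&2
        rm -f "$out"
        return 1
    fi
    return 0
}
```

Call `gen_master_pass` in an empty working directory, copy the password to paper, then delete the file as in the last step.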

TODO

  • Secure secret sharing
  • Tag based secret query
  • Key rotation
  • Compression before encryption
  • Frontend
  • Generate password/passphrase (will be in frontend)
