sharedvault

Release 2020.9.6

SharedVault is a small application that allows you to define a secret that will require multiple people to unlock.

Homepage PyPI Python

License
Unlicense
Install
pip install sharedvault==2020.9.6

Documentation

SharedVault

SharedVault is a small application that allows you to define a secret that will require multiple people to unlock.

How does it work ?

At the core, SharedVault uses Shamir's Secret Sharing algorythm (some code is directly copied from the wikipedia page). This allows us to define a key(M, N) and N parts where the key can be recovered from M parts. On top of that we add a layer where each user has a public/private key that encrypts the shares they hold. This allows the following features:

  • A user change chose and change their password.
  • A user has a single password to remember (instead of one per share).
  • We can grant users access without having to communicate the share over untrusted network.

Security consideration

Private keys

Private keys are stored in the main database and encrypted with the user's password. A weak/leaked password will compromise the private key and therefore all the shares it can decrypt.

Secret encryption

The secret itself is encrypted using the Fernet algorithm. The key is derived with Scrypt from the secret number generated by Shamir's Secret Sharing algorithm. Note that I have no idea what I am doing so it is likely that there is a flaw related to the scrypt configuration that could compromise a secret's safety.

Revoking access

Everytime a secret is updated we generate a brand new set of keys for the new encryption. This allows us to deny future access to a user that has their key removed from the secret.

Deletion

SharedVault uses the database you provide, therefore it is impossible for us to protect against deletion since the database itself could be deleted.

Past password/keys

For the same reason, we cannot enforce that previous version of the database have been permanently deleted. This means that if an old password or key leaks, and the past database is available, then that key is compromized.

How to use it ?

I will add more ways to use this tool but right now there is a cli that you can run with:

$ pipenv run python -m cli --db=$DB_CONN_STR --help

Depending on the type of database you use, you might need additional dependencies. You can read more about the connection string format, available backends and additional dependencies at https://docs.sqlalchemy.org/en/13/core/engines.html.

Stats

Dependencies
5
Dependent packages
0
Dependent repositories
0
Total releases
2
Latest release
First release
Stars
13
Forks
0
Watchers
2
Contributors
1
Repository size
53.7 KB
SourceRank
8

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

2020.9.6
1.0

Contributors

Dorian JAMINAIS


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2021-02-21 17:35:18 UTC

Login to resync this project