Hardware-based password/SSH key/secret manager for people serious about security

function61/passitron

Build status Download

What is this?

Software for a separate, trusted hardware device (think of it as a "hardware security module") that behaves much like Keepass but does nothing except store secrets.

If you use Keepass on your PC and your PC gets compromised by malware or an attacker, it's game over: the whole database is exposed. If your secrets live on a separate device instead, a PC compromise does not expose them. This software only releases a secret when you physically press a button on the device, and it releases only one secret per button press, so a compromised PC can at most capture the individual secrets you choose to reveal to it, never the whole database at once.

Features

  • No cloud
  • Physical acknowledgement: a password is exposed only after you press the button on a U2F key (a YubiKey, for example), so an attacker would need local, physical access to the device to steal your secrets.
  • Supported secrets:
    • Passwords
    • OTP tokens (TOTP, as used by Google Authenticator)
    • SSH keys (via SSH agent protocol)
    • Keylists ("printed OTP list")
    • Freetext (any text content is treated as secret data)
  • Create, view and list secrets in a folder hierarchy.
  • Export the database to Keepass format (for viewing on mobile devices when traveling etc.). Note that an exported copy lives outside the device and therefore loses the button-press protection described above.
  • Import data from Keepass format

Recommended hardware

I'm using a Raspberry Pi Zero W with a wooden case.

It doesn't matter much which hardware you use, as long as you don't run anything else on that system, to keep the attack surface minimal. For such light use a Raspberry Pi is economical, but the project runs across processor architectures and operating systems because it is written in Go, which cross-compiles so easily. :)

Download & running

Click the "Download" badge at top of this readme and locate the binary for your OS/arch combo:

  • For Raspberry Pi, download pism_linux-arm
  • For Linux PC, download pism_linux-amd64

Note: you don't need to download public.tar.gz separately; the binary fetches it automatically if it isn't present.

Rename the downloaded binary to pism.

Pro-tip: you can download this directly to your Pi from command line:

$ mkdir passitron/
$ cd passitron
$ curl --fail --location -o pism <url to pism_linux-arm from Bintray>

# mark the binary as executable
$ chmod +x pism
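Since this binary will guard every secret you own, it is worth checking that what you downloaded is what the release published before you make it executable. The following shell functions are an added example, not part of passitron or its README: they compare a file's SHA-256 against a digest you obtained out of band and only then chmod +x it. The digest value in the usage comment is a placeholder you must replace with the one for the release you actually downloaded.

```shell
# Added example (not passitron's own code): gate "chmod +x" on a SHA-256 match.
# The expected digest must come from a source you trust, not from the same
# place you fetched the binary.

# sha256_of FILE: print the hex digest, using whichever tool the system has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_binary FILE EXPECTED_SHA256
# Marks FILE executable and returns 0 only when its digest matches EXPECTED
# (case-insensitive). On mismatch the file is left non-executable and 1 is
# returned, so a bad or tampered download cannot be run by accident.
verify_binary() {
    file="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    actual="$(sha256_of "$file")"
    if [ "$actual" = "$expected" ]; then
        chmod +x "$file"
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH for $file: expected $expected, got $actual" >&2
    return 1
}

# Usage, following the README's download step (the digest below is an
# assumed placeholder, not a real release hash):
#   curl --fail --location -o pism <url to pism_linux-arm from Bintray>
#   verify_binary pism 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef \
#       && ./pism server init-config admin yourpassword
```

If `verify_binary` fails, do not run the binary; re-download it and compare the digest again, and if it still differs treat the download location as suspect.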

Installation & running:

$ ./pism server init-config admin yourpassword
$ ./pism server install
Wrote unit file to /etc/systemd/system/passitron.service
Run to enable on boot & to start now:
        $ systemctl enable passitron
        $ systemctl start passitron
        $ systemctl status passitron

Looks good. You should now be able to reach the web interface at http://<ip of your pi>. Two things to keep in mind: the password you passed to init-config on the command line stays in your shell history unless you clear it, and the interface is served over plain HTTP, so use it only from a network you trust.

How to build & develop

We build with Turbo Bob, our build tool. It's easy and simple!

Getting to know the codebase

See the commit where I added support for storing an email field.