psswrd-mngr v0.0.6

psswrd-mngr

Pre alpha. At the moment, nothing works as expected! Come back later = )

What is psswrd-mngr for?

psswrd-mngr is a Node.js application to manage passwords. Setting up an initial password store is done via the command line. After that, all interaction is supported via a web interface (adding new passwords, retrieving passwords, modifying passwords). Along with a password, arbitrary association text data can be stored (for example, the domain, user name, etc.). Optionally, synchronization can be turned on with a cloud service such as Drop Box.

Security

The password store is encrypted using AES 256. The key is composed of 3 pieces:

• a short (minimum 6 characters) password string
• a locally stored key file (text, several kilobytes)
• a remotely stored key file (text, several kilobytes)

To decrypt and work with the password store, the following 3 conditions must be met:

• you must provide the password string
• the local key file must be available
• you must provide the URL of the remote key file

The password and the URL will be required when you access the web interface. The location of the locally stored key file is specified in the configuration file (see below).

To use the web interface the user must authenticate using the OAuth2 protocol over an SSL connection.

Initial setup

Make sure you have Node.js and NPM available on your system. To initialize a new password store in the directory PASSWORD_STORE_DIRECTORY you would do:

$ npm install -g psswrd-mngr
$ cd PASSWORD_STORE_DIRECTORY
$ psswrd-mngr init

Follow the on-screen instructions. After the initial setup, the directory PASSWORD_STORE_DIRECTORY will contain 4 new files:

• password.store
• local.key
• remote.key
• psdm.config

You will have to take the file remote.key, and put it on some server where it can be accessible via HTTP. It is best to also have the remote key backed-up on some external media, in-case you will ever have to re-upload it again.

Sanity check

It is very important that the remote key file can be accessed by psswrd-mngr, and that it is not garbled in the process of file transfer. To test that encryption and decryption is working correctly, after you uploaded the remote key, please do the following:

$ cd PASSWORD_STORE_DIRECTORY
$ psswrd-mngr check

Also, this sanity check works in all other cases where you think that something is wrong.

Access the web interface

If you have your password store set up, you can start managing your passwords via the web interface like so:

$ cd PASSWORD_STORE_DIRECTORY
$ psswrd-mngr web

The psswrd-mngr server will be launched, and the access URL will be printed to stdout. The default URL is http://localhost:8080/.

Configuration

The file psdm.config must always be present in the PASSWORD_STORE_DIRECTORY directory for psswrd-mngr to function properly. It's contents are something similar to (note the JSON structure):

{
  "ps_file": "password.store",
  "lk_file": "local.key",
  "p": 8080
}

ps_file, and lk_file properties are relative paths to the password store file and the local key file respectively. The p property is the port on which the web interface will be started.

Synchronization

To enable synchronization of the password store, please use the web interface. You will find detailed instructions there. The synchronization happens transparently whenever the web interface process is running (i.e. when the process launched by the command psswrd-mngr web is running).

Moving the password store between systems

Once you have a password store set up, to access it from another system, there are two options.

The first option is to take the entire folder PASSWORD_STORE_DIRECTORY and copy it over to another system. Then, on the other system, you have to make sure that Node.JS and NPM are available, and then do:

$ npm install -g psswrd-mngr
$ cd WHERE_YOU_COPIED_PASSWORD_STORE
$ psswrd-mngr web

The second options is to connect your system to the Internet (or some private network), and allow your firewall to let the outside word see and communicate with whatever port the web interface is running on. Then you can access the web interface to your password store from anywhere where there is Internet connectivity (or over the private network).