A zero-knowledge server to store and share secrets: credentials, keys, etc.
Please read (preferably in a browser): Goals, Security, FAQ
git clone https://github.com/Fusion/crystalvault.git
work-directory/{data/auth, data/keys/, data/logs}
work-directory/data/data
work-directory/data/data
-- ensure it is writablehttp://your-server:3000
or through a load balancerNote that, for backup and file history reasons, the docker version of this vault insists on storing its data on Dropbox. Keep in mind that it is encrypted data so you are getting the best of both worlds.
In an enterprise environment, you may be behind a firewall.
In that case, provide at least a HTTPS_PROXY
environment variable.
Port 3000 is exposed, as well as the /dbox/Dropbox folder.
To complete linking to Dropbox, check the content of /var/log/dropbox. For instance:
docker run -d restart=always name tvault cyansmoker/crystalvault
docker exec -it tvault tail -f /var/log/dropbox
After a while, you should see this line:
Please visit https://www.dropbox.com/cli_link_nonce?nonce= to link this device.
Follow that link, authorize the container and after a few seconds Dropbox should start synchronizing.
Note that the container will wait for Dropbox to be properly mounted before starting the vault itself.
You will then be able to browse the vault at http://container-ip:3000 (or whatever load balancer you are using, if any)
Users will be identified using their chosen email address.
Each user's public PGP key must be stored on the server. Specifically, in:
work-directory/data/keys/user-s-email-address
Additionally, each user needs to pick a password. The sole purpose of that password is to force users to authenticate before they are allowed to delete files(!)
Instruct new users to visit http://your-server:3000/newuser.json/user-s-email-address/user-s-password
and send the resulting output to you. You know what to do next!
Whenever a user visits http://your-server:3000
they should click on 'Passphrase'
and enter: user-s-email-address
, user-s-password
and their secret PGP pass phrase.
Please visit Goals, Security, FAQ to learn more about the security measures taken to protect the pass phrase.
If they have not done so yet, they should then click the key icon and drag/drop a file containing their private PGP key.
This key will be securely encrypted and never leave their browser. Again, have a look at Goals, Security, FAQ for more information.