A secure, multi-user password management apps.
mortimer is a password storage application that supports multiple users and basic permissions. The app relies on public key cryptography to facilitate a multi-user password system whose data remains secure even if the database is compromised.
Admin users have permission to all password entries on the system. Users may be given permission on a password-group basis.
mortimer uses asymmetric encryption on the user level. It works like so:
Imagine that we need to store a shared password, such as the password to a web application admin.
We want to grant our hypothetical user, Tom, access to that password, so we add him to the system.
A unique public and private key will be generated for Tom. Tom's public key is used to encrypt any password for which he is granted access. Tom's private key is stored, symetrically encrypted using his login password.
(Note that this does not mean that Tom's login password is stored in plain-text; rather, when Tom logs in, the plain-text password he enters is symetrically encrypted using an application-specific key and is stored in Tom's cookie-stored session, which is also encrypted. A stricter security scheme would require Tom to enter his password every time he needed to view a stored password; however, it seems sufficently secure to store the password doubly-encrypted in a session cookie that is cleared once the user logs out.)
When we give Tom access to the e-commerce admin, Tom's public key is used to generate a uniquely-encrypted version of the password, just for Tom.
When Tom goes to view the password, the system decrypts Tom's private key using his login password. The decrypted private key can then be used to decrypt Tom's version of the e-commerce admin password.
So, if ten users have access to a given password, then ten uniquely-encrypted copies of that password are stored on the system. One of the main benefits of this method is that, if the password changes, the password can be easily re-encrypted for each user, using each user's public key. This means that it's easy for changes in password entries to be reflected for each user while maintaining completely siloed user password storage.
Before deploying mortimer to production, install it locally, and run it in development mode.
Security configuration exists in:
config/environment.rb (session key/secret) config/initializers/security.rb config/initializers/site_keys.rb
Be sure to configure these to your liking. It is especially important to add unique site keys for the encryption of user passwords. This can be done automatically with:
After migrating the database, run:
The setup program will create a root user and an initial admin user. The root user is a kind of back door; while you never log in as root, the root user will have access to every password on the system.
The setup task will write the root user's private key to a file called “root_key.rsa” in the app's top-level folder. YOU MUST REMOVE THIS FILE AND STORE IT IN A SAFE PLACE. Should you ever be locked out of the system, the root key will allow you to decrypt any password in the database.
Start a web server, and log in as the admin user. You can now add users and passwords. Users can be made into admins, which basically gives them free reign (not recommended); non-admin users may be granted read or write access to any password group.
IMPORTANT: Since private keys are encrypted using user passwords, it's important to choose good passwords. The system is essentially only as strong as its user passwords. By default, the app requires passwords of at least eight characters, with at least one of these being an upper-case letter, and at least two non-word/number characters.
To recover all passwords and write them to a file, run the following:
This rake task will write all passwords RAILS_ROOT/passwords.txt. The rake task will run only if the root key is present in the root folder; hence, again, the importance of storing the root key in a safe place.
This app is fairly well-documented. To view the RDoc, run
and check the doc folder.
mortimer logs all security exceptions to the main log file.
more production.log | grep 'Security'
In a production situation, this app must be run over SSL.
mortimer shouldn't be exposed to the Internet. We use it on an internal network only.
Admin users should be kept to a minimum; passwords for admin users should be as strong as possible.
This should be considered an alpha release; there will be bugs.
We welcome any improvements to mortimer, particularly security patches.
mortimer features a fairly comprehensive test suite using Shoulda. To run the tests:
mortimer is licensed under a modified MIT licence. See LICENCE.txt.
mortimer was written by Kyle Banker, based on a idea by Bart Grantham and guided by Alex Schmelkin and Joshua Rusch.
Copyright 2009 Alexander Interactive, Inc.