PassWare - Hardware password manager for Raspberry Pi Zero
This is a password manager designed for the Raspberry Pi Zero v1.3. It makes use of the hardware random number generator to seed crypto functions when needed, and relies on a PSP joystick for user input.
PassWare was inspired by HardPass, the original hardware password management initiative for Raspberry Pi Zero. This one would never have been possible without all the research girst, its author, made. He truly deserves support for his work.
However, in my humble opinion HardPass suffers from a few drawbacks:
- It was made with internet synchronization in mind. I prefer my password manager to stay disconnected.
- It uses "pass", a *nix password manager based on GPG encryption. This algorithm, however secure and powerful, is bit difficult to use inside other applications because it was never meant to quit the core GPG program. This makes potential ports more difficult.
- Moreover, a public-key cryptographic algorithm is not really useful for the disconnected password manager I want.
- The "button matrix" is probably not really handy given the refresh rate of the i2c oled screen
- If the device is meant to be portable and has a nice oled display, storing the passwords separately for better management isn't needed.
All those reasons made me start my own hardware password manager. It clearly can't boast being as good as HardPass, and was never meant to be so. I just wanted to give it a try, and put the whole thing into public domain, as usual.
All the code compiled into the passware executable is in public domain, including the third-party crypto primitives, provided by the extraordinary "cifra" project (PBKDF2-SHA256 and AES256-EAX).
However, PassWare also requires the WiringPi library to function, which is licensed under GPL. For that reason, I suggest not to try to statically link WiringPi to PassWare when sharing it.
Please note I am not a security expert, and can't guarantee the security of PassWare. Use at your own risk, and use wisely. PassWare makes the assumption that anyone who can access your device multiple times without you noticing will break its security anyway. Passware is meant to protect you if your password database was stolen, because you can make backups. If the NSA or anyone specifically wants your passwords, they will tamper with your hardware or the raspbian system, and easily get your master passphrase. This assumption is also the reason why I didn't bother using a secure anti-swap system. If someone can read your SD card, they can replace the base program, and reverse this security.
Learn how to put a PassWare device together with the online guide.