SECURITY.md

File metadata and controls

45 lines (35 loc) · 1.72 KB

StrongBox Security 🔐

StrongBox encrypts passwords before storing them in the given database. It uses the Fernet module (a Python implementation of symmetric authenticated cryptography) to achieve this, with the Fernet key derived from the vault password and a per-vault salt via PBKDF2:

```python
import base64

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC


def generate_key(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256, 32-byte output, 390000 iterations, salted per vault
    kdf = PBKDF2HMAC(
        algorithm=hashes.SHA256(),
        length=32,
        salt=salt,
        iterations=390000,
    )
    # Fernet expects the 32-byte key as URL-safe base64
    key = base64.urlsafe_b64encode(kdf.derive(bytes(password, "utf-8")))
    return key
```

Function extracted from the encryption.py file.

🔑 Passwords storage

All passwords are stored in vaults. Each vault has a vault_id, a vault_salt and a hashed_vault_password.

The hashed_vault_password is the hash of the vault_password, a string given by the user which, combined with the vault_salt, is used to encrypt and decrypt the passwords in a vault.

```python
from hashlib import sha256


def generate_hash(vault_password: str) -> str:
    # Unsalted SHA-256 of the vault password, used only to identify the vault
    return sha256(vault_password.encode()).hexdigest()
```

  • vault_password should be a long string of characters (ideally random)
  • Two vaults cannot have the same vault_password

When you enter a vault_password, StrongBox hashes it and compares the result with every vault's hashed_vault_password.

If it matches one, StrongBox opens that vault and uses the vault_password (salted with that vault's vault_salt) to decrypt all passwords stored in it and to encrypt any new passwords stored there.

If it finds no match, StrongBox asks whether the user wants to create a new vault with that vault_password. If the user accepts, a random vault_salt and vault_id are generated and stored alongside the hashed_vault_password.
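The open-or-create flow described above, as an added example that is not code from the StrongBox repository. It derives the Fernet key with the standard library's `hashlib.pbkdf2_hmac` using the same parameters as the page's `generate_key` (SHA-256, 32 bytes, 390000 iterations, so the output matches the `cryptography` PBKDF2HMAC call), compares hashes in constant time with `hmac.compare_digest`, and skips the interactive "create a new vault?" prompt; `Vault`, `find_vault`, `create_vault` and `open_or_create` are names assumed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PBKDF2_ITERATIONS = 390000  # same iteration count as the page's generate_key


@dataclass
class Vault:
    vault_id: str
    vault_salt: bytes
    hashed_vault_password: str


def generate_hash(vault_password: str) -> str:
    # Unsalted SHA-256 of the vault password: this is the lookup value, never the encryption key
    return hashlib.sha256(vault_password.encode()).hexdigest()


def generate_key(password: str, salt: bytes) -> bytes:
    # hashlib equivalent of PBKDF2HMAC(SHA256, length=32, salt, iterations=390000)
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32)
    # URL-safe base64 of 32 bytes is the 44-byte key format Fernet expects
    return base64.urlsafe_b64encode(raw)


def find_vault(vaults, vault_password: str):
    # Compare the entered password's hash against every stored hashed_vault_password
    digest = generate_hash(vault_password)
    for vault in vaults:
        if hmac.compare_digest(vault.hashed_vault_password, digest):
            return vault
    return None


def create_vault(vaults, vault_password: str) -> Vault:
    # Two vaults cannot share a vault_password, so refuse a duplicate before storing anything
    if find_vault(vaults, vault_password) is not None:
        raise ValueError("a vault with this vault_password already exists")
    vault = Vault(vault_id=secrets.token_hex(8),           # random vault_id
                  vault_salt=secrets.token_bytes(16),      # random per-vault salt
                  hashed_vault_password=generate_hash(vault_password))
    vaults.append(vault)
    return vault


def open_or_create(vaults, vault_password: str):
    # Returns (vault, fernet_key, created): the key is what encrypts/decrypts that vault's passwords
    vault = find_vault(vaults, vault_password)
    created = vault is None
    if created:
        vault = create_vault(vaults, vault_password)
    return vault, generate_key(vault_password, vault.vault_salt), created
```

Because the salt is stored per vault, re-entering the same vault_password reproduces the same key for that vault, while the same password with a different salt yields a different key.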