Devault is a secret manager that securely encrypts your secrets and stores it. DeVault is a drop-in replacement for BitWarden, Keeper, and similar which stores your data in centralized servers. There have been many instances[1,2] where people's sensitive data stored in cloud are exposed breaking freedom, trust, and privacy of people.
As DeVault is built on top of Phala Network which uses TEEs for state transitions, no data is revealed once you store your secrets. Actually, your secrets are not stored anywhere, they are just derived on the go. Only encryption keys are stored. That too is the encryption of users encryption keys.
Devault uses Argon2id for deriving encryption key from master password and secrets are encrypted using ChaCha20poly1305 (will be switched to AES-256).
Argon2id is the preferred algorithm for Key Derivations. ChaCha20Poly1305 is preferred as same as AES-256 under GCM. Former is used because no well known rust dependency is available for AES-256 that does not depend on PRNG deps. Ink! contracts cannot have PRNG dependencies.
Devault uses Fast Rand crate with js and default features disabled. So, it expects us to provide seed. Initial seed is generated from block timestamp and number. Thus, it is not a cryptographic secure PRNG. As long as master password is not exposed, it is very hard to get secrets because master password is used for deriving user vault's encryption key using Argon2id.
Generate secure master password. Strength of internal encryption of your secrets is directly proportionate to the strength of your master password.
- Run the command below.
tr -dc 'A-Za-z0-9!@#$%^&*?' </dev/urandom | head -c 32 > master_pass.txt-
Open
master_pass.txtand note down the password in a paper (please!!). *Look carefully for lowercase and uppercase! -
Delete
master_pass.txt! Phew..
- Secure secret sharing
- Tag based secret query
- Key rotation
- Compression before encryption
- Frontend
- Generate password/passphrase (will be in frontend)