Online secure secret storage and sharing, based on client-side encryption.
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
config Dev config without TLS Dec 1, 2018
docker Google Kubernetes Engine service Nov 30, 2018
front Small frontend fix Dec 1, 2018
nginx Nginx docker Nov 29, 2018
sql Secrets SQL Dec 1, 2018
.gitignore Initial Commit. Nov 25, 2018
.whitesource Initial WhiteSource configuration file Dec 17, 2018 Contributing Dec 1, 2018 Issue Template Dec 1, 2018
LICENSE.txt Apache 2 License Dec 1, 2018 Readme Dec 1, 2018
pom.xml Fully externalized properties. Profiles removed. Dom4j updated to 2.1.1 Nov 29, 2018


GuardedBox is an OpenSource online secret manager. It allows users to upload secrets to a centralized server and retrieve them at anytime and anywhere. It also allows users to share their secrets with other users.

Secrets are stored encrypted server-side. The encryption is perfomed client-side by javascript. It is based on RSA2048-AES256-CBC asymmetric encryption. The RSA key pair is generated from the user login credentials during the login process. The AES keys are generated randomly for each encryption.

The server knows the public key of every user. Any user can retrieve the public key of any other user and encrypt a secret for him, such that only that user will be able to decrypt it, using his own private key generated from his credentials. This is all done client-side by javascript.

The server does not receive the user password during the login process. Instead, a cryptochallenge is used. When a user wants to perform a login, the server sends him a token. The user must sign it with his RSA private key and send it back to the server. Again, this is all done client-side by javascript.

Online Service

GuardedBox is deployed online:

It is a free service for anyone!

Technical Documentation and On-Premise Deployment

GuardedBox is a Java/Spring-Boot project. See the file pom.xml and the folder src. The front-end is based on ReactJS. See the front folder. The used database is MySQL. See the sql folder.

The project is built with the following command at its root directory:

mvn clean install

A jar will be generated in the folder target. Run it with the following command:

java -jar guardedbox.jar

It requires a MySQL instance with the schema described in the file sql/guardedbox.sql. It also requires a external properties file (the in the previous command). It accepts any Spring-Boot property, included the MySQL connection URL.

Spring-Boot properties:

A example of properties files can be found at the folder config.

The project is also dockerized. The main image is built with the following command at the project root directory:

docker image build -t s3curitybug/guardedbox -f docker/guardedbox/Dockerfile .

There is also a secondary image, consisting on an Nginx used to redirect traffic from http to https. It is built with the following command:

docker image build -t s3curitybug/guardedbox-nginx -f docker/guardedbox-nginx/Dockerfile .

The Nginx configuration file is in the folder nginx.

The containers can be run locally with the following command at the project root directory:

docker-compose -f docker/docker-compose.yml up

Both images are available at Docker Hub:

They still require a MySQL instance and a properties file that may be introduced in a external volume.