Skip to content
Slack command to manage shared passwords between the members of a channel in Slack.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.

Password Scale

Build Status

Is a Slack command to manage shared passwords between the members of a channel in Slack.

This project was build focused in establishing a communication where the trustness between parties is not required, using the asymmetric algorithm RSA to share encrypted information point to point and where the only participant allowed to read the stored passwords is the Password Server, who is different and independent for each client.


  • /pass or /pass list list the available passwords in the channel.
  • /pass <secret> or /pass show <secret> retrieve a one time use link with the secret content, this link expires in 15 minutes.
  • /pass insert <secret> retrieve a link with an editor to create a secret, this link expires in 15 minutes.
  • /pass remove <secret> make unreachable the secret, to complete deletion in necessary doing it manually from the s3 password storage.
  • /pass register <password_server_url> this is the command used for the initial setup, it is only necessary to execute it once.


How it work?

Been Alice and Bob members of the same Slack group, they need to share the password of the service "Bar". This is the process that they need to follow to share it. In this example Alice will create the secret and Bob will consult it.

Creating a secret

  • Alice: Requests a link to create the secret (/pass insert Bar)
  • Proxy Server: Generates an unique editor link, valid for 15 minutes
  • Slack: Shows the editor link, only visible for Alice
  • Alice: Follows the link
  • Proxy Server: Requests the the public key to the Password Server and send it to the editor
  • Editor: Displays itself in Alice's browser
  • Alice: Writes the shared secret
  • Alice: Press the "Create" button
  • Editor: Encrypts the secret before sending the request
  • Editor: Sends the request to the Proxy Server
  • Proxy Server: Sends the encrypted secret to the Password Server (note that this secret is indecipherable for this server)
  • Password Server: Stores the encrypted secret in the configured S3 bucket.

Note: Editor and Proxy Server are the same server, but Editor represents the frontend view.

Retrieving a secret

  • Bob: Requests a link to see the secret (/pass Bar or /pass show Bar)
  • Proxy Server: Requests the secret to the password server using the Slack team name and channel id
  • Password server: Reads and decrypt the secret
  • Password server: Generates one time use link with the secret, valid for 15 minutes (using One-Time Secret API)
  • Password server: Encrypts the link with the Proxy Server public key
  • Password server: Sends the encrypted link to the Proxy Server
  • Proxy server: Decrypts the one time use link
  • Proxy server: Sends the link to Slack
  • Slack: Shows the link only visible for Bob
  • Bob: Follows the link
  • Onetimesecret: Shows and destroys the secret

How to deploy your own Password Server

In order to be efficient with the resource management and facilitate the deploy process this guide shows the process to put in producction a serverless infracstructure using AWS Lambda plus API Gateway using Zappa


Required accounts

Installed software

Step-by-step guide

  • Clone password-scale project git clone and do cd password-scale
  • Create a virtual environment mkvirtualenv password-scale -p python3
  • Install dependencies pip install -r requirements/storage-server.txt
  • Create zappa_settings.json file based on zappa_settings.example.json cp zappa_settings.example.json zappa_settings.json
  • Modify "s3_bucket" and "environment_variables" variables in the new zappa_settings.json file, replacing each value for your owns (for the "environment_variables" see the table below)
  • Deploy your server zappa deploy

Done! now you will need to register your server in Slack, using the command /pass register <new_server_url> to retrieve your server URL use the command zappa status and check the API Gateway URL. If you have any error using the command after configuration use zappa tail command to retrieve the server logs.

Environment variables table

Key Description
AWS_ACCESS_KEY_ID Your AWS public key, this key only needs permission to use S3
AWS_S3_REGION (optional) The AWS region where the password storage bucket will be created, the default value is us-east-1
ENCRYPTION_KEY_URL (optional) This is the url to retrieve the Proxy Server public key, , the default value is
ONETIMESECRET_KEY Your One-Time Secret API key
ONETIMESECRET_USER Your One-Time Secret user name
PASSWORD_STORAGE Unique name for your password storage bucket
BIP39 Mnemonic code for generating deterministic keys, specification:
You can’t perform that action at this time.