Password Manager🚧
TLDR
Developing a local password manager in Go with SQLite. Stored passwords are secured with AES-GCM authenticated encryption using a unique nonce per record. A master password, hashed with Argon2 and a salt, gates login, and the same master password is fed, together with a separate KDF salt, into the key derivation that produces the encryption key. All salts and nonces are stored in plain text alongside the encrypted data in the database.
Implementation
- Passwords are all stored in a SQLite file on the user's machine
- All passwords, place names, and user names are encrypted using the user's password, a secret pepper derived from the user's password, and a salt
- The TUI lets users add new passwords, delete passwords, and edit passwords
- Security is set up so that only the CLI can edit the SQLite file
- Logs are all stored in a log file written to the same location as the
Encryption/Decryption
- The hashed master password is stored as an Argon2 hash of the plain-text password plus a salt generated by a pseudo-random number generator
- When logging in, the entered password is checked against the stored master password hash
- All other credentials entered into the database are encrypted with a key that is the output of passing the plain-text master password through the HKDF function
- Passing that key into AES-256 together with a nonce generated by a pseudo-random number generator encrypts the credentials as they are stored in the database
- Decryption is the reverse: the key (the HKDF output) and the salt stored with the encrypted credentials recover the plain text
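As an added illustration of the derive, encrypt, store and decrypt steps above (example code, not the project's own), this standard-library Go snippet derives the AES-256 key from the master password and a stored KDF salt with HKDF-SHA256, seals each credential with AES-GCM under a fresh random nonce kept in the clear in front of the ciphertext, and makes a wrong key or an edited row fail the tag check instead of returning garbage. The HKDF info string, the nonce-prefix row layout and the function names are assumptions; the Argon2 login check is not shown.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// DeriveKey is HKDF-SHA256 (RFC 5869) for one 32-byte output, done on the standard
// library only: extract a PRK from the password and stored KDF salt, expand once.
func DeriveKey(masterPassword, kdfSalt []byte) []byte {
	ext := hmac.New(sha256.New, kdfSalt) // PRK = HMAC(salt, IKM)
	ext.Write(masterPassword)
	exp := hmac.New(sha256.New, ext.Sum(nil)) // T(1) = HMAC(PRK, info || 0x01)
	exp.Write([]byte("pwmanager aes-256-gcm key\x01")) // info string is an assumption
	return exp.Sum(nil) // 32 bytes selects AES-256 in aes.NewCipher
}
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Seal encrypts one credential under a fresh random nonce and returns
// nonce || ciphertext || tag, the value written to the database row.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 12 bytes, fresh for every record
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// Open splits the stored nonce off and decrypts; a wrong master password or a
// tampered row fails the GCM tag check and returns an error, never plaintext.
func Open(key, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(stored) < n {
		return nil, errors.New("stored record too short")
	}
	return gcm.Open(nil, stored[:n], stored[n:], nil)
}
```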
Links
- Password Manager Repo: GitHub