donjon 0.0.2 → 0.0.3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +99 -5
- data/lib/donjon/commands/user.rb +8 -1
- data/lib/donjon/version.rb +1 -1
- metadata +1 -1
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a183f49f2e60ad2ed9aaa0257580a4c7b094cf05
|
|
4
|
+
data.tar.gz: 1bf7b4ae1bd9907f553d1736c4e4eece9349d938
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c5484887af5dca5d4f1ca498d858253ed91a57a11d222d2aa4fad8bd65771d49f44e171e2c28c30abb24dbe836c011a83e2a55d362b4e07be3f898efb30b1afb
|
|
7
|
+
data.tar.gz: 0a3a7f7da362f258fa54e6ba81af5030d3b1aa7c7d3351e78937c36fd20f9e33915de5dade5d4688fc6f49157bfa1bbbbcf65275d294a701d4b98f9cf72cd58a
|
data/README.md
CHANGED
|
@@ -1,16 +1,109 @@
|
|
|
1
1
|
# Donjon
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
Donjon is a secure, multi-user store for key-value pairs.
|
|
4
|
+
|
|
5
|
+
Skip to: [Purpose](#purpose) | [Concepts](#concepts) | [Setting
|
|
6
|
+
up](#installation) | [Usage](#usage)
|
|
7
|
+
|
|
8
|
+
## Purpose
|
|
9
|
+
|
|
10
|
+
We built Donjon to share credentials in a (small) devops team, for services where
|
|
11
|
+
single user accounts don't make sense, e.g.:
|
|
12
|
+
|
|
13
|
+
- root passwords for databases and servers
|
|
14
|
+
- root credentials for hosting accounts
|
|
15
|
+
- accounts for web services that don't do multi-user/multi-admin
|
|
16
|
+
- Two-factor tokens for single-user web services.
|
|
17
|
+
|
|
18
|
+
Donjon uses standards for encryption: 2048-bit asymmetric RSA encryption used to
|
|
19
|
+
prime symmetric 256-bit AES CBC encryption with random padding.
|
|
20
|
+
In other words, while the NSA will probably be able to read your data should it
|
|
21
|
+
get its paws on it, it's unlikely Joe Hacker will.
|
|
22
|
+
|
|
23
|
+
[Online tools](https://lastpass.com) exist that serve the same purpose as Donjon, but simply
|
|
24
|
+
put: they're generally closed source and host the data somewhere we don't
|
|
25
|
+
control. We think the inconvenience of not having a cute toolbar icon for
|
|
26
|
+
passwords is trumped by better security.
|
|
27
|
+
|
|
28
|
+
## Concepts
|
|
29
|
+
|
|
30
|
+
A **vault** is a directory managed by Donjon. It contains encrypted key-value
|
|
31
|
+
pairs, and public keys for all allowed users. Each key-value pair lives in its
|
|
32
|
+
own directory. The name of the directory is an obfuscated (hashed) version of
|
|
33
|
+
the key, but it's not encrypted. The directory contains one file per user, each
|
|
34
|
+
containing the key-value pair encrypted with their public key.
|
|
35
|
+
|
|
36
|
+
**Syncing** the vault between users is left as an exercice to users or
|
|
37
|
+
integrators :)
|
|
38
|
+
One option is to use a shared drive (e.g. using a cloud server and
|
|
39
|
+
[SSHFS](http://en.wikipedia.org/wiki/SSHFS)). We prefer to sync the vault
|
|
40
|
+
directory using [Bittorrent Sync](http://www.bittorrent.com/sync) rather than
|
|
41
|
+
leave a copy of it with third parties. Another option is to use Git as a
|
|
42
|
+
distribution mechanism.
|
|
43
|
+
|
|
4
44
|
|
|
5
45
|
## Installation
|
|
6
46
|
|
|
7
|
-
|
|
47
|
+
The setup is slightly different different for new vaults (first subsection below)
|
|
48
|
+
and connecting to an existing vault (second subsection).
|
|
49
|
+
|
|
50
|
+
This section assumes the vault is synced between users using Bittorrent Sync.
|
|
51
|
+
|
|
52
|
+
|
|
53
|
+
### Creating a new vault
|
|
54
|
+
|
|
55
|
+
Install Donjon:
|
|
56
|
+
|
|
57
|
+
$ gem install donjon
|
|
58
|
+
|
|
59
|
+
Run the Donjon configuration:
|
|
60
|
+
|
|
61
|
+
$ dj init
|
|
62
|
+
|
|
63
|
+
Note that while you can re-use an existing private key for Donjon, it must be
|
|
64
|
+
encrypted and be a 2048-bit RSA key.
|
|
65
|
+
|
|
66
|
+
Add, then read a first key-value pair to confirm encryption is working:
|
|
67
|
+
|
|
68
|
+
$ dj config:set TEST=foobar
|
|
69
|
+
$ dj config:get TEST
|
|
70
|
+
TEST: foobar
|
|
71
|
+
|
|
72
|
+
Download, install, and run [Bittorrent Sync](http://www.bittorrent.com/sync/downloads).
|
|
73
|
+
|
|
74
|
+
Add the vault directory you configured during `dj init` to be synced by
|
|
75
|
+
Bittorrent Sync.
|
|
76
|
+
|
|
77
|
+
|
|
78
|
+
### Connecting to an existing vault
|
|
79
|
+
|
|
80
|
+
Download and install [Bittorrent Sync](http://www.bittorrent.com/sync/downloads).
|
|
81
|
+
|
|
82
|
+
Ask a peer already using the vault you're interested in to provide you a "one
|
|
83
|
+
time secret" for the shared vault directory. Add this to Bittorrent Sync, and
|
|
84
|
+
wait for syncing to complete.
|
|
85
|
+
|
|
86
|
+
Install Donjon:
|
|
8
87
|
|
|
9
88
|
$ gem install donjon
|
|
10
89
|
|
|
11
|
-
|
|
90
|
+
Configure Donjon; when prompted for a vault path, enter the path to the relevant
|
|
91
|
+
synced directory:
|
|
92
|
+
|
|
93
|
+
$ dj init
|
|
94
|
+
|
|
95
|
+
At this point your public key has been added to the vault, but you can't access
|
|
96
|
+
any data as it hasn't been encrypted for you. Obtain your public key:
|
|
97
|
+
|
|
98
|
+
$ dj user:key
|
|
99
|
+
|
|
100
|
+
and send it over a reasonably secure medium to your peer. They will then run
|
|
101
|
+
|
|
102
|
+
$ dj user:add <your-username>
|
|
103
|
+
|
|
104
|
+
to encrypt all key-value pairs for your user.
|
|
12
105
|
|
|
13
|
-
|
|
106
|
+
Test that you can read a particular key, and you're all set!
|
|
14
107
|
|
|
15
108
|
|
|
16
109
|
## Usage
|
|
@@ -26,11 +119,12 @@ Commands:
|
|
|
26
119
|
dj help [COMMAND] # Describe available commands or one specific command
|
|
27
120
|
dj init # Creates a new vault, or connects to an existing vault.
|
|
28
121
|
dj user:add NAME [PATH] # Adds user and their public key to the vault. Reads from standard input if no path is given.
|
|
122
|
+
dj user:key # Prints your public key
|
|
29
123
|
```
|
|
30
124
|
|
|
31
125
|
## Contributing
|
|
32
126
|
|
|
33
|
-
1. Fork it ( http://github.com
|
|
127
|
+
1. Fork it ( http://github.com/mezis/donjon/fork )
|
|
34
128
|
2. Create your feature branch (`git checkout -b my-new-feature`)
|
|
35
129
|
3. Commit your changes (`git commit -am 'Add some feature'`)
|
|
36
130
|
4. Push to the branch (`git push origin my-new-feature`)
|
data/lib/donjon/commands/user.rb
CHANGED
|
@@ -7,6 +7,9 @@ module Donjon
|
|
|
7
7
|
desc 'user:add NAME [PATH]', 'Adds user and their public key to the vault. Reads from standard input if no path is given.'
|
|
8
8
|
decl 'user:add'
|
|
9
9
|
|
|
10
|
+
desc 'user:key', 'Prints your public key'
|
|
11
|
+
decl 'user:key'
|
|
12
|
+
|
|
10
13
|
private
|
|
11
14
|
|
|
12
15
|
def user_add(name, path = nil)
|
|
@@ -21,7 +24,7 @@ module Donjon
|
|
|
21
24
|
key_data << line
|
|
22
25
|
end
|
|
23
26
|
else
|
|
24
|
-
key_data = Pathname.new(
|
|
27
|
+
key_data = Pathname.new(path).expand_path.read
|
|
25
28
|
end
|
|
26
29
|
|
|
27
30
|
key = OpenSSL::PKey::RSA.new(key_data, '').public_key
|
|
@@ -31,6 +34,10 @@ module Donjon
|
|
|
31
34
|
database.update
|
|
32
35
|
say "Success! #{name} has been added to the vault.", [:green, :bold]
|
|
33
36
|
end
|
|
37
|
+
|
|
38
|
+
def user_key
|
|
39
|
+
puts actor.key.public_key.to_pem
|
|
40
|
+
end
|
|
34
41
|
end
|
|
35
42
|
end
|
|
36
43
|
end
|
data/lib/donjon/version.rb
CHANGED