pi-security-module

module

v0.0.0-...-5dc20d2 Latest Latest Go to latest Published: Feb 20, 2019 License: Apache-2.0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/function61/pi-security-module

Links

README ¶

What is this?

Software for a separate trusted hardware device ("hardware security module") which essentially acts just like Keepass and only serves the function of storing secrets.

If you use Keepass on your PC and your PC gets compromised by a virus or a hacker, it's game over. But if you use a separate device for storing secrets, your PC compromise does not expose your secrets. This software only exposes your secret when you physically press a button on the device - and only exposes one secret per push acknowledge.

Links

Architecture summary
Comparison to alternatives
All documentation - everything you seek is probably here. The above links were just some of the most important links to this documentation site.

Features

No cloud
Physical acknowledgement to expose a password by pressing a button on a U2F key (YubiKey for example), so a hacker would need local, physical, access to steal your secrets.
Supported secrets:
- Passwords
- OTP tokens (Google Authenticator)
- SSH keys (via SSH agent protocol)
- Keylists ("printed OTP list")
- Freetext (any text content is treated as secret data)
Create, view and list secrets in a folder hierarchy.
Export database to Keepass format (for viewing in mobile devices when traveling etc.)
Import data from Keepass format

Recommended hardware

I'm using Raspberry Zero W with wooden case.

It doesn't matter much which hardware you use, as long as you don't run anything else on that system - to minimize the attack surface. For such a light use Raspberry Pi is economical, although this project runs across processor architectures and operating systems because Golang is so awesome. :)

Download & running

Click the "Download" badge at top of this readme and locate the binary for your OS/arch combo:

For Raspberry Pi, download pism_linux-arm
For Linux PC, download pism_linux-amd64

Note: don't worry about public.tar.gz - it's downloaded automatically if it doesn't exist.

Rename the downloaded binary to pism.

Pro-tip: you can download this directly to your Pi from command line:

$ mkdir pi-security-module/
$ cd pi-security-module
$ curl --fail --location -o pism <url to pism_linux-arm from Bintray>

# mark the binary as executable
$ chmod +x pism

Installation & running:

$ ./pism server init-config admin yourpassword
$ ./pism server install
Wrote unit file to /etc/systemd/system/pi-security-module.service
Run to enable on boot & to start now:
        $ systemctl enable pi-security-module
        $ systemctl start pi-security-module
        $ systemctl status pi-security-module

Looks good. You should now be able to access the web interface at http://<ip of your pi>.

How to build & develop

How to build & develop (with Turbo Bob, our build tool). It's easy and simple!

Directories ¶

Path	Synopsis
bin
cmd
pism
pkg
commands
crypto
extractpublicfiles
f61ui
httpserver
httpserver/muxregistrator
httputil
keepassexport
keepassimport
restcommandapi
restqueryapi
signingapi
sshagent
state
tarextract
u2futil

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL