passcrux
PassCrux - Immortalize your master password!
If you are like me, you loathe single points of failure, especially when it comes to passwords,
and extra-especially when it comes to "master" passwords which guard things like password managers.
Some password managers have mechanisms to reset your password; however, every password-reset function is an
increased attack surface. Plus, there is always the spectre of a password manager provider going under,
or getting hacked, or whatever. I wanted a way to back up my "master" passwords under my own terms.
PassCrux gets to the crux of this matter, and has only a passing resemblance to crux-sounding recovery
schemes found in some magical literature ;). It works by separating your password - or any data - into shards
that you can do anything you want with. Just provide M of the N shards and you can recover the original data.
If you haven't been living in a cursed cave for the past two decades, you'll recognize this as
Shamir's Secret Sharing algorithm, which is indeed at the heart of this tool. It's basically a lightweight
wrapper around SSS, with built-in helpers and formatters for storing the shards in human-readable format.
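To make the M-of-N property concrete, here is a self-contained sketch of Shamir's Secret Sharing over GF(2^8), written in Python for brevity. It is an added example, not PassCrux's code or the SSS library it wraps; the function names and the share layout (x byte followed by one y byte per secret byte) are assumptions of this example.

```python
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8+x^4+x^3+x+1 (0x11B); illustration, not constant-time."""
    p = 0
    while b:
        p ^= a * (b & 1)
        a = (a << 1) ^ (0x11B * (a >> 7))
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Inverse of a non-zero element: a^254, because a^255 == 1."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


def split(secret: bytes, m: int, n: int) -> list[bytes]:
    """Return n shares, any m of which recover secret. Layout (assumed here): x byte + y bytes."""
    if not 2 <= m <= n <= 255:
        raise ValueError("need 2 <= m <= n <= 255")
    shares = [bytearray([x]) for x in range(1, n + 1)]
    for s in secret:
        coeffs = secrets.token_bytes(m - 1)  # fresh random polynomial for every secret byte
        for share in shares:
            y = 0
            for c in coeffs:  # Horner: f(x) = s ^ c1*x ^ ... ^ c(m-1)*x^(m-1)
                y = gf_mul(y ^ c, share[0])
            share.append(y ^ s)
    return [bytes(sh) for sh in shares]


def combine(shares: list[bytes]) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0, where the secret byte sits."""
    xs = [sh[0] for sh in shares]
    if len(set(xs)) != len(xs) or 0 in xs or len({len(sh) for sh in shares}) != 1:
        raise ValueError("shares must have distinct non-zero x bytes and equal length")
    secret = bytearray(len(shares[0]) - 1)
    for xi, sh in zip(xs, shares):
        basis = 1
        for xj in xs:
            if xj != xi:
                basis = gf_mul(basis, gf_mul(xj, gf_inv(xj ^ xi)))
        for k in range(len(secret)):
            secret[k] ^= gf_mul(basis, sh[k + 1])
    return bytes(secret)
```

In this sketch, combining fewer than m shares does not raise an error; it silently interpolates to an unrelated value, so a wrong recovery looks just like a right one unless the secret carries its own check.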
Testimonials
Heck, that sounds so fun! I can't wait to lose my master password!
-- aeksco
That's a good way to set up a quest for someone 1000 years in the future. Put a few of those in temples guarded by
bosses, and you've got yourself a solid adventure.
-- erotemic
Usage
To split a password from a prompt, into 5 shards with 3 needed to reconstruct, enter
passcrux split --ratio 3/5 --prompt
Out:
a38f786f19680cb3
c4f5a36d797e336d
38519b5d42021620
f3ab8d463e182893
e4ea839978cc8eae
Now, distribute your shards. In this case, we are just going to dump them into a file for this demo.
Copy (at least) 3 of the 5 output shards and paste into a file, shards.txt, one shard string per line.
shards.txt
a38f786f19680cb3
38519b5d42021620
e4ea839978cc8eae
Then run this command to print the secret:
cat shards.txt | passcrux combine
What to do with shards?
That's entirely up to you! Get creative with it! Here are some ideas to get your ideas churning:
- Stamp them into metal. Hide them in various places. Make a good ol' fashioned pirate map 🏴‍☠️
- Use --enc abc and mark the letters in your favorite books 📚
- Convert hexadecimal values into notes and make some sweet guitar riffs 🎸
- Give a copy to M trusted friends with instructions to delete your browser history 🗑️
Building/Installation
Turbo-instant docker usage:
docker run --rm -it xkortex/passcrux [OPTIONS]
Note: -it is required for -p/--prompt (interactive password prompt) and -v for any file-I/O.
Conventional:
Requires a typical golang environment. Simply run make to compile passcrux to $GOPATH/bin/passcrux
todo
- main IO commands
- primary encode formats: hex, base32, base64
- "abc" encoding
- Stabilize pipe-in interface and flags
- validate/ensure correct behavior with DOS-style carriage returns \r and \r\n
- test on windows
- Travis / CI hooks
- Dockerfile
- standardize output formatter interface
- goexpect for testing interactive password prompt
- config parsing
- handling for raw bytes I/O
Stretch goals:
License
PassCrux is licensed under Mozilla Public License v2.0 [FAQ]. Use it to your heart's content. ¯\_(ツ)_/¯
The current implementation relies on SSS from Hashicorp Vault, also MPL2. PassCrux uses SSS wholesale without any modification.
Cobra is licensed Apache, Copyright (c) 2015 Steve Francia spf@spf13.com
Viper is licensed MIT, Copyright (c) 2014 Steve Francia
IANAL and I think I am doing this correctly, but if something is in error, please open an Issue or PR to help rectify. Go makes it astoundingly easy to go get code and use it in your project, and if you ask me, if you are advertising your code as go-gettable on Github, your intent is to share, but it's not my call, so please clarify if I am in the wrong.
Thanks!