Lane Wagner

Q Vault: An open source secret manager

GitHub: https://github.com/Q-Vault/qvault
Website (under construction): https://qvault.io

Q Vault is a new open source password manager built using Electron, JavaScript, and Vue.js. The goal was to create an open source password manager that:

  1. Is user friendly

  2. Is secure enough to store cryptocurrency

  3. Has built-in optional cloud storage backups

  4. Can be used offline

  5. Can require a physical key for extra security (plastic cards with a QR code used for dual encryption)

Top comments (27)

Tari R. Alfaro

Also, what's up with this?

I don't think that a hardcoded salt is production ready ...

Lane Wagner

The salt isn't security critical in our use case because the result of the hash isn't stored.

Tari R. Alfaro

But that's no excuse for reusing salts.

Tari R. Alfaro

You might as well not use a salt.

Lane Wagner

  1. Yes it is the perfect excuse to reuse salts because the salt is basically irrelevant.

  2. The crypto library requires a salt so we simply supply one.

Again, we hand chose these algorithms for a reason. We don't want to use a higher level library and lose control. The node/crypto implementation requires a salt so we supply one. It doesn't matter that it never changes or that it is public knowledge.

Tari R. Alfaro

Oh okay, that makes sense now. I thought you were using a salt legitimately.

Lane Wagner

Yeah, it is kinda a strange use case haha

Nathilia Pierce (edited)

Actually, I disagree. Salts are used to prevent rainbow tables/precomputed KDFs, and it's a standard that's highly recommended. You can store the salt with the database. KeePass uses a random salt.

For example, if an attacker precomputed "password" and tried it on another user's machine, then if they're lucky that user's password is also "password", and the database decrypts. This wouldn't happen if you used salts.

Just because the KDF output isn't stored doesn't mean you can't do rainbow tables.

Lane Wagner

Yup, we added random salts several months back!

Nathilia Pierce

Oh. That's great to hear! FYI, Qvault looks nice. Do you think you'll be able to do dual encryption via file(s), or physical security keys?

Lane Wagner

Yes, that is something we are looking into. First we want to add box-level encryption though.

Nathilia Pierce

I've tried searching, but I can't seem to find anything about box-level encryption. What do you mean?

Tari R. Alfaro

What library/libraries does it use for cryptography?

Lane Wagner

Node's crypto library

Tari R. Alfaro (edited)

I'd avoid it. It seems really low level from reading some of your source code. Check out a Libsodium port for Node.js.

Using low-level cryptography libraries makes it easy to screw up.

Lane Wagner

Hmm? It's just hashing and ciphering. Adding an extra dependency in the middle for no reason is scarier to me.

Tari R. Alfaro

Libsodium is a cryptography library that's easy to use. You should be using that instead of what you're doing.

Lane Wagner

I disagree. I understand what I'm doing; I'm well enough versed in cryptography to prefer the actual crypto library over training wheels.

Tari R. Alfaro

Libsodium isn't "training wheels". It's a production ready solution that most people should be using.

Lane Wagner

I'm sure we COULD use it. But really it's a preference thing. I want to use the scrypt hashing algorithm. And I want AES-256 GCM. Why not just use them directly from a trusted source?

Tari R. Alfaro

Okay. It makes sense. Why do you want AES-256 in GCM mode? And why Scrypt?

Lane Wagner

From a high level, GCM is considered more secure than CBC, especially at lower resolutions. Good link: crypto.stackexchange.com/questions...

I like scrypt for our use case because we are simply trying to make it hard to brute force access. Scrypt requires high powered computation AND memory in order to continue guessing keys.

Tari R. Alfaro

2) It's debatable.

3) It is not the password manager's job to sync files. Let the user deal with that. Save it to a file and call it that. Stop trying to do everything. Do one thing, and do it well.

Lane Wagner

2) definitely debatable. Security is a scale.

3) It just saves to a file by default. We like that it has the ability to sync to the cloud backend within the app (optionally) and handle conflicts between local and server.

Tari R. Alfaro (edited)

I guess it's fine to have a built-in syncing feature, but it divides your attention. You should be focusing on securing the secrets, rather than syncing files and checking for conflicts.

Users could use NextCloud, DropBox, Syncthing, etc. There are already existing solutions. Just sync the file and let those solutions handle conflicts.

Lane Wagner

Yup. And they can totally do that. Don't enable the sync to cloud option and just back up your own files. Easy as pie.

Nathilia Pierce

I agree with both of you; however, I think having additional features divides your attention and increases the complexity of the project. Although it's a really good feature for non-tech-savvy users.