Github: https://github.com/Q-Vault/qvault
Website (under construction): https:qvault.io
Q Vault is a new open source password manager built using electron, javascript, and vuejs. The goal was to create an open source password manager that:
Is user friendly
Secure enough to store cryptocurrency
Has built-in optional cloud storage backups
Can be used offline
Can require a physical key for extra security (Plastic Cards with QR Code used for dual encryption)
Oldest comments (27)
What library/libraries does it use for cryptography?
2) It's debatable.
3) It is not the password manager's job to sync files. Let the user deal with that. Save it to a file and call it that. Stop trying to do everything. Do one thing, and do it well.
I'd avoid it. It seems really low level from reading some of your source code. Check out a Libsodium port for Node.js.
Using low-level cryptography libraries make it easy to screw up.
I guess it's fine to have a built-in syncing feature, but it divides your attention. You should be focusing on securing the secrets, rather than syncing files and checking for conflicts.
Users could use NextCloud, DropBox, Syncthing, etc. There are already existing solutions. Just sync the file and let those solutions handle conflicts.
Also, what's up with this?
I don't think that a hardcoded salt is production ready ...
But that's no excuse for reusing salts.
You might as well not use a salt.
Libsodium is a cryptography library that's easy to use. You should be using that instead of what you're doing.
Libsodium isn't "training wheels". It's a production ready solution that most people should be using.
Okay. It makes sense. Why do you want AES-256 in GCM mode? And why Scrypt?
Oh okay, that makes sense now. I thought you were using a salt legitimately.