A web-based, self-hosted password manager with client-side encryption.
Author : Ludovic Barman
Vaultage is a password manager.
It runs in the browser and can be accessed from all your devices; passwords are encrypted and decrypted in your browser: no plaintext goes through the network. It is self-hosted: install it securely on your own server. It is open-source: please report any bugs here; I'll do my best to fix them.
Security technologies used: CryptoJS and the Stanford Javascript Crypto Library, using SHA256 as a hash function, and AES (256 bits). Plaintext passwords never leave your computer's memory.
- username : demo
- remote password : demo1
- local password : demo2
Trouble beginning? First `auth`, then `ls`. Try to `get Github`, then `gen` a new password, and `get` it.
Database is reset at 00:00 CET
- (HTTPS) web server with javascript and php
- mysql
- create the database, using `resources/db_setup.sql`
- move `config.default.php` to `config.php`, edit the contents accordingly
- upload all contents to your web server, serve `clients/web-cli`
Or, instead of the above setup, you can directly spawn a docker container. See the Docker README.
- `auth`: authenticate to the mysql server, and `pull`s the entries
- `la`: alias for `loadauth`, the one I use every day to log in
common:
- `get TERM`: filter the results, and display the matching password entry (supports multiple terms: finds all entries matching all terms; use `get -or TERM1 TERM2` to get every entry matching any term)
- `new`: creates a new password entry, then `push`es the changes
- `gen`: creates a new password entry with a random password, and `push`es the changes
- `edit ID`: edits the entry ID (ID is the number in parentheses). Use KEY_UP to display the previous content.
- `rm ID`: removes the entry ID
- `rotate ID`: re-generates a new password for entry ID, keeping all other fields the same
less common:
- `push`: pushes the current entries to the database. Check that no overwrite is done; use `push --force` with caution.
- `pull`: pulls the entries from the database
- `clear`: clear the screen
- `logout`: clear all the in-memory authentication information
- `pwd`: to change your local password. Once done, the next `push` will use the new password.
cookies:
- `saveauth`: saves the username and the remote password in a cookie. Does not save the local password, by design.
- `loadauth`: loads the username and the remote password from the cookie, and asks for the local password. Use as a quicker alternative to `auth`. Also `pull`s the entries
- `clearauth`: removes all authentication cookies
If your server supports it, you can enable email backup; every time a change is made, the database content (it's a ciphertext) is sent to your email. This way, if something goes wrong, you always have an intermediate version of your password database. You can either plug it back into the database, or you can decrypt it with a little javascript (my own "urgence decryptor" script).
To enable it, fill in the information in `config.php`.
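The client-side encryption and offline backup decryption described above, as an added example that is not Vaultage's code or its storage format: only the ciphertext blob reaches the server or the mailbox, and the local password alone recovers it. Assumptions: the Web Crypto API stands in for CryptoJS/SJCL, and the PBKDF2-SHA256 key derivation, AES-256-GCM mode, iteration count and blob field names are chosen for illustration.

```javascript
// Added example: NOT Vaultage's code or storage format. Browser or Node.js.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const enc = new TextEncoder();
const dec = new TextDecoder();
const KDF_ITERATIONS = 600000; // assumed work factor, not a Vaultage setting

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) =>
  Uint8Array.from(hex.match(/../g) ?? [], (h) => parseInt(h, 16));

// Stretch the local password into an AES-256 key (PBKDF2 with SHA-256).
async function deriveKey(localPassword, salt, iterations) {
  const material = await webcrypto.subtle.importKey(
    'raw', enc.encode(localPassword), 'PBKDF2', false, ['deriveKey']);
  return webcrypto.subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Runs in the client: the returned string is all the server or mailbox sees.
async function encryptVault(entries, localPassword) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh per push
  const key = await deriveKey(localPassword, salt, KDF_ITERATIONS);
  const ct = await webcrypto.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, enc.encode(JSON.stringify(entries)));
  return JSON.stringify({ iter: KDF_ITERATIONS, salt: toHex(salt),
    iv: toHex(iv), ct: toHex(new Uint8Array(ct)) });
}

// Offline recovery of a stored or emailed blob; needs only the local password.
async function decryptVault(blob, localPassword) {
  const { iter, salt, iv, ct } = JSON.parse(blob);
  // The blob is untrusted input: bound the work factor before deriving.
  if (!Number.isInteger(iter) || iter < 1 || iter > 5000000) {
    throw new Error('implausible iteration count in blob');
  }
  const key = await deriveKey(localPassword, fromHex(salt), iter);
  try {
    const pt = await webcrypto.subtle.decrypt(
      { name: 'AES-GCM', iv: fromHex(iv) }, key, fromHex(ct));
    return JSON.parse(dec.decode(pt));
  } catch {
    // GCM tag check failed: wrong password, or the ciphertext was altered.
    throw new Error('wrong local password or modified backup');
  }
}
```

Because the mode is authenticated, a backup that was modified in transit or at rest fails to decrypt instead of yielding altered entries.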
Thanks to hmil for his security audit, PR for structure + Docker setup