
hmil / vaultage


This project forked from vaultage-pm/vaultage


A web-based, self-hosted password manager with client-side encryption.

Home Page: https://demo.lbarman.ch/vaultage

License: GNU General Public License v2.0

PHP 1.05% CSS 4.04% HTML 8.30% JavaScript 86.61%


Vaultage

A web-based, self-hosted password manager with client-side encryption.

Description

Author : Ludovic Barman

Vaultage is a password manager.

It runs in the browser and can be accessed from all your devices; passwords are encrypted and decrypted in your browser, so no plaintext goes through the network. It is self-hosted: install it securely on your own server. It is open-source: please report any bugs here; I'll do my best to fix them.

Security technologies used: CryptoJS and the Stanford Javascript Crypto Library, using SHA256 as the hash function and AES (256 bits). Plaintext passwords never leave your computer's memory.

Live demo

-> access the live demo

  • username : demo
  • remote password : demo1
  • local password : demo2

Trouble beginning? First auth, then ls. Try to get Github, then gen a new password, and get it.

Database is reset at 00:00 CET

Examples

Vaultage demo 1

Vaultage demo 2

Requirements

  1. (HTTPS) web server with javascript and php
  2. mysql

Setup

  1. create the database, using resources/db_setup.sql
  2. move config.default.php to config.php, edit the contents accordingly
  3. upload all contents to your web server, serve clients/web-cli

Docker setup

Or, instead of the above setup, you can directly spawn a docker container. See the Docker README.

Possible commands

  • auth : authenticates to the mysql server, and pulls the entries
  • la : alias for loadauth, the one I use everyday to login

common :

  • get TERM : filters the results, and displays the matching password entry (supports multiple terms and finds all entries matching all terms; use get -or TERM1 TERM2 to get every entry matching any of the terms)
  • new : creates a new password entry, then pushes the changes
  • gen : creates a new password entry with a random password, and pushes the changes
  • edit ID : edits the entry ID (ID is the number in parenthesis). Use KEY_UP to display the previous content.
  • rm ID : removes the entry ID
  • rotate ID : re-generates a new password for entry ID, keeping all other fields the same

less common :

  • push : pushes the current entries to the database. Check that no overwrite is done; use push --force with caution.
  • pull : pulls the entries from the database
  • clear : clears the screen
  • logout : clears all the in-memory authentication information
  • pwd : to change your local password. Once done, the next push will use the new password.

cookies:

  • saveauth : saves the username and the remote password in a cookie. Does not save the local password, by design.
  • loadauth : loads the username and the remote password from the cookie, and asks for the local password. Use as a quicker alternative to auth. Also pulls the entries.
  • clearauth : removes all authentication cookies

Email backups

If your server supports it, you can enable email backup; every time a change is made, the database content (it's a ciphertext) is sent to your email. This way, if something goes wrong, you always have an intermediate version of your password database. You can either plug it back into the database, or you can decrypt it with a little javascript (my own "urgence decryptor" script).

To enable it, fill in the information in config.php
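
The client-side encryption model from the Description, and the offline recovery of an emailed ciphertext backup, as an added sketch (not Vaultage's code, key derivation or storage format). Node's built-in crypto module stands in for CryptoJS/SJCL; PBKDF2-SHA256, AES-256-GCM, the blob layout and the function names are assumptions of this example.

```javascript
// Added illustration; NOT Vaultage's code, KDF or storage format.
const crypto = require("crypto");

const KDF_ITERATIONS = 100000; // assumed work factor for this sketch

// Derive a 256-bit AES key from the local password. The key stays on the client.
function deriveKey(localPassword, salt) {
  return crypto.pbkdf2Sync(localPassword, salt, KDF_ITERATIONS, 32, "sha256");
}

// Encrypt the entry list. The returned string is all a server or mailbox holds.
function sealVault(entries, localPassword) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(localPassword, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(entries), "utf8"), cipher.final()]);
  return [salt, iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64")).join(".");
}

// Offline recovery from a stored blob using only the local password.
// Returns null when the password is wrong or the blob was modified.
function openVault(blob, localPassword) {
  const parts = blob.split(".");
  if (parts.length !== 4) return null;
  const [salt, iv, tag, ct] = parts.map((p) => Buffer.from(p, "base64"));
  if (salt.length !== 16 || iv.length !== 12 || tag.length !== 16) return null;
  try {
    const decipher = crypto.createDecipheriv("aes-256-gcm", deriveKey(localPassword, salt), iv);
    decipher.setAuthTag(tag); // GCM tag check rejects tampered ciphertext
    const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch (err) {
    return null;
  }
}

// Constructed sample entry; passwords reuse the demo's local/remote values.
const sampleEntries = [{ id: 0, title: "Github", login: "demo", password: "constructed-sample" }];
const backup = sealVault(sampleEntries, "demo2");
console.log("plaintext visible in backup:", backup.includes("constructed-sample"));
console.log("local password opens it:", openVault(backup, "demo2") !== null);
console.log("remote password opens it:", openVault(backup, "demo1") !== null);
```
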

Contributors

Thanks to hmil for his security audit, PR for structure + Docker setup
