Hi Johan,

First of all, Great work! This is very impressive!

Is it possible to change the code to disable the destruction of secrets when viewed?
We're looking at deploying this internally, but in testing have found many people click the link by accident before distributing.

Obviously, if this is fundamentally impossible - we'll deal with it :)

Many thanks!

I had to move the app to my new EKS cluster. Once I moved it, the app never worked as it used to. I would take a while to load and once it does and I try to translate a message it just says "Failed to Fetch". I tried updating the forked branch but that did not seem to make a difference. I can see the pod is running and the logs are only showing heath checks from the ALB, nothing else.

Hi, Yopass doesnt seem to work in IE11. Its just a blank page. Any plans on getting it to work on IE11?

I'd like to start the docker containers using docker-compose.

I'm currently running both memcached and yopass containers like this and it's working just fine. Perhaps this could be added to readme? Below is without TLS support. I'm running a separate nginx proxy for that.

version: '2.0'
services:
  memcached:
    restart: always
    image: "memcached"
    ports:
      - "11211:11211"
  yopass:
    restart: always
    image: "jhaals/yopass"
    ports:
      - "1337:1337"
    command: "--memcached=memcached:11211"

$ docker-compose up -d

Does the docker-compose file look okay? Any tips or trix @jhaals?

ability to specify max length for secrets.

Currently you have to manually select and copy the text, which is easy enough to do. However, it's also easy to miss some of the text by accident and only copy a portion of the text. Because the messages expire, and may be configured for "One-time download" so they can only be viewed once, it would be helpful to have a "Copy to clipboard" button on the Decrypted Message page to ensure that all of the text gets copied correctly.

Hi,
I've successfully installed yopass and it was working fine. After a while however I'm getting error message:
"Unable to store message in database, error: TypeError: Failed to fetch"

Then I need to reinstall the image and yopass is working fine for a while. Could you advise what it can be?

Hi,
I'm getting following error during building container. Are you able to help?
Thanks.

Step 4/14 : COPY . .
 ---> 312f326bccc9
Step 5/14 : WORKDIR /yopass/cmd/yopass
 ---> Running in f2fd70ec00f8
Removing intermediate container f2fd70ec00f8
 ---> 253696da6b1a
Step 6/14 : RUN go get && go build
 ---> Running in b25d9937768a
go: finding github.com/spf13/viper v1.6.1
go: finding github.com/stretchr/testify v1.3.0
............
go: downloading gopkg.in/ini.v1 v1.51.0
go: downloading golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a
go: downloading golang.org/x/text v0.3.0
go build github.com/jhaals/yopass/pkg/yopass: module requires Go 1.13
go build github.com/spf13/pflag: module requires Go 1.12
The command '/bin/sh -c go get && go build' returned a non-zero code: 1

I'm getting the following error when trying to build the 8.0 docker container:

 ---> Running in a794bf84cb89
yarn install v1.13.0
[1/4] Resolving packages...
[2/4] Fetching packages...
info [email protected]: The platform "linux" is incompatible with this module.
info "[email protected]" is an optional dependency and failed compatibility check. Excluding it from installation.
[3/4] Linking dependencies...
warning " > [email protected]" has unmet peer dependency "[email protected] - 3".
warning " > [email protected]" has unmet peer dependency "popper.js@^1.14.7".
warning "react-scripts-ts > [email protected]" has unmet peer dependency "babel-core@6 || 7 || ^7.0.0-alpha || ^7.0.0-beta || ^7.0.0-rc".
warning "react-scripts-ts > [email protected]" has unmet peer dependency "babel-runtime@^6.23.0".
warning "react-scripts-ts > [email protected]" has incorrect peer dependency "typescript@^2.1.0".
warning "react-scripts-ts > [email protected]" has incorrect peer dependency "jest@^22.0.1 || ^22.1.0-alpha.1 || ^23.0.0-alpha.1".
warning "react-scripts-ts > [email protected]" has incorrect peer dependency "[email protected]".
[4/4] Building fresh packages...
Done in 48.80s.
yarn run v1.13.0
$ react-scripts-ts build
Failed to compile.

ENOENT: no such file or directory, stat '/website/public/yopass.svg'


error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
The command '/bin/sh -c yarn install && yarn build' returned a non-zero code: 1


version 7.0 builds without issue

Ability to rate limit requests. This can be done by an apache/nginx proxy but it should be added to yopass since it ships with a proper web server nowadays

Hi, I want to adopt the FE slightly of the app. Could you provide me some tipps how this could be solved? If I understand correct, the docker image has only compiled templates.

Could you provide me some tipps how to build the Dockerfile by my own with modified frontend related source files? (HTML, CSS, JS)

It would be great to send someone a link to an encrypted blob read from a file.
In this case, the blob would be stored in the dynamo table

See a demo of how this works elsewhere here: https://demo.tutorialzine.com/2013/11/javascript-file-encrypter/

We can use CryptoJS to allow the user to select a file, it will be encrypted client-side in the browser, we can then base64 encode the file and compute a sha1, and ship both to DynamoDB so the URL becomes the sha1/random-decrypt-key and then at the other end, it downloads the file out of Dynamo.

Is there a way to install on cPanel? I have tried copying the files from the public folder to my cPanel public_html directory but when I click the Encrypt Message button nothing happens.

Problem:
Users unable to save secrets.

Steps to reproduce:

1. Go to main page
2. Enter data in input box
3. Click "Encrypt Message"

The screen will not update, and looking at the browser's console you can see that there is a 404 for when trying to load aes.js.

Here's the JS thats trying to load: https://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/aes.js

Ability to set threshold to X secrets/hour/ip

the upload functionality available under /#/upload is super useful for sharing certificates etc, can you please add an option to link to this page from the main page?

I've (I think) installed the dependencies, but when I try to run it I get this:

# github.com/jhaals/yopass/pkg/yopass
jhaals/yopass/pkg/yopass/yopass.go:50:19: multiple-value uuid.NewV4() in single-value context

Info:

go version go1.10.4 **linux/amd64**

# go env
GOARCH="amd64"
GOBIN=""
GOCACHE="/root/.cache/go-build"
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/root/go"
GORACE=""
GOROOT="/usr/lib/go-1.10"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go-1.10/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build556093694=/tmp/go-build -gno-record-gcc-switches"

Hi there,

when you use the feature to create links that can be used multiple times, the following text is still shown to users:

"Remember that the secret can only be downloaded once so do not open the link yourself."

Hi,
First thanks for the great app.
I have a problem executing into yopass container, I tried the following without avail:
docker exec -ti deploy_yopass_1 /bin/sh
docker exec -ti deploy_yopass_1 /bin/bash

It seems that i can't find any installed shell in the docker container.

Currently the passwords are stored in clear-text. This exposes all stored passwords if the machine is breached.

Security could be enhanced if the URL that is passed around contained a secret. yopass would then transparently decrypt the stored password and display it.

It seems like keys are generated using Math.random():

Background: I wanted to share a file securily with someone this morning. I ended up encrypting using gpg --symmetric, e-mailing the file and sending the secret through Yopass. Two issues with this:

• For a non-technical person this would not be doable (they would likely resort to some less good zip file format encryption algorithm).
• Experience of sharing a file was really bad encouraging me, and others, to reinvent file sharing procedures.
  • Specifically for my solution, the encrypted file might reside in the receiving e-mail inbox without me knowing. Preferably the file should not be stored online at all after it has been downloaded by the receiver.

Proposal: Add support for file uploads and downloads for sharing larger secrets.

Scope: For simplicity, I propose only a single file can be uploaded. The submitter can easily bundle multiple files in a zip file.

Potential workaround: I tried to base64 encode the file I wanted to share and paste it into Yopass. For smaller files this might work, however, Yopass responsed that my secret was too large (possible to raise this limit?).

Discussion points: Yopass uses memcached. memcached has default --max-item-size=1mb so assuming no partioning is done, that will be the upper size. That said, the memcached limit can be raised to allow larger files. I don't think raising the limit has any big implications.

When maxLength parameter was added, the lambda deploy was not updated.

Hey, I really like the checkbox for the "one-time view". However, it's not possible to delete such an entry while viewing the content.

What do you think about adding such a button in the UI?

Hello,
I'd like to share with you with my modification, which allow users define the Decryption Key on the own.
I'm not the programist, so forgive me possible mistakes.

Maybe you will consider to extend main code with this possibility.

[...]
  const submit = async () => {
    if (secret === '') {
      return;
    }
    //new optional key validation 
    if (password !== '') {

      if (password.length > 30) {
          setLoading(false);
          setError('Decryption key is to long');
          return;
      }

      const letterNumber = /^[0-9a-zA-Z]+$/;
      if (!password.match(letterNumber)) {
          setLoading(false);
          setError('Decryption key is not alphanumeric');
          return;
      }
    }
//end of new optional key validation 

    setLoading(true);
    setError('');

    try {
//modified 
        const rand = randomString();
        let pw;
        if (password === ''){
         pw = rand;
        } else {
         pw = password;
        }
//end modification
      const request = await fetch(BACKEND_DOMAIN, {

[....]
        <Form>
          <FormGroup>
            <Label>Secret message</Label>
            <Input
              type="textarea"
              name="secret"
              rows="4"
              autoFocus={true}
              placeholder="Message to encrypt locally in your browser"
              onChange={e => setSecret(e.target.value)}
              value={secret}
            />
          </FormGroup>
//add new Form Group
          <FormGroup>
            <Input
              rows="1"
              type="text"
              name="password"
              placeholder="Optional alphanumeric Decryption Key"
              onChange={e => setPassword(e.target.value)}
              value={password}
            />
          </FormGroup>
//end of new Form Group
          <FormGroup tag="fieldset">
            <Label>Lifetime</Label>

In my installation I also reduced the autogenerated Key to 6 digits:

const randomString = (): string => {
  let text = '';
  const possible =
    '0123456789';
  for (let i = 0; i < 6; i++) {
    text += possible.charAt(randomInt(0, possible.length));
  }
  return text;
};

Have a nice day.
Regards.

Memcache by default can store 1M items and dynamodb can store 400kB, currently yopass can only store items under 10,000 in length. I suggest increasing the size to closer to the max dynamodb size or having a config option to optionally increase this

Hi, i am a graphics designer. I will like to know if you want me to create a new logo for your project.

Hi,

please support a password for the redis connection, so I can use a redis installation outside the yopass installation (eg. from environment variable for k8s).

THX

Johan, I'm really sorry but as I'm not sure if you watch closed issues, so I opened new one.
Basically I missed "s" in certs but only in description of the issue. On the server I haven't missed it, and just in case in once I've changed certs to cert but everywhere in the command and folder. Unfortunately it didn't help. Have you tried youpass with certbot? I really like youpass but so far I used public certificate authority and now I would like to install letsencrypt. Is it possible? Unfortunately the software works in docker and I don't have too much experience with the docker so my plan was to:

1. Stop docker service
2. run certbot to get/renew certificate
3. start docker.

It should work but unfortunately youpass container doesn't seem to find my certificate.

The code in deploye/aws-lambda references some GitHub repos that do not exist.

$ cd deploy/aws-lambda
$ GOOS=linux go build -o main
main.go:10:2: cannot find package "github.com/akrylysov/algnhsa" in any of:
	/usr/src/github.com/akrylysov/algnhsa (from $GOROOT)
	/home/USER/go/src/github.com/akrylysov/algnhsa (from $GOPATH)
main.go:12:2: cannot find package "github.com/aws/aws-sdk-go/aws" in any of:
	/usr/src/github.com/aws/aws-sdk-go/aws (from $GOROOT)
	/home/USER/go/src/github.com/aws/aws-sdk-go/aws (from $GOPATH)
main.go:13:2: cannot find package "github.com/aws/aws-sdk-go/aws/session" in any of:
	/usr/src/github.com/aws/aws-sdk-go/aws/session (from $GOROOT)
	/home/USER/go/src/github.com/aws/aws-sdk-go/aws/session (from $GOPATH)
main.go:14:2: cannot find package "github.com/aws/aws-sdk-go/service/dynamodb" in any of:
	/usr/src/github.com/aws/aws-sdk-go/service/dynamodb (from $GOROOT)
	/home/USER/go/src/github.com/aws/aws-sdk-go/service/dynamodb (from $GOPATH)
main.go:15:2: cannot find package "github.com/jhaals/yopass/pkg/yopass" in any of:
	/usr/src/github.com/jhaals/yopass/pkg/yopass (from $GOROOT)
	/home/USER/go/src/github.com/jhaals/yopass/pkg/yopass (from $GOPATH)

Dependabot couldn't parse the go.mod found at /go.mod.

The error Dependabot encountered was:

go: github.com/spf13/[email protected] requires
	github.com/grpc-ecosystem/[email protected] requires
	gopkg.in/[email protected]: invalid version: git fetch --unshallow -f origin in /opt/go/gopath/pkg/mod/cache/vcs/748bced43cf7672b862fbc52430e98581510f4f2c34fb30c0064b7102a68ae2c: exit status 128:
	fatal: The remote end hung up unexpectedly

View the update logs.

I'm attempting to setup yopass compiled from source based on the latest tag, listening to localhost with a reverse proxy in front. However I can't reach the yopass instance. What may I be missing?

Many thanks for a great piece of software that served me well on many occasions.

# ps uaxww | grep -E 'yopass|redis'
redis    18838  0.1  0.0  51444  2376 ?        Ssl  23:12   0:00 /usr/bin/redis-server 127.0.0.1:6379
yopass   19471  0.0  0.2 313464  7728 ?        Ssl  23:13   0:00 /usr/bin/yopass serve --address 127.0.0.1 --port 8080 --database redis


# curl -X GET http://localhost:8080
404 page not found
# curl -X GET http://localhost:8080/yopass
404 page not found

Hello,
I tested a little bit an file uploading feature and I noticed a problem with sharing zip/7z archives.
After uploading and downloading an archive become corrupted and unreadable.

I attach a sample zip files with almost empty txt file inside and same files after being downloaded.

Sharing file is great feature even for small files (this is enough for sharing certificates or VPN's profiles) when it's working correctly. 😄

Regards.

sample.zip
sample-downloaded.zip

Hi,
I'm trying to run yopass on port 443 but setting it like below doesn't work. It does on 1337, Could you advise please?

docker run --name memcached_yopass -d memcached

docker run -p 443:443 -v /local/certs/:/certs
--link memcached_yopass:memcache -d jhaals/yopass -memcached=memcache:11211 -tls.key=/certs/my.key -tls.cert=/certs/my.crt

docker run -p 443:443 --link memcached_yopass:memcache -d jhaals/yopass -memcached=memcache:11211

With Linux Chrome 57.0.2950.4 dev (64-bit), after entering the decoding key, nothing is shown.

The console shows this error:

Error: Malformed UTF-8 data         angular.js:12416
    at Object.stringify (aes.js:10)
    at init.toString (aes.js:8)
    at app.js:60
    at angular.js:10215
    at angular.js:14634
    at n.$eval (angular.js:15916)
    at n.$digest (angular.js:15727)
    at n.$apply (angular.js:16024)
    at g (angular.js:10511)
    at K (angular.js:10683)
(anonymous)	@	angular.js:12416

Hi Johan,

thanks for the great software
I am running yopass behind SSO. Authentication is done via a cookie.
Unfortunately currently yopass is not sending the cookies with the request.
The field that will most likely solve this is: https://developer.mozilla.org/en-US/docs/Web/API/Request/Request credentials: include
I do not see any case where transmitting the cookie with the request would have negative consequences, so this might be good to make the default behaviour.

Hey @jhaals,

first of all, thanks so much for yopass, we're big fan here at SoundCloud! It's our favorite tool to quickly share some credentials with others.

We wonder if you were to accept a submission to add Prometheus monitoring to yopass, to track number of requests and errors? I saw that the prometheus client library is already in the list of dependencies. So we'd only need to load the library, add one metric, and expose the /metrics handler. https://godoc.org/github.com/prometheus/client_golang/prometheus/promhttp#InstrumentHandlerDuration

Cheers!

Hi,

it would be nice if one could paste in pictures to share via browser.
This could be used to share 2d barcodes which we use to share secrets for OTP auth devices.

OR add setting to display as 2D barcode which would safe space but be less generic

Hi,

I'm trying to change my certificate to generated by certboot. Unfortunately I have strange issue with this as when I'm using command:

docker run -p 443:1337 -v /etc/letsencrypt/live/yopass.mydomain.com:/certs
--link memcached_yopass:memcache -d jhaals/yopass -memcached=memcache:11211 -tls.key=/certs/privkey.pem -tls.cert=/certs/fullchain.pem

I'm getting error message:
2019/02/14 15:47:58 Starting yopass. Listening on port 1337
2019/02/14 15:47:58 open /cert/fullchain.pem: no such file or directory

The file definitely is in in the folder and it seems accepting first one (privkey.pem).

When I remove from the command " -tls.key=/certs/privkey.pem" of course youpass doesn't work but container starts so I guess it finds the /cert/fullchain.pem file.

I've tried to resolve this issue myself but after few hours of attempts eventually gave up.

Could you help me please?

Expire a secret after N views and optionally also a time-based expiration.

https://docs.codeclimate.com/docs/advanced-configuration#default-checks

Originally posted by @grobie in #582 (comment)

If i submit a secret string "mystring>" via REST api, the only way to view it is by going to link
/secret/<key>
Which returns a json and is not decoded.

Please allow to get via url without decrypt key i.e. below should work
https://yopass.se/#/s/7ca6f773-c77f-11e6-89b0-0242ac110004

My use case was to send non-technical people, secure yopass urls, so that they could collect their passwords.
/secret/<key>
resulted in a json response in their browser with special characters messed up
@jhaals

I have yopass runing under https://my.site.tld/yopass/ eveything is working fine but the generated secret links are like:
https://my.site.tld/yopass#/s/<LONG_HASH> instead of
https://my.site.tld/yopass/#/s/<LONG_HASH>.
When I manually edit the URL it works just fine. Could you introduce some baseurl parameter or something?

Hi,

I have just started using this app. Its running on my EKS cluster. The containers are running and are healthy. It worked for a new days like a charm, but now, when I try to Encrypt a message it just returns "Failed to fetch".

Looking at the container logs I don't see anything other than ALB health checks:

10.5.x.x - - [15/May/2020:17:19:27 +0000] "GET / HTTP/1.1" 200 2609
10.5.x.x - - [15/May/2020:17:19:27 +0000] "GET / HTTP/1.1" 200 2609

I tried to kill the pod and a new one created but exact same behavior.

Anyone experienced this?

In a previous version of yopass there was a rudimental documentation of an API via HTTPS and JSON (see here).

Since your last bigger rewrite and the change to the sjcl cryptolibrary this part is missing in the README of the project.

We consider to automate a secure secret delivery in one of our internal services, so yopass would be a nice solution. (A yopass instance is already running but at this point only used in browser)

While the most of the JSON API is still working as expected...

# request
curl --header "Content-Type: application/json" \
  --request POST \
  --data '{"secret":"secret","Expiration":3600}' \
  https://dasvcjfzrl.execute-api.eu-west-1.amazonaws.com/dev/secret

# response
{"message":"ea75ddc4-bcad-43b7-b767-7546253e8ca8"}

... At this point I need to know how the encryption part can be done locally without JS before sending the request to the server. You seem to use the SJCL defaults.

But I haven't got this managed so far. Do you have an idea on how an api client can do that?

It would be nice to have this as an official feature back again.

The new restructured version seems to be broken if its installed manually or by docker.

Due to the missing updated installation steps I tried to follow the steps in the Dockerfile, but I always end with an 404 when Itry to view the secret. Also the full secret link is shown in the server logs now...

If I use the docker containers I end up with the same results...

2018/03/02 14:59:30 Starting yopass. Listening on port 1337
127.0.0.1 - - [02/Mar/2018:14:59:36 +0100] "GET /result HTTP/1.0" 404 19
127.0.0.1 - - [02/Mar/2018:14:59:57 +0100] "GET / HTTP/1.0" 304 0
127.0.0.1 - - [02/Mar/2018:14:59:57 +0100] "GET /static/css/main.6f022e07.css HTTP/1.0" 304 0
127.0.0.1 - - [02/Mar/2018:14:59:57 +0100] "GET /static/js/main.09471f93.js HTTP/1.0" 304 0
127.0.0.1 - - [02/Mar/2018:15:00:12 +0100] "POST /secret HTTP/1.0" 200 50
127.0.0.1 - - [02/Mar/2018:15:00:30 +0100] "GET /s/a1c5ddef-59c4-4615-963b-49f758ca3fdf/C0atSB6B1IqquLuh HTTP/1.0" 404 19

When loading the yopass website the input field is immediately in focus. I'd love to send off the form after pasting/entering some plaintext by keyboard shortcut. At least under Linux based Firefox 80.0 the common ctrl+enter combination is not recognized to submit the form. Maybe it would even be possible to be able to copy the one-click link with ctrl+c or some other combination on the next page?

I don't really have any experience with Typescript/Javascript to add that quickly myself.