I tried to build a portable password vault. The base idea is to generate the public and private key and while storing the private key to a file append the hash of a master password to the private_key.txt file.
The system allows you to encrypt the passwords using the public key and then while decrypting asks you to enter your master_password which it uses to de-crypt the private key which is used to decrypt the encrypted text.
The passwords are stored in a json file in an encrypted format.
It is a Java Spring boot project
Any suggestions to change the code or any other feature that might be good to include are welcome. I don’t have much idea about the security aspect of it as to how secure is it so any review of the security of the whole system are also welcome
Any reason why you are doing this? Both Password Storage and encryption/decryption are basically “solved problems”. For both things there is software or are libraries available to do it correctly.
Doing so by yourself is asking for trouble and it’s really easy to screw this up.
Unless it’s for curiosity sake and just to do something. In that case, feel free to continue with this.
The basic idea is, authentication can be:
- Something you are
- Something you have
- Something you know
To increase Security, you combine those. So, the Private Key is Something you have. The Master Password is something you know. That’s in general a good idea.
The specifics depend a lot on how you actually encrypt the data, and how you are planing to manage the key etc. The easiest thing would probably be to use the Master Password as some kind of a “salt” for encrypting with the private key.
I haven’t actually done any Encryption in code, because many other people have done before and probably better than i could, so my input is more general, rather than specific.
Also, if you want feedback on your code, you should probably add a link or such to the actual code that you have.