Building a Secure Team Password Store


Some time ago, I had a conversation with my old boss, Brian Langston, about how to properly share secure items like passwords and key files within a team of developers. I’ve always kept a KeePass database, but if I have to share a login with a coworker I’m usually forced to resort to either writing it on a post-it note or sending it over a potentially insecure channel like email. We talked about setting up a system where you could build a database of secure notes, share them with individuals on the team, and potentially share changes or revoke access in the future. Like most good ideas, it was approached with the best of intentions and immediately forgotten about when things got busy.

Now several years later, I found out I wasn’t the only one thinking about this problem. A coworker introduced me to 1Password for teams, and I was very pleased to find somebody had already done all the hard work for me. We’ve been using it for a few months now, and while I’ve had some difficulties with its interface and vault structure, it’s been a very useful tool. So useful, in fact, that my team has become completely dependent on it and have moved almost all of our server information and confidential data into it. This is great from a convenience standpoint, but the problem is that as with any proprietary system, it’s a black box that we’re locked into. Not only do I have to take their word for it that it’s secure, but I have no reasonable way to get my data back out or transfer to another vendor, so I’m at their whim and whenever they start to charge a fee for the service (which they’ve announced they will but not how much), my data will be essentially held for ransom.

So what about an open source alternative? I’ve looked around, and couldn’t find much that fits the bill, so I’ve started my own, PassBrain. Going back to my conversation four or five years ago, the system is built on he core concept that even someone with full access to the data should be unable to reasonably decrypt it. This means that all secrets are encrypted using a private key that never leaves the user’s device.

This works fairly elegantly, as any time a user updates a stored secret (or creates a new one), the data can be locally encrypted on their device (the plaintext value is never sent over the network either) using their teammates’ public keys. Their teammates then download the cipher text and decrypt it locally.

It’s been a fun project so far, and is already at the point where I’d trust it with secure data, but as with all things, the details of user and group administration will probably take some time. More details to follow!