a simple and secure password manager for Linux
Introduction
passman is a simple and secure password manager for Linux that uses ChaCha20 for encryption, PBKDF2 for key generation, SHA3-256 for hashing and HMAC, and
a tamper-proof blockchain for logging activities. passman is meant as an example of how to design and implement a tool that deals with critical data, such as a password manager,
and therefore requires a sound choice of cryptographic primitives and a thorough evaluation of the trust chain. The following documentation covers the reasons and details behind the design and implementation choices.
Database structure
As shown in the first figure below, the database contains a table of entries and a set of parameters used for key generation (iter and salt) and encryption/decryption (nonce),
as well as for integrity checks (entries HMAC and HMAC). The entries HMAC contains the SHA3-256-HMAC of the table of entries before encryption, and the HMAC contains the
SHA3-256-HMAC of all the fields of the database except the HMAC field (obviously!). The HMAC field is used to perform two operations: i) authentication (only possible with
the master password), ii) integrity check of the database. The entries HMAC field is used to check the integrity of the table of entries after decryption.

Fig.1 - Diagram of the database structure

Fig.2 - Diagram of the database structure showing which parameters are used for every HMAC
Detail the content of database entries and how they are handled.
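The two integrity checks described above, as an added Python sketch (not passman's own code). The field order, the length-prefixed serialization, the PBKDF2 PRF (HMAC-SHA-256) and the split of the KDF output into one key per HMAC are assumptions, and the ChaCha20 step is left out, so the ciphertext is an opaque stand-in.

```python
import hashlib
import hmac
import struct

def derive_keys(password: bytes, salt: bytes, iters: int):
    # Assumption: PBKDF2-HMAC-SHA-256, output split into one key per HMAC
    # ("one usage, one key"); the page does not specify PRF or key layout.
    okm = hashlib.pbkdf2_hmac("sha256", password, salt, iters, dklen=64)
    return okm[:32], okm[32:]

def mac(key: bytes, *fields: bytes) -> bytes:
    # Length-prefix each field so bytes cannot migrate between adjacent fields.
    h = hmac.new(key, digestmod="sha3_256")
    for f in fields:
        h.update(struct.pack(">Q", len(f)) + f)
    return h.digest()

def db_mac(key: bytes, db: dict) -> bytes:
    # Covers every field except "hmac" itself (field order is an assumption).
    return mac(key, struct.pack(">I", db["iter"]), db["salt"], db["nonce"],
               db["entries"], db["entries_hmac"])

def seal(password, iters, salt, nonce, plain, cipher) -> dict:
    k_db, k_entries = derive_keys(password, salt, iters)
    db = {"iter": iters, "salt": salt, "nonce": nonce, "entries": cipher,
          "entries_hmac": mac(k_entries, plain)}  # MAC of the plaintext table
    db["hmac"] = db_mac(k_db, db)
    return db

def authenticate(password: bytes, db: dict) -> bool:
    # Wrong password or any modified field gives a different MAC;
    # the comparison is constant-time.
    k_db, _ = derive_keys(password, db["salt"], db["iter"])
    return hmac.compare_digest(db_mac(k_db, db), db["hmac"])

def entries_intact(password: bytes, db: dict, decrypted: bytes) -> bool:
    # Run after decryption: checks the recovered table against entries HMAC.
    _, k_entries = derive_keys(password, db["salt"], db["iter"])
    return hmac.compare_digest(mac(k_entries, decrypted), db["entries_hmac"])

if __name__ == "__main__":
    # Constructed sample values; the ciphertext is an opaque stand-in.
    plain = b"example.org\talice\tconstructed-secret\n"
    db = seal(b"master pw", 10_000, bytes(16), bytes(12), plain, plain[::-1])
    print(authenticate(b"master pw", db), authenticate(b"guess", db))
    db["entries"] = db["entries"][:-1] + b"\x00"
    print(authenticate(b"master pw", db))
```

Because iter, salt and nonce are inside the outer HMAC, lowering the iteration count or swapping the nonce in the file is rejected in the same way as a change to the ciphertext.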
Log structure
The log is structured as shown in the figures below.

Fig.3 - Diagram of the log structure

Fig.4 - Diagram of the log structure showing which parameters are used for every HMAC
Present diagrams and explain the content of the data structure representing the log.
Emphasis on the HMAC and cryptographic mechanisms used to ensure data integrity and tamper proofing.
Commands
Present pseudocode of what happens for each command.
- init
Detail what init does!
- add
Detail what add does!
- del
Detail what del does!
- get
Detail what get does!
- list
Detail what list does!
- log
Detail what log does!
Security
Why is passman secure?
- System basics: chmod, mkdir, mlockall, ...
- The choice of cryptographic primitives: ChaCha20, PBKDF2, and SHA3-256.
- The choice of a reliable source of cryptographic randomness (Linux getrandom).
- The critical cryptographic and memory operation primitives run in constant time, which makes them robust against timing side-channel attacks.
- No information related to the master password is stored anywhere. The encryption/decryption keys are generated on the fly using a KDF.
- Multiple HMACs are calculated to ensure data integrity and tamper proofing.
- The logs are stored in a blockchain, which makes them more robust against tampering.
- Secrets are only decrypted in memory, files remain encrypted on disk.
- Secrets have short memory life cycles and are zeroed out as soon as they are no longer necessary.
- Nonces are regenerated every time the files are modified.
Key generation and management
One usage, one key.
Nonce regeneration
One usage, one nonce.
What's lacking for better security?
- Better memory protection using Linux Memory Protection Keys (pkeys)!
- Stronger cryptographic primitives:
  - replace ChaCha20 by ChaCha20+Poly1305 or XChaCha20+Poly1305 for encryption with AEAD (Authenticated Encryption with Associated Data)
  - replace PBKDF2 by Argon2 for key generation
  - replace SHA3-256 by BLAKE2s for keyed hashing
- Add a reversible, secret-based shuffle that scrambles the database entries in order to render the distribution of the data structure fields (or format) unpredictable. Currently, the data
structures are dumped as is into a file, which leaves the encrypted content of each field accessible at a known position.
How to securely back up the passman database?
Simply copy the $HOME/.passman directory to a secure location such as a LUKS-encrypted or hardware-encrypted flash drive.