RatticWeb is the website part of the Rattic password management solution, which allows you to easily manage your users and passwords.
Description: Rattic fork with encryption.
Because only the accounts with view access should be able to read a password.
Users fall into 3 main access groups: no rights, access rights and view rights. Access rights are granted via groups or LDAP group membership. To view a password the user also needs the encryption key, so even a member of the right group cannot decrypt without it. This also makes private passwords possible: passwords encrypted with a key only you know. Encrypted passwords stop someone who dumps the database from reading all the passwords, including third parties and sysadmins... yes, sysadmins should not be able to view a password just because they administer the system. The password management solution must provide storage, history, search, access control etc., while the real password strings must be readable only by the users. Note that decryption happens in the browser with JavaScript served by the site itself, so this protects against a database dump, not against an attacker who controls the web server and can change the script that is served.
Because it's a standard: simple, easy to implement and easy to understand.
http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/aes.js
ToDo: test WebCrypto. https://github.com/diafygi/webcrypto-examples/#aes-cbc
To fetch the encrypted password blob and decrypt it yourself:
curl -sk -H "Authorization: ApiKey USERNAME:API_KEY" -H "Accept: application/json" https://rattic-url.com/api/v1/cred/1/ | jq -r '.password'
U2FsdGVkX19rYQZwwyDs1ICWX7RRUAsKYPbJ8YDFoS0=
The value is the OpenSSL "Salted__" container that CryptoJS produces: base64 of the 8-byte magic "Salted__", an 8-byte random salt and the AES-256-CBC ciphertext. openssl understands that container directly:
curl -sk -H "Authorization: ApiKey USERNAME:API_KEY" -H "Accept: application/json" https://rattic-url.com/api/v1/cred/1/ \
| jq -r '.password' | base64 -d \
| openssl enc -d -aes-256-cbc -md md5 -pass pass:"KEY_USED_TO_ENCRYPT"
Notes: CryptoJS derives key and IV from the passphrase and salt with EVP_BytesToKey over MD5, so `-md md5` is required with OpenSSL 1.1.0 and later, whose default digest for enc is SHA-256; without it decryption fails with "bad decrypt". `-k` skips TLS certificate verification and should only be used against a test instance with a self-signed certificate. `-pass pass:` puts the key on the command line, where other local users can read it from the process list; prefer `-pass stdin` or `-pass env:VAR` on a shared host.
Well, personally I would build:
- encrypted disk
- nginx-naxsi
- fail2ban
- mariadb-galera
- 2 or more nodes for HA
- offsite backups
Inspired by @ministryofjustice I can even automate and dockerize the nodes
- The webpage should be served over HTTPS only, apart from a redirect from normal HTTP.
- The filesystem in which the database is stored should be protected with encryption.
- The access logs should be protected.
- The machine which serves RatticWeb should be protected from access.
- Tools like OSSEC (http://www.ossec.net/), mod_security and naxsi (https://github.com/nbs-system/naxsi) are your friends.
Support and Known Issues:
- Through Twitter, the upstream GitHub Issues, or GitHub Issues in this fork
- Apache config needs "WSGIPassAuthorization On" for the API keys to work: mod_wsgi strips the Authorization header before it reaches the application unless that directive is set, so the ApiKey header is never seen.
Dev Setup: https://github.com/tildaslash/RatticWeb/wiki/Development