  • Stars: 451
  • Rank 96,968 (Top 2 %)
  • Language: Go
  • License: Apache License 2.0
  • Created over 7 years ago
  • Updated 2 months ago

Repository Details

One-Time-Secret sharing platform with a symmetric 256bit AES encryption in the browser

Luzifer / OTS

ots is a one-time-secret sharing platform. The secret is encrypted in the browser with symmetric 256-bit AES before being sent to the server. Afterwards a URL containing the ID of the secret and the password is generated. The password is never sent to the server, so the server cannot decrypt the secrets it delivers with reasonable effort. The secret is also deleted immediately on the first read.

Features

  • AES 256-bit encryption
  • Server never gets the password
  • Secret is deleted on first read

Setup

For a better setup you can choose the backend which is used to store the secrets:

  • mem - In memory storage (wiped on restart of the daemon)
  • redis - Storing the secrets in a hash under one key
    • REDIS_URL - Redis connection string redis://USR:PWD@HOST:PORT/DB
      (pre Redis v6 use auth as user, afterwards use a user available in your ACLs)
    • REDIS_KEY - Key prefix to store the keys under (Default io.luzifer.ots)
  • Common options
    • SECRET_EXPIRY - Expiry of the keys in seconds (Default 0 = no expiry)

Customization

There are several ways to customize your OTS setup to your needs. All of them require you to create a YAML file containing the definitions of your customizations and to load this file through the --customize=path/to/customize.yaml flag:

# Override the app-icon, present a path to the image to use, if unset
# or empty the default FontAwesome icon will be displayed. Recommended
# is a height of 30px.
appIcon: ''

# Override the app-title, if unset or empty the default app-title
# "OTS - One Time Secret" will be used
appTitle: ''

# Disable display of the app-title (for example if you included the
# title within the appIcon)
disableAppTitle: false

# Disable the footer linking back to the project. If you disable it
# please consider a donation to support the project.
disablePoweredBy: false

# Disable the button to display and the generation of the QR-Code
# for the secret URL
disableQRSupport: false

# Disable the switcher for dark / light theme in the top right corner
# for example if your custom theme does not support two themes.
disableThemeSwitcher: false

# Custom path to override embedded resources. You can override any
# file present in the `frontend` directory (which is baked into the
# binary during compile-time). You also can add new files (for
# example the appIcon given above). Those files are available at the
# root of the application (i.e. an app.png would be served at
# https://ots.example.com/app.png).
overlayFSPath: /path/to/ots-customization

To override the styling of the application, look at the src/style.scss file to see how the theme of the application is built, and place the compiled app.css in the overlayFSPath.

After modifying files in the overlayFSPath, make sure to restart the application; otherwise the file integrity hashes will no longer match and browsers will block your resources.

If you want to disable secret creation for users not logged in to your company SSO, you can apply an ACL to the /api/create and /api/isWritable endpoints so that only logged-in users can access them. This also disables the secret-creation interface for everyone who does not have access to the /api/isWritable endpoint.

Creating secrets through CLI / scripts

As ots is designed to never let the server know the secret you are sharing, you should not just send the plain secret to it, though it is possible.

Sharing an encrypted secret (strongly recommended!)

This is slightly more complex, as you first need to encrypt your secret before sending it to the API, but in this case you can be sure the server will in no case be able to access the secret. Especially if you are using ots.fyi (my public hosted instance), you should not trust me with your secret but use an encrypted secret:

# echo "my password" | openssl aes-256-cbc -base64 -pass pass:mypass -iter 300000 -md sha512
U2FsdGVkX18wJtHr6YpTe8QrvMUUdaLZ+JMBNi1OvOQ=

# curl -X POST -H 'content-type: application/json' -i -s -d '{"secret": "U2FsdGVkX18wJtHr6YpTe8QrvMUUdaLZ+JMBNi1OvOQ="}' https://ots.fyi/api/create
HTTP/2 201
server: nginx
date: Wed, 29 Jan 2020 14:08:54 GMT
content-type: application/json
content-length: 68
cache-control: no-cache

{"secret_id":"5e0065ee-5734-4548-9fd3-bb0bcd4c899d","success":true}

You will now need to supply the web application with the password in addition to the ID of the secret: https://ots.fyi/#5e0065ee-5734-4548-9fd3-bb0bcd4c899d|mypass

In this case, because of how browsers handle hashes in URLs (the part after the #), the only URL the server gets to know is https://ots.fyi/, which loads the frontend. Afterwards the JavaScript executed in the browser fetches the encrypted secret at the given ID and decrypts it with the given password (in this case mypass). I will not be able to tell the content of your secret and will only see the AES 256-bit encrypted content.

You can find a script cli_create.sh in this repo demonstrating the creation of the secret with all steps.
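The steps above as one script: an added example, not the repository's cli_create.sh. It reuses the openssl parameters and the URL layout shown above; the function names, the OTS_INSTANCE and OTS_PASS variables, the random password, the `-A` flag and the local round-trip check are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the project's cli_create.sh). Function and variable
# names are hypothetical; cipher parameters are the ones from the command above.
OTS_INSTANCE="${OTS_INSTANCE:-https://ots.fyi}"

# ots_encrypt SECRET PASSWORD -> OpenSSL "Salted__" blob as base64.
# The password is handed over via the environment (-pass env:), so it does not
# show up in the process list the way "-pass pass:..." does.
# Assumption: -A keeps the base64 on one line so it fits into a JSON string.
ots_encrypt() {
  printf '%s' "$1" | OTS_PASS="$2" openssl aes-256-cbc -base64 -A \
    -pass env:OTS_PASS -iter 300000 -md sha512
}

# ots_decrypt BLOB PASSWORD -> plaintext (used only for the local check)
ots_decrypt() {
  printf '%s' "$1" | OTS_PASS="$2" openssl aes-256-cbc -d -base64 -A \
    -pass env:OTS_PASS -iter 300000 -md sha512
}

# ots_url SECRET_ID PASSWORD -> share link; the password stays in the
# fragment after the '#', which the browser does not send to the server.
ots_url() {
  printf '%s/#%s|%s\n' "$OTS_INSTANCE" "$1" "$2"
}

# ots_share SECRET -> encrypts, uploads, prints the share link.
ots_share() {
  pass=$(openssl rand -hex 32) || return 1   # random, fragment-safe password
  blob=$(ots_encrypt "$1" "$pass") || return 1
  # The server deletes the secret on first read, so reading it back is not
  # an option: verify the round trip locally before uploading.
  [ "$(ots_decrypt "$blob" "$pass")" = "$1" ] || return 1
  id=$(curl -sf -X POST -H 'content-type: application/json' \
        -d "{\"secret\": \"$blob\"}" "$OTS_INSTANCE/api/create" |
        sed -n 's/.*"secret_id":"\([^"]*\)".*/\1/p')
  [ -n "$id" ] || return 1
  ots_url "$id" "$pass"
}
```

Source the file and call `ots_share 'my password'`; set OTS_INSTANCE to use a self-hosted instance.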

Sharing the plain secret

# curl -X POST -H 'content-type: application/json' -i -s -d '{"secret": "my password"}' https://ots.fyi/api/create

HTTP/2 201
server: nginx
date: Wed, 29 Jan 2020 14:02:42 GMT
content-type: application/json
content-length: 68
cache-control: no-cache

{"secret_id":"1cb08e53-46b9-4f21-bbd9-f1eea1594ad9","success":true}

You can then use the URL https://ots.fyi/#1cb08e53-46b9-4f21-bbd9-f1eea1594ad9 to access the secret.

Localize to your own language

If you want to help translate the application into your own language, please see the i18n.yaml file in this repository and translate the English strings inside. Afterwards please open an issue and attach your translation, stating which language you translated the strings into.

Of course you could also open a pull request to add the new translations to the i18n.yaml file.

The same goes for any translation errors you find: just open an issue and let me know!
