  • Stars: 31
  • Rank: 793,138 (Top 17 %)
  • Language: Ada
  • License: Apache License 2.0
  • Created about 5 years ago
  • Updated 3 months ago


Ada Keystore - protect your sensitive data with secure storage

Ada Keystore


TL;DR

AKT is a tool to store and protect your sensitive information and documents by encrypting them in a secure keystore (AES-256, HMAC-256).

Create the keystore and protect it with a gpg public key:

   akt create secure.akt --gpg <keyid> ...

Store a small content:

   akt set secure.akt bank.password 012345

Store files, a directory or a tar archive:

   akt store secure.akt notes.txt
   akt store secure.akt contract.doc
   akt store secure.akt directory
   tar czf - . | akt store secure.akt -- backup

Edit a content with your $EDITOR:

   akt edit secure.akt bank.password
   akt edit secure.akt notes.txt

Get a content:

   akt get secure.akt bank.password
   akt extract secure.akt contract.doc
   akt extract secure.akt -- backup | tar xzf -

Mount the keystore:

   akt mount secure.akt /mnt
   # access the keystore content in /mnt
   umount /mnt

Store a new OTP secret:

   akt otp secure.akt otpauth://totp/GitHub:...

Generate the TOTP code:

   akt otp secure.akt GitHub
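The otp command above stores an otpauth://totp/ URI and later turns it into a 6-digit code. The following is an added example, not code from the akt project, showing what that involves: parsing the URI (label, secret, issuer, digits, period) and computing the RFC 6238 TOTP value with the standard library. The URI and account name are constructed; the secret is the RFC 6238 reference secret in base32, so the results can be checked against the RFC test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URI in the otpauth://totp/ form that `akt otp` accepts.
# The secret is the RFC 6238 reference secret "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/GitHub:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=GitHub&digits=6&period=30")

def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into its label and parameters."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported")
    label = unquote(parts.path.lstrip("/"))
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret parameter")
    # The issuer may be carried in the label prefix ("Issuer:account") or as a parameter.
    issuer = params.get("issuer") or (label.split(":", 1)[0] if ":" in label else "")
    return {
        "issuer": issuer,
        "account": label.split(":", 1)[-1],
        "secret": params["secret"],
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "algorithm": params.get("algorithm", "SHA1").lower(),
    }

def totp(entry, now=None):
    """RFC 6238 TOTP: HMAC over the time counter, dynamic truncation, zero-padded digits."""
    if now is None:
        now = time.time()
    # Base32 secrets are often written unpadded; restore the padding before decoding.
    secret = entry["secret"].upper().replace(" ", "")
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    counter = int(now) // entry["period"]
    mac = hmac.new(key, struct.pack(">Q", counter), entry["algorithm"]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** entry["digits"])).zfill(entry["digits"])

if __name__ == "__main__":
    entry = parse_otpauth(SAMPLE_URI)
    print(entry["issuer"], entry["account"], totp(entry))
```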

Version 1.4.0 - Jul 2023

  • Feature #15: Authenticator with TOTP support
  • Fix #16: Support to build with -gnatW8
  • Fix #17: Test with a corrupted data block sometimes dumps the corrupted data
  • New genkey and otp commands


Overview

Ada Keystore is a tool and library to store information in secure wallets and protect the stored information by encrypting the content. It is necessary to know one of the wallet passwords to access its content. Ada Keystore can be used to safely store passwords, credentials, bank accounts and even documents.

Wallets are protected by a master key using AES-256, and the wallet master key is in turn protected by a user password. The wallet defines up to 7 slots, each identifying a password key that is able to unlock the master key. To open a wallet, it is necessary to unlock one of these 7 slots by providing the correct password. Wallet key slots are protected by the user's password and the PBKDF2-HMAC-256 algorithm with a random salt and a random counter, and they are encrypted using AES-256.

Values stored in the wallet are protected by their own encryption keys using AES-256. A wallet can contain another wallet which is then protected by its own encryption keys and passwords (with 7 independent slots). Because the child wallet has its own master key, it is necessary to know the primary password and the child password: the parent wallet is unlocked first and then the child wallet.
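To make the slot mechanism concrete, here is an added model of the password-slot design described above; it is illustrative and not AKT's on-disk format or its code. Each slot stretches a password with PBKDF2-HMAC-SHA256 over its own random salt and counter, wraps the master key, and carries an HMAC-SHA256 tag so that a wrong password is detected by the tag check rather than by producing garbage. To keep the example standard-library only, the wrap is an XOR with a PBKDF2-derived pad (a stand-in for the AES-256 step); the iteration base is an assumed value.

```python
import hashlib
import hmac
import os

MAX_SLOTS = 7
KDF_ITERATIONS = 100_000  # assumed base value; each slot adds its own random counter

def _slot_keys(password, salt, iterations):
    """PBKDF2-HMAC-SHA256 stretches the password into a wrapping key and a MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return okm[:32], okm[32:]

def _xor(a, b):
    # Stand-in for AES-256 key wrapping; pad is fresh per slot because the salt is.
    return bytes(x ^ y for x, y in zip(a, b))

def create_wallet(passwords):
    """Generate a master key and wrap it once per password, filling at most 7 slots."""
    if not 1 <= len(passwords) <= MAX_SLOTS:
        raise ValueError("a wallet has between 1 and 7 password slots")
    master_key = os.urandom(32)
    slots = []
    for pw in passwords:
        salt = os.urandom(16)
        iterations = KDF_ITERATIONS + int.from_bytes(os.urandom(2), "big")
        wrap_key, mac_key = _slot_keys(pw, salt, iterations)
        wrapped = _xor(master_key, wrap_key)
        tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
        slots.append({"salt": salt, "iterations": iterations,
                      "wrapped": wrapped, "tag": tag})
    return {"slots": slots}, master_key

def unlock_wallet(wallet, password):
    """Try every slot; a slot only releases the master key when its HMAC verifies."""
    for slot in wallet["slots"]:
        wrap_key, mac_key = _slot_keys(password, slot["salt"], slot["iterations"])
        expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], "sha256").digest()
        if hmac.compare_digest(expected, slot["tag"]):
            return _xor(slot["wrapped"], wrap_key)
    return None  # no slot matched: wrong password, nothing is decrypted
```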

Figure: AKT Overview

The data is organized in blocks of 4K whose primary content is encrypted either by the wallet master key or by the entry keys. The data block is signed by using HMAC-256. A data block can contain several values but each of them is protected by its own encryption key. Each value is also signed using HMAC-256.

The tool is able to separate the data blocks from the keys and use a specific file to keep track of keys and one or several files for the data blocks. When data blocks are separate from the keys, it is possible to copy the data files on other storages without exposing any key used for encryption. The data storage files use the .dkt extension and they are activated by using the -d data-path option.

Using Ada Keystore Tool

The akt tool is the command line tool that manages the wallet. It provides the following commands:

  • config: setup some global configuration
  • create: create the keystore
  • edit: edit the value with an external editor
  • extract: get a value from the keystore
  • genkey: generate or manage named keys
  • get: get a value from the keystore
  • help: print some help
  • info: print information about the keystore
  • list: list values of the keystore
  • mount: mount the keystore on the filesystem for a direct access
  • otp: generate a one time password or manage OATH secrets
  • password-add: add a password
  • password-remove: remove a password
  • password-set: change the password
  • remove: remove values from the keystore
  • set: insert or update a value in the keystore
  • store: insert or update a value in the keystore

Simple usage

To create the secure file, use the following command and enter your secure password (it is recommended to use a long and complex password):

   akt create secure.akt

At this step, the secure file is created and it can only be opened by providing the password you entered. To add something, use:

   akt set secure.akt bank.password 012345

To store a file, use the following command:

   akt store secure.akt contract.doc

If you want to retrieve a value, you can use one of:

   akt get secure.akt bank.password
   akt extract secure.akt contract.doc

The store and extract commands are intended to be used to store and extract files produced by other tools such as tar(1). For example, the output produced by tar can be stored using the following command:

   tar czf - . | akt store secure.akt -- backup.tar.gz

And it can be extracted by using the following command:

   akt extract secure.akt -- backup.tar.gz | tar xzf -

Advanced usage

Even though the encryption keys are protected by a password, it is sometimes useful to avoid exposing them and keep them separate from the data blocks. This is possible by using the -d data-path option when the keystore file is created. When this option is used, the data blocks are written in one or several storage files located in the directory. To use this, create the keystore as follows:

   akt create secure.akt -d data

Then, you can do your backup by using:

   tar czf - . | akt store secure.akt -d data -- backup.tar.gz

The tool puts all the encryption keys in secure.akt and creates in the data directory the files that contain the data blocks. You can then copy these data block files to a backup server: they don't contain any encryption key. Because each 4K data block is encrypted by its own key, it is necessary to know all the keys to be able to decrypt the full content. The secure.akt file is the only file that contains encryption keys.

Using GPG to protect the keystore

You can use GPG to lock/unlock the keystore. To do this, use the --gpg option and give your own GPG key identifier (or your user name).

   akt create secure.akt -d data --gpg your-gpg-key-id

You can also share the keystore with someone else provided you know and trust their public key. To do that, create the keystore and define the GPG key of each user you want to share the keystore with:

   akt create secure.akt -d data --gpg user1-key user2-key user3-key

To unlock the keystore, GPG uses the matching private key.

Mounting the keystore on the filesystem

The keystore content can be mounted as a filesystem so that the encrypted content is directly available to existing applications as regular files. The mount command starts a FUSE daemon in the background that serves the keystore as a FUSE filesystem and makes the content visible through the mount point.

   akt mount secure.akt /mnt

To unmount the filesystem, you must use the umount command.

   umount /mnt

Sometimes, you may have to force the umount by running:

   sudo umount /mnt

AKT Debian Binaries

Ubuntu 22.04 and Debian 12 packages are available to help you install the akt command more easily. You can configure your Ubuntu system as follows:

   wget -qO- https://apt.vacs.fr/apt.vacs.fr.gpg.asc | sudo tee /etc/apt/trusted.gpg.d/vacs_fr.asc
   # For Ubuntu 22.04, use:
   sudo add-apt-repository "deb https://apt.vacs.fr/ubuntu-jammy jammy main"
   # For Debian 12, use:
   sudo add-apt-repository "deb https://apt.vacs.fr/debian-bookworm bookworm main"

And then install the akt package:

   sudo apt-get install akt

Building Ada Keystore

To build Ada Keystore you will need the GNAT Ada compiler, either the FSF version available on Debian, FreeBSD and NetBSD systems, or the AdaCore GNAT Community 2019 edition.

Development Host Installation

Ubuntu

Install the following packages:

   sudo apt-get install -y make gnat-7 gprbuild git gnupg2

FreeBSD 13

Install the following packages:

   pkg install gmake gnat12 gprbuild gnupg

Windows

Get the Ada compiler from AdaCore Download site and install.

Install the following packages:

   pacman -S git
   pacman -S make
   pacman -S base-devel --needed

Getting the sources

The project uses a sub-module to help you in the integration and build process. You should checkout the project with the following commands:

   git clone --recursive https://gitlab.com/stcarrez/ada-keystore.git
   cd ada-keystore

Configuration

To configure Ada Keystore, use the following command:

   ./configure

The GTK application is not compiled by default unless you configure with the --enable-gtk option. Be sure to install the GtkAda library before configuring and building the project.

   ./configure  --enable-gtk

Build

Then, build the application:

   make

And install it:

   make install

Docker

A Docker container is available for those who want to try AKT without installing and building the required Ada packages. To use the AKT Docker container, run the following commands:

   docker pull ciceron/ada-keystore
   docker run -i -t --entrypoint /bin/bash ciceron/ada-keystore
   root@...:/usr/src# akt create secure.akt
   root@...:/usr/src# akt set secure.akt something some-secret
   root@...:/usr/src# akt get secure.akt something

