Home

Awesome

<p align="center"> <img width="100px" src="https://github.com/smallwat3r/shhh/blob/master/shhh/static/img/logo.png" /> </p> <p align="center">Keep secrets out of emails and chat logs.</p> <p align="center"> <a href="https://codecov.io/gh/smallwat3r/shhh" rel="nofollow"><img src="https://codecov.io/gh/smallwat3r/shhh/branch/master/graph/badge.svg" style="max-width:100%;"></a> <a href="https://codeclimate.com/github/smallwat3r/shhh/maintainability" rel="nofollow"><img src="https://api.codeclimate.com/v1/badges/f7c33b1403dd719407c8/maintainability" style="max-width:100%;"></a> <a href="https://github.com/smallwat3r/shhh/blob/master/LICENSE" rel="nofollow"><img src="https://img.shields.io/badge/License-MIT-green.svg" style="max-width:100%;"></a> </p>

What is it?

Shhh is a tiny Flask app to create encrypted secrets and share them securely with people. The goal of this application is to get rid of plain text sensitive information into emails or chat logs.

Shhh is deployed here (temporary unavailable until new deployment solution), but it's better for organisations and people to deploy it on their own personal / private server for even better security. You can find in this repo everything you need to host the app yourself.

Or you can one-click deploy to Heroku using the below button. It will generate a fully configured private instance of Shhh immediately (using your own server running Flask behind Gunicorn and Nginx, and your own PostgreSQL database). You can see the Heroku configuration files here.

Deploy (see here to initiate the db tables after deploying on Heroku)

Also, checkout shhh-cli, a Go client to interact with the Shhh API from the command line.

How does it work?

The sender has to set an expiration date along with a passphrase to protect the information he wants to share.

A unique link is generated by Shhh that the sender can share with the receiver in an email, alongside the temporary passphrase he created in order to reveal the secret.

The secret will be permanently removed from the database as soon as one of these events happens:

The secrets are encrypted in order to make the data anonymous, especially in the database, and the passphrases are not stored anywhere.

Encryption method used: Fernet with password, random salt value and strong iteration count (100 000).

Tip: for better security, avoid writing any info on how/where to use the secret you're sharing (like urls, websites or emails). Instead, explain this in your email or chat, with the link and passphrase generated from Shhh. So even if someone got access to your secret, there is no way for the attacker to know how and where to use it.

Is there an API?

Yes, you can find some doc here.

How to launch Shhh?

These instructions are for development purpose only. For production use you might want to use a more secure configuration.

Deps

The application will use the development env variables from /environments/dev-docker-postgres.env.

Docker

From the root of the repository, run

make dc-start          # to start the app 
make dc-start-adminer  # to start the app with adminer (SQL editor)
make dc-stop           # to stop the app

Once the container image has finished building and has started, you can access:

You can find the development database credentials from the env file at /environments/dev-docker-postgres.env.

You have also the option to use MySQL instead of PostgreSQL, using these commands:

make dc-start-mysql          # to start the app
make dc-start-adminer-mysql  # to start the app with adminer (SQL editor)
make dc-stop-mysql           # to stop the app

Migrations

Run the migrations using:

make db c='upgrade'

If deployed on Heroku, you can run the migrations using:

heroku run --app=<heroku-app-name> python3 -m flask db upgrade

This will ensure the necessary tables are created and up-to-date in the database, and make sure your deployed Shhh application works as expected.

You can write a revision using:

make db c='revision "my revision"'

Development tools

You can run tests and linting / security reports using the Makefile.

Make sure you have make, docker, yarn, and a version of Python 3.12 installed on your machine.

Tests, linting, security tools do not run from the Docker container, so you need to have a Python virtual environment configured locally.

You can do so with the following command:

make venv deps

The following command will display all the commands available from the Makefile:

make help

Environment variables

Bellow is the list of environment variables used by Shhh.

Mandatory

Depending if you can use PostgreSQL or MySQL you might also need to set (these need to match the values you've specified as DB_NAME, DB_PASSWORD and DB_NAME above):

or

Optional

License

See LICENSE file.

Contact

Please report issues or questions here.

Buy me a coffee