Awesome
Ada Keystore
TL;DR
AKT is a tool to store and protect your sensitive information and documents by encrypting them in secure keystore (AES-256, HMAC-256).
Create the keystore and protect it with a gpg public key:
akt create secure.akt --gpg <keyid> ...
Store a small content:
akt set secure.akt bank.password 012345
Store files, directory or a tar file:
akt store secure.akt notes.txt
akt store secure.akt contract.doc
akt store secure.akt directory
tar czf - . | akt store secure.akt -- backup
Edit a content with your $EDITOR:
akt edit secure.akt bank.password
akt edit secure.akt notes.txt
Get a content:
akt get secure.akt bank.password
akt extract secure.akt contract.doc
akt extract secure.akt -- backup | tar xzf -
Mount the keystore:
akt mount secure.akt /mnt
# access the keystore content in /mnt
umount /mnt
Store a new OTP secret:
akt otp secure.akt otpauth://totp/GitHub:...
Generate the TOTP code:
akt otp secure.akt GitHub
Version 1.4.1 - Sep 2024
- Cleanup build environment to drop configure
- Fix #21: list command limit 50
- Fix #24: Cannot add a GPG user on a keystore having a password
Overview
Ada Keystore is a tool and library to store information in secure wallets and protect the stored information by encrypting the content. It is necessary to know one of the wallet password to access its content. Ada Keystore can be used to safely store passwords, credentials, bank accounts and even documents.
Wallets are protected by a master key using AES-256 and the wallet master key is protected by a user password. The wallet defines up to 7 slots that identify a password key that is able to unlock the master key. To open a wallet, it is necessary to unlock one of these 7 slots by providing the correct password. Wallet key slots are protected by the user's password and the PBKDF2-HMAC-256 algorithm, a random salt, a random counter and they are encrypted using AES-256.
Values stored in the wallet are protected by their own encryption keys using AES-256. A wallet can contain another wallet which is then protected by its own encryption keys and passwords (with 7 independent slots). Because the child wallet has its own master key, it is necessary to known the primary password and the child password to unlock the parent wallet first and then the child wallet.
The data is organized in blocks of 4K whose primary content is encrypted either by the wallet master key or by the entry keys. The data block is signed by using HMAC-256. A data block can contain several values but each of them is protected by its own encryption key. Each value is also signed using HMAC-256.
The tool is able to separate the data blocks from the keys and use
a specific file to keep track of keys and one or several files for
the data blocks. When data blocks are separate from the keys, it is
possible to copy the data files on other storages without exposing
any key used for encryption. The data storage files use the .dkt
extension and they are activated by using the -d data-path
option.
Using Ada Keystore Tool
The akt
tool is the command line tool that manages the wallet.
It provides the following commands:
config
: setup some global configurationcreate
: create the keystoreedit
: edit the value with an external editorextract
: get a value from the keystoregenkey
: generate or manage named keysget
: get a value from the keystorehelp
: print some helpinfo
: print information about the keystorelist
: list values of the keystoremount
: mount the keystore on the filesystem for a direct accessotp
: generate a one time password or manage OATH secretspassword-add
: add a passwordpassword-remove
: remove a passwordpassword-set
: change the passwordremove
: remove values from the keystoreset
: insert or update a value in the keystorestore
: insert or update a value in the keystore
Simple usage
To create the secure file, use the following command and enter your secure password (it is recommended to use a long and complex password):
akt create secure.akt
At this step, the secure file is created and it can only be opened by providing the password you entered. To add something, use:
akt set secure.akt bank.password 012345
To store a file, use the following command:
akt store secure.akt contract.doc
If you want to retrieve a value, you can use one of:
akt get secure.akt bank.password
akt extract secure.akt contract.doc
The store
and extract
commands are intended to be used to store
and extract files produced by other tools such at
.IR tar (1). For example, the output produced by
.I tar
can be stored using the following command:
tar czf - . | akt store secure.akt -- backup.tar.gz
And it can be extracted by using the following command:
akt extract secure.akt -- backup.tar.gz | tar xzf -
Advanced usage
Even though the encryption keys are protected by a password,
it is sometimes useful to avoid exposing them and keep them separate
from the data blocks. This is possible by using the -d data-path
option when the keystore file is created. When this option is used,
the data blocks are written in one or several storage files located
in the directory. To use this, create the keystore as follows:
akt create secure.akt -d data
Then, you can do your backup by using:
tar czf - . | akt store secure.akt -d data -- backup.tar.gz
The tool will put in secure.akt
all the encryption keys and it will
create in the data
directory the files that contain the data blocks.
You can then copy these data blocks on a backup server. They don't contain
any encryption key. Because each 4K data block is encrypted by its own
key, it is necessary to know all the keys to be able to decrypt the full
content. The secure.akt
file is the only content that contains
encryption keys.
Using GPG to protect the keystore
You can use GPG to lock/unlock the keystore. To do this, you have
to use the --gpg
option and giving your own GPG key identifier
(or your user's name).
akt create secure.akt -d data --gpg your-gpg-key-id
You can also share the keystore with someone else provided you know and trust the foreign public key. To do that, you can create the keystore and defined the GPG key for each user you want to share the keystore:
akt create secure.akt -d data --gpg user1-key user2-key user3-key
To unlock the keystore, GPG will use the private key.
Mounting the keystore on the filesystem
The keystore content can be mounted as a filesystem so that the
encrypted content are directly available to existing application
as regular files. The mount
command starts the fuse daemon
and puts the command as a background fuse daemon to serve as
a fuse filesystem and make the content visible through the
mount point.
akt mount secure.akt /mnt
To unmount the filesystem, you must use the umount
command.
umount /mnt
Sometimes, you may have to force the umount by running:
sudo umount /mnt
AKT Debian Binaries
Ubuntu 22.04 and Debian 12 packages are available to help you install the akt
command
more easily. You can configure your Ubuntu system as follows:
wget -qO- https://apt.vacs.fr/apt.vacs.fr.gpg.asc | sudo tee /etc/apt/trusted.gpg.d/vacs_fr.asc
# For Ubuntu 22.04, use:
sudo add-apt-repository "deb https://apt.vacs.fr/ubuntu-jammy jammy main"
# For Debian 12, use:
sudo add-apt-repository "deb https://apt.vacs.fr/debian-bookworm bookworm main"
And then install the akt
package:
sudo apt-get install akt
Building Ada Keystore
To build the Ada Keystore you will need the GNAT Ada compiler as well as the Alire package manager.
Development Host Installation
Ubuntu
Install the following packages:
sudo apt-get install -y make gnat gprbuild git gnupg2 alr
FreeBSD 13
Install the following packages:
pkg install gmake gprbuild gnat12 git gnupg alire
Windows
Get the Alire package manager Alire site and install.
Install the following packages:
pacman -S git
pacman -S make
pacman -S base-devel --needed
Getting the sources
You should checkout the project with the following commands:
git clone https://gitlab.com/stcarrez/ada-keystore.git
cd ada-keystore
Build
Build the application:
make
And install it:
make install
Docker
A docker image is available for those who want to try AKT without installing and building the required Ada packages. To use the AKT docker image you can run the following commands:
docker pull ciceron/akt
docker run -i -t --entrypoint /bin/bash ciceron/akt
root@...:/usr/src# akt create secure.akt
root@...:/usr/src# akt set secure.akt something some-secret
root@...:/usr/src# akt get secure.akt something
Note: another docker image ciceron/ada-keystore
is also provided with akt
as well as Ada Keystore and the GNAT compiler.
Documents
- Ada Keystore Guide PDF
- Man page: akt (1)
Presentations
- AKT un outil pour sécuriser vos données et documents sensibles Paris Open Source Summit 2019
- Protect Sensitive Data with Ada Keystore Ada devroom FOSDEM 2020
References
- RFC8018: PKCS #5: Password-Based Cryptography Specification Version 2.1
- Meltem Sönmez Turan, Elaine Barker, William Burr, and Lily Chen. "NIST SP 800-132, Recommendation for Password-Based Key Derivation Part 1: Storage Applications" (PDF). www.nist.gov.
- FIPS PUB 198-1, The Keyed-Hash Message Authentication Code (HMAC)
- FIPS PUB 197, Advanced Encryption Standard (AES)