app prolock

ProLock is a UI tool to manage secrets; it stores data in a password-encrypted file

1 unstable release

new 0.9.0 Feb 26, 2025

#526 in Parser implementations

MIT/Apache

195KB
2.5K SLoC

Secure and comfortable management of secrets

ProLock is a small utility to manage secrets.

Motivation

There are some secrets that I do not want to manage in any browser, like the ones for my bank accounts.

And last but not least: because I can...

File access

ProLock only reads and writes to a single, user-specific file (~/.prolock/secrets). It does not interact with any cloud service etc. It has safety measures to detect concurrent changes to the file.

UI

ProLock comes with a UI to manage the secrets conveniently. The ProLock UI currently supports English and German; other languages can easily be added.

Technical details

Data model

The data model consists of Entries, each of which has

  • an unprotected section consisting of a unique name and an optional description
  • a protected section with 1 to 4 credentials, each of which consists of a name and a secret.

File format

The file contains

  • a readable file header
    • helps to manage the file format correctly and to detect concurrent changes
  • a readable data part
    • showing the unprotected sections of the Entries
    • also being used as the authentication tag for the encryption of the protected part (see below), which ensures that the file can only be opened if the readable data part was not modified.
  • some ciphertext, which is a serialization of the ChaCha20Poly1305-encrypted content of the protected sections of the Entries.
    • the key for the encryption is derived from a user-given password using PBKDF2.
    • a new initialization vector for the encryption is randomly generated with every file update
    • the encrypted data additionally starts with a random one-off string, to avoid any attack surface if the protected data set is very small.
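
The scheme described in the list above, as an added example in Node.js (not ProLock's own code, which is written in Rust). It assumes the readable data part is passed to ChaCha20-Poly1305 as associated data; the PBKDF2 hash, salt size and iteration count, the 16-byte prefix length, the JSON serialization and the names `seal` and `unseal` are also assumptions, since the page does not state them.

```javascript
// Added example, not ProLock's code: the readable part is authenticated as
// AEAD associated data, the secrets are encrypted with ChaCha20-Poly1305.
const crypto = require('node:crypto');

// Assumed parameters: the page names PBKDF2 but not hash, salt or iterations.
const KDF = { iterations: 600000, keyLen: 32, digest: 'sha256' };
const PAD_LEN = 16; // assumed length of the random one-off prefix

function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, KDF.iterations, KDF.keyLen, KDF.digest);
}

// readable: text of the unprotected sections; secrets: JSON-serializable value.
function seal(password, readable, secrets) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // fresh for every file update
  const cipher = crypto.createCipheriv('chacha20-poly1305',
    deriveKey(password, salt), nonce, { authTagLength: 16 });
  cipher.setAAD(Buffer.from(readable, 'utf8')); // binds readable part to ciphertext
  const plain = Buffer.concat([crypto.randomBytes(PAD_LEN),
    Buffer.from(JSON.stringify(secrets), 'utf8')]);
  const ciphertext = Buffer.concat([cipher.update(plain), cipher.final()]);
  return { salt, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Returns the secrets, or null if password, ciphertext or readable part is wrong.
function unseal(password, readable, box) {
  const decipher = crypto.createDecipheriv('chacha20-poly1305',
    deriveKey(password, box.salt), box.nonce, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(readable, 'utf8'));
  decipher.setAuthTag(box.tag);
  try {
    // final() throws on a Poly1305 mismatch, so no plaintext is released.
    const plain = Buffer.concat([decipher.update(box.ciphertext), decipher.final()]);
    return JSON.parse(plain.subarray(PAD_LEN).toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Constructed sample data: one entry with a single credential.
const readable = 'name: bank\ndescription: online banking';
const box = seal('correct horse', readable, [{ name: 'PIN', secret: '1234' }]);
console.log('unmodified file:', unseal('correct horse', readable, box));
console.log('edited description:', unseal('correct horse', readable + '!', box));
```

Because the one-off prefix and the nonce are random, saving the same secrets twice yields unrelated ciphertexts, and the ciphertext is never shorter than the prefix even for a tiny protected data set.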

Dependencies

~22–62MB
~1M SLoC