[Security] One Time Secret using cryptgeon

Sarvsav Sharma (goismo)
Jul 22, 2023

cryptgeon is a secure, open source note / file sharing service inspired by PrivNote written in rust & svelte.

Source: Cryptgeon

In earlier days, people used pigeons to carry messages from one place to another; in today’s era the data travels over the network, and cryptgeon is one of the best tools for sharing your secrets that way.

Use case:

  1. We share a lot of service-user credentials and API keys over MS Teams or Slack in plain text, and those passwords stay there forever unless someone deletes them manually.
  2. We never know whether the secret has been viewed by someone else.

Solution: Cryptgeon 🕊️

An open source solution, written in Rust and Svelte. The tool includes the server, the web page and a CLI client, and the source code can be found here.

Features:

  1. Security: Encryption happens on the client side, so the server cannot decrypt the message.
  2. Message type: A note can be either a file or a text.
  3. Number of views: A view limit can be set on a secret or file, so it expires after it has been viewed that many times.
  4. Custom password: A password can also be added to unlock the link content.
  5. Time limit: A time limit can also be set on the link’s validity.
  6. Theme: It has a dark as well as a light theme, and the two can be switched easily based on preference.

How does it work?

Each note has a generated id (256 bit) and key (256 bit). The id is used to save and retrieve the note. The note is then encrypted with AES in GCM mode on the client side with the key and then sent to the server. Data is stored in memory and never persisted to disk. The server never sees the encryption key and cannot decrypt the contents of the notes even if it tried to.
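The scheme in that paragraph, modelled end to end as an added example (this is not cryptgeon’s own code, which is Rust and Svelte): the sender generates a 256-bit id and a 256-bit key, encrypts with AES-256-GCM locally, and uploads only the ciphertext under the id; the server stores the blob in memory and never receives the key, so it cannot decrypt even if it tried. The example also folds in the view limit and time limit from the Features list above. The Go map standing in for the in-memory store, the `Put`/`Get` server API, the nonce-prefixed blob layout and the function names are assumptions made for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// note is all the server holds: an opaque blob plus view and time limits.
type note struct {
	blob      []byte // nonce || AES-GCM ciphertext || tag
	viewsLeft int
	expiresAt time.Time
}

// Server is the in-memory store keyed by hex id (single goroutine, no locking).
type Server struct{ notes map[string]*note }
func NewServer() *Server { return &Server{notes: map[string]*note{}} }
var ErrGone = errors.New("note not found, already consumed, or expired")

// Put stores the blob under id; the key never reaches this function.
func (s *Server) Put(id string, blob []byte, maxViews int, ttl time.Duration, now time.Time) {
	s.notes[id] = &note{blob: blob, viewsLeft: maxViews, expiresAt: now.Add(ttl)}
}

// Get consumes one view; the last view or an expired note deletes it, so a later fetch fails.
func (s *Server) Get(id string, now time.Time) ([]byte, error) {
	n, ok := s.notes[id]
	if !ok || now.After(n.expiresAt) {
		delete(s.notes, id)
		return nil, ErrGone
	}
	if n.viewsLeft--; n.viewsLeft <= 0 {
		delete(s.notes, id)
	}
	return n.blob, nil
}

// mustRand returns n cryptographically random bytes (32 for a 256-bit id or key).
func mustRand(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM and prefixes the random 96-bit nonce.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := mustRand(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; a wrong key or a modified blob fails the GCM tag check.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// ShareOnce is the sender side: make a 256-bit id and key, encrypt locally, upload only the blob.
func ShareOnce(s *Server, secret string, maxViews int, ttl time.Duration, now time.Time) (string, []byte, error) {
	id, key := hex.EncodeToString(mustRand(32)), mustRand(32)
	blob, err := Seal(key, []byte(secret))
	if err != nil {
		return "", nil, err
	}
	s.Put(id, blob, maxViews, ttl, now)
	return id, key, nil
}

// ReadNote is the reader side: fetch by id (consuming one view), decrypt locally.
func ReadNote(s *Server, id string, key []byte, now time.Time) (string, error) {
	blob, err := s.Get(id, now)
	if err != nil {
		return "", err
	}
	pt, err := Open(key, blob)
	return string(pt), err
}
```

The values the share link carries are the id and the key returned by `ShareOnce`; only the id is ever sent to `Get`. With `maxViews` set to 1, the second `ReadNote` call returns `ErrGone`, which is exactly the signal the intended recipient relies on: if the note is already gone when they open the link, someone else opened it first and the credential should be rotated.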

How to install?

The author has provided a docker-compose.yml file in which the options can be configured manually:

# docker-compose.yml
# Source: https://github.com/cupcakearmy/cryptgeon

version: '3.8'

services:
  redis:
    image: redis:7-alpine
    # Set a size limit. See link below on how to customise.
    # https://redis.io/docs/manual/eviction/
    # command: redis-server --maxmemory 1gb --maxmemory-policy allkeys-lru

  app:
    image: cupcakearmy/cryptgeon:latest
    depends_on:
      - redis
    environment:
      # Size limit for a single note.
      SIZE_LIMIT: 4 MiB
    ports:
      - 80:8000

    # Optional health checks
    # healthcheck:
    #   test: ["CMD", "curl", "--fail", "http://127.0.0.1:8000/api/live/"]
    #   interval: 1m
    #   timeout: 3s
    #   retries: 2
    #   start_period: 5s

Alternatively, the image is available on Docker Hub and can be pulled with docker:

docker pull cupcakearmy/cryptgeon

How to use?

Add your secret message in the text box and click Create.

It returns a link that can be shared over Slack or MS Teams.

This link can be opened only once. Share it with your team member; once the link is accessed, it shows the window below:

Click Show note to see the message.

And here is your secret message, password or API key. Now try to access the link again.

The note is deleted. So if someone intercepts the link while it is being shared, the sender and receiver will know it has been compromised, because the note is viewable only once, and they can rotate the password or keys.

We use it internally for sharing service-user credentials and links, to enhance security.

Thank you for reading the article. ❤
