Show HN: I store my critical secrets and document, and communicate privately

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • portable-secret

    Better privacy without special software

    I think this is very cool, and from a cursory look you've made most of the right design choices (to the extent that the Web Crypto API allows).

    That being said, I think most security professionals (myself included!) aren't equipped to outright "crack" this kind of thing in just a few minutes, and most should know better than to think that their inability to do so implies soundness.

    With that in mind, here are some things I noticed (none of which represent an immediate break!)

    * You're using SHA-1 in your KDF. That's probably fine since PBKDF2 doesn't rely on the properties of SHA-1 that have been broken, but the Web Crypto API gives you better alternatives. You could switch it out for SHA2-256 here without any breakage to the rest of the scheme.

    * I'm not a JS expert, but I _think_ your encryption page might allow a confused user to reuse an IV[2]. Normally this wouldn't happen because the user would refresh or reload and trigger the `init` on page load, but it would probably be better to generate the IV on demand rather than having it wait in an HTML attribute.

    Again, very cool work! The fact that people can make these kinds of self-containing encrypted applications with Web APIs is a serious testament to how far the standards have progressed.

    [1]: https://github.com/mprimi/portable-secret/blob/3b22d2b42baf8...

    [2]: https://github.com/mprimi/portable-secret/blob/4de5e958fe6f8...

  • digi-cloak

    A web app that hides secrets in plain sight securely in images with the help of AES encryption and LSB steganography technique.

    > Prior art

    > I came up with Portable Secret on my own, but I have since found a few projects that do something similar.

    > https://github.com/kaushalmeena/digi-cloak

    > If you are aware of other similar projects, please let me know and I’ll link them here.

    Digi-Cloak appears to be an in-browser steganography tool, but this project looks more like an encrypted pastebin (e.g., PrivateBin [1]).

    [1] https://privatebin.info/

  • PrivateBin

    A minimalist, open source online pastebin where the server has zero knowledge of pasted data. Data is encrypted/decrypted in the browser using 256 bits AES.

  • html-vault

    Generates self-contained HTML files protecting secret text content.

    I wrote similar software for the same reasons. One goal for mine was that the generated output is small enough to quickly verify that the code sent to the browser is the one you expect.

    https://github.com/dividuum/html-vault

  • rainbow-table

    Discontinued simple rainbow-table implementation in node.js

    Yeah, plus they even give hints to the password complexity, so unless that is a red herring, this should be pretty simple to crack, if not CPU consuming.

    Just combine https://github.com/mejdoubi/rainbow-table and their algorithm together. It would probably take me a few hours to put together, but for someone who is very familiar with cryptography, it would be minimal work.

  • otp

    Serverless Magic Links and Magic Codes for Auth (by celzero)

    Not just QR code, maybe small enough secrets fit in a URL!

    See also the now defunct sharelock.io by Auth0: https://news.ycombinator.com/item?id=9109924

    For creating and later validating magic-links (using Web APIs), I encoded the IV, Salt, Cipher all in the URL as a single base64 token: https://github.com/celzero/otp/blob/cddaaa03f12f765fa8da9178...

    (Btw, reading through your code makes me wonder if I should pad the plaintext to match blocksize despite https://archive.is/NX7Y2)?

  • Fenix

    Discontinued ⚠️ Fenix (Firefox for Android) moved to a new repository. It is now developed and maintained as part of: https://github.com/mozilla-mobile/firefox-android

    On Android. It is a known issue which Mozilla don't seem to intend to fix: https://github.com/mozilla-mobile/fenix/issues/7546

  • pass

    🔑 YubiKey-sealed Secrets-as-Code for git. (by mihaigalos)

    Age is amazing. I'm using a Yubikey in conjunction with it to encrypt {passwords, docs} and commit them to a private GitHub repo.

    See here if interested: https://github.com/mihaigalos/pass

  • crypter

    Crypto keys encryption tools (by doomhz)

    That's a really nicely finished portable tool with great security in mind. I've built something like this a couple of months ago, trying to make it compatible with the OpenSSL lib encryption algo in case my GH account disappears one day. I never got to the image encryption part though. https://github.com/doomhz/crypter

  • dom-examples

    Code examples that accompany various MDN DOM and Web API documentation pages

  • encrypted-html-vault

    A utility for creating a secret vault inside an HTML file for maximum portability.

    I created something similar to this [1] a few years ago. Before the proliferation of web crypto apis, I just used a WASM’d libsodium. It adds some page weight but whatever…

    My use-case was for traveling, it seems like a good idea to have a backup photo of my passport and credit card in case I lose everything. Sure I could put it on Dropbox, but do I really want to log in to my entire Dropbox on someone else’s machine?

    Ironically, it has yet to be useful. Just a fun project inspired by the realization that you can base64 just about anything in an HTML document.

    1: https://github.com/ccorcos/encrypted-html-vault

  • OpenSSL

    TLS/SSL and crypto library

    GPG for sure, be very careful with "vim -x" as that's the only implementation of this (and I've found security issues in it before, it's frankly there for legacy compat).

    Annoyingly this uses AES-GCM (which is good!) but OpenSSL's command line tool can't cope with it: https://github.com/openssl/openssl/issues/12220

    It would be nice to have a command line tool to extract these files too, then you know the implementation is correct. (Blowing my own trumpet but my very old project paste.sh does this.)

  • isomorphic-webcrypto

    webcrypto library for Node, React Native and IE11+

    https://en.wikipedia.org/wiki/Argon2

    > There is no reason not to use Argon2

    In this case, the reason for not using Argon2 is that it's not available: https://www.w3.org/TR/WebCryptoAPI/

    > Well if this product isn't for mass-market

    This is a demo for self-contained HTML encrypted secrets. Do with it what you want.

  • Vim

    The official Vim repository

    Make sure to read this before using vim for anything crypto related! To sum things up, the vim maintainers are totally ignorant on the topic of cryptography, but what's worse is that they are highly stubborn and refuse to accept their ignorance while ignoring valid criticism from people who do know.

    https://github.com/vim/vim/issues/638

  • vimcrypt2

    Advanced vim plugin to encrypt files with openssl

    I have my vim extension for the purpose of keeping some private notes: https://github.com/MoserMichael/vimcrypt2

    You don't have to re-enter the key during each save, the plugin keeps the key during the vim session in an encrypted form (encrypted with a temp key).

  • emergency-contacts

    A static website with your personal emergency contacts

    I did something similar in the past and called it emergency contacts [1]. Basically an encrypted JSON that can be decrypted online. I use it to store emergency contact information in case I got stranded without any own device at hand.

    [1]: https://github.com/jwillmer/emergency-contacts
