Application Encryption
Password Pusher uses the AES-GCM algorithm to encrypt sensitive data in the database. To ensure the security of your instance, you can set a custom encryption key for each application instance.
Encryption Key
Note: The following documentation explains how to generate and set a custom encryption key for self-hosted instances of the application.
Setting a Custom Encryption Key
To set a custom encryption key, set the environment variable PWPUSH_MASTER_KEY
:
PWPUSH_MASTER_KEY=0c110f7f8d93d2123f36debf8a24bf835f33f248681714776b336849b801f693
Generating a New Encryption Key
You can generate a new encryption key using the helper tool or through the command line in the application source using Lockbox.generate_key
.
Helper Tool
The helper tool is available on pwpush.com and generates a new key on every page load.
Manually Generating a Key
Alternatively, you can generate a key locally using the following methods:
Docker
To generate a key using Docker, follow these steps:
- Open an application console using the instructions in Application Console.
- Run the following command:
Lockbox.generate_key
From Source
To generate a key from the source directory, follow these steps:
- Run the following commands:
bundle bin/pwpush console
- Inside the application console, run the following command:
Lockbox.generate_key
Notes
- If no encryption key is provided, a default key will be used.
- For maximum security, it is recommended to use your own custom encryption key.
- If you choose to use the default key, keep your instance secure and set short push expirations (e.g., 1 day/1 view) to minimize the risk.
- Once a push expires, all encrypted data is deleted.
- Changing an encryption key where old pushes already exist will make those older pushes unreadable. New pushes going forward will work fine.