Application Encryption

Password Pusher uses the AES-GCM algorithm to encrypt sensitive data in the database. To ensure the security of your instance, you can set a custom encryption key for each application instance.

Encryption Key

Note: The following documentation explains how to generate and set a custom encryption key for self-hosted instances of the application.

Setting a Custom Encryption Key

To set a custom encryption key, set the environment variable PWPUSH_MASTER_KEY:

PWPUSH_MASTER_KEY=0c110f7f8d93d2123f36debf8a24bf835f33f248681714776b336849b801f693

Generating a New Encryption Key

You can generate a new encryption key using the helper tool or through the command line in the application source using Lockbox.generate_key.

Helper Tool

The helper tool is available on pwpush.com and generates a new key on every page load.

Manually Generating a Key

Alternatively, you can generate a key locally using the following methods:

Docker

To generate a key using Docker, follow these steps:

Open an application console using the instructions in Application Console.
Run the following command:
```
Lockbox.generate_key
```

From Source

To generate a key from the source directory, follow these steps:

Run the following commands:
```
bundle
bin/pwpush console
```
Inside the application console, run the following command:
```
Lockbox.generate_key
```

Notes

If no encryption key is provided, a default key will be used.
For maximum security, it is recommended to use your own custom encryption key.
If you choose to use the default key, keep your instance secure and set short push expirations (e.g., 1 day/1 view) to minimize the risk.
Once a push expires, all encrypted data is deleted.
Changing an encryption key where old pushes already exist will make those older pushes unreadable. New pushes going forward will work fine.

Secret Key Base

The SECRET_KEY_BASE environment variable sets a secret key that is used for various security-related features, including session cookie encryption and other cryptographic operations.

Note: This is different from PWPUSH_MASTER_KEY which handles in DB encryption.

Generating

If you are getting logged out on every deploy, set this environment variable to a random string in your environment.

You can generate a new string by getting running ./bin/pwpush secret. In the Docker container, the full path would be /opt/PasswordPusher/bin/pwpush secret.

This will output a new, random generated string:

$) bin/pwpush secret
f7af32f6f51fff9df4e0ae9dd127a6588ab07d0988bd805ba5e650cb5399z30cc225aec2848c9c763549c31260203a751601e7ef28c2b7aa353ee533644c0d05
$) bin/pwpush secret
df04f112ff508f8f8aa92e942ffb0ed8b252cbd9ae59fadc7b69e1d3190439796e62f20c7b431ae1285682857183fb55c567223210b98a7558de6975499468b6
$) bin/pwpush secret
7ea591173da2443a65a3d601c3876fb63c3b75855e54a61dfc0bacd64d7748450d176c8b15218c6d11fa244a26a6d0c0214485e9356458606f075d002a503289

Set the SECRET_KEY_BASE environment variable for your application to keep consistently signed cookies through deploys.