Password Pusher uses the AES-GCM algorithm to encrypt sensitive data in the database. To ensure the security of your instance, you can set a custom encryption key for each application instance.

Encryption Key

Note: The following documentation explains how to generate and set a custom encryption key for self-hosted instances of the application.

Setting a Custom Encryption Key

To set a custom encryption key, set the environment variable PWPUSH_MASTER_KEY:

PWPUSH_MASTER_KEY=0c110f7f8d93d2123f36debf8a24bf835f33f248681714776b336849b801f693

Generating a New Encryption Key

You can generate a new encryption key with the helper tool, or from an application console in the application source by calling Lockbox.generate_key.

Helper Tool

The helper tool is available on pwpush.com and generates a new key on every page load.

Manually Generating a Key

Alternatively, you can generate a key locally using the following methods:

Docker

To generate a key using Docker, follow these steps:

  1. Open an application console using the instructions in Application Console.
  2. Run the following command:
    Lockbox.generate_key
    

From Source

To generate a key from the source directory, follow these steps:

  1. Run the following commands:
    bundle
    bin/pwpush console
    
  2. Inside the application console, run the following command:
    Lockbox.generate_key
    

Notes

  • If no encryption key is provided, a default key will be used.
  • For maximum security, it is recommended to use your own custom encryption key.
  • If you choose to use the default key, keep your instance secure and set short push expirations (e.g., 1 day/1 view) to minimize the risk.
  • Once a push expires, all encrypted data is deleted.
  • Changing an encryption key where old pushes already exist will make those older pushes unreadable. New pushes going forward will work fine.
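
The sketch below is an added example, not code from Password Pusher or Lockbox. It checks a candidate PWPUSH_MASTER_KEY before deployment and shows, with Ruby's standard-library AES-256-GCM, why data written under one key cannot be read under another. The function names and the blob layout are constructed for illustration, and the 64-hex-character key format is an assumption taken from the sample key above.

```ruby
require "openssl"
require "securerandom"

# Sample value printed in the documentation above; it is public, so never deploy it.
DOCUMENTED_EXAMPLE_KEY = "0c110f7f8d93d2123f36debf8a24bf835f33f248681714776b336849b801f693"

# Stand-in for Lockbox.generate_key (assumption: 32 random bytes as 64 hex characters).
def generate_key
  SecureRandom.hex(32)
end

# Problems with a candidate PWPUSH_MASTER_KEY; an empty list means it is acceptable.
def master_key_problems(key)
  return ["not set"] if key.nil? || key.empty?
  problems = []
  problems << "must be 64 hex characters (32 bytes)" unless key.match?(/\A\h{64}\z/)
  problems << "is the published documentation example" if key.casecmp?(DOCUMENTED_EXAMPLE_KEY)
  problems
end

# AES-256-GCM; the nonce + tag + ciphertext layout is this example's own, not Lockbox's.
def encrypt(hex_key, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = [hex_key].pack("H*")
  nonce = cipher.random_iv
  ciphertext = cipher.update(plaintext) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Returns the plaintext, or nil when the key is wrong or the data was modified.
def decrypt(hex_key, blob)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = [hex_key].pack("H*")
  cipher.iv = blob.byteslice(0, 12)
  cipher.auth_tag = blob.byteslice(12, 16)
  (cipher.update(blob.byteslice(28..-1)) + cipher.final).force_encoding("UTF-8")
rescue OpenSSL::Cipher::CipherError
  nil
end

if __FILE__ == $PROGRAM_NAME
  old_key, new_key = generate_key, generate_key
  blob = encrypt(old_key, "constructed-secret") # constructed sample push payload
  p master_key_problems(DOCUMENTED_EXAMPLE_KEY)
  p decrypt(old_key, blob)  # readable with the key it was written under
  p decrypt(new_key, blob)  # nil: unreadable after the key changes
end
```

Because GCM authenticates the ciphertext, decrypting under a different key fails outright instead of returning garbage, which is why pushes created before a key change become unreadable.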
