[BBLISA] Systems for Organizing Shared Secrets

Edward Ned Harvey (bblisa4) bblisa4 at nedharvey.com
Fri Mar 28 07:03:02 EDT 2014


> From: Neil Schelly [mailto:neil at jenandneil.com]
> 
> * I'm looking for something that is akin to a multi-user KeePassX-like database
> that lets us have users authenticate to the database, get access to only the
> secrets they should see, 

What I've used before - and I'm not absolutely in love with, but it works - is actually KeePass.  As follows:

Each user creates a personal repo using their Windows credentials.  (So they don't have to enter a password; keepass is automatically authenticated because they're logged in as themselves.)  Inside there, you store a really long password, for a second keepass volume.  The point is, you break out all the credentials into groups for restricted access.  You have one "master" group, which contains the keys to all the other groups, and then, if you have an office in US and CA and GB, you have the separate US and CA and GB keepass repositories.  You give your US employees the key to the US repo, and so on.

Each user has the relevant keepass databases on their laptop/workstation.  And each one is configured to sync up with a keepass repo in a centralized network file store.

The only two or three things I didn't like about this setup were:

It was a little bit of a hassle to set up.  And the "triggers" to sync against the centralized server weren't very dynamic - the best we could do was automatically sync upon file open or save.  Some users would keep their keepass open all the time, and basically never change anything so basically never save, and therefore basically never sync to the server to download latest changes from other users.

The description I gave above sounds like using the system would be a hassle, but honestly, it wasn't.  I would right-click my keepass icon, and my personal repo.  And then I would select the entry for the master database, hit "Copy."  Then right-click my keepass icon, and the master repo.  Paste.  In all of 3 seconds and 5 mouse clicks, I'm securely strongly authenticated and synchronized.


> so that applications can access
> the credentials they may need.

Yeah - I'm not sure if that fits at all into the keepass world.


> * I'm also looking for an SSL key management tool, letting users and systems
> generate keys according to their permissions without having to know the CA
> passphrase, possibly integrated with some sort of HSM to further the
> encryption generators and protection of the keys.

I've certainly done this sort of thing in Microsoft Certificate Server.  I think if you check alternativeto.com, or just Google for free/open source alternatives to MS cert server, you should find something.  But the last I heard, the state of the world wasn't very good in that area.
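The layered layout Ned describes (a personal vault that only holds the long passwords for the group vaults a user has been granted, plus a "master" vault holding the passwords for every group) can be modelled in a few dozen lines. The following is an added example, not code from the post or from KeePass: it uses a constructed encrypt-then-MAC stream construction (PBKDF2 key derivation, HMAC-SHA256 in counter mode as the keystream, HMAC tag for integrity) so it runs with the Python standard library only; it is not KeePass's file format, and all secrets, user names and the `alice-login`/`admin-login` stand-ins for Windows credentials are constructed sample values. The point it shows is the access property of the design: a US employee's personal vault opens the US group and nothing else, while an admin reaches any group only by going through the master vault.

```python
"""Toy model of a layered vault layout: personal vault -> (master vault ->) group vault.
Constructed example. The cipher below is an illustrative encrypt-then-MAC
construction for a self-contained demo, NOT KeePass's on-disk format."""
import hashlib
import hmac
import json
import os
import secrets

PBKDF2_ROUNDS = 100_000  # assumption: adequate for a demo; tune for real deployments


def _derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from a password and salt."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, dklen=32)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (demo only)."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal_vault(password: str, entries: dict) -> bytes:
    """Encrypt a dict of secrets under a password; returns salt|nonce|tag|ciphertext."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def open_vault(password: str, blob: bytes) -> dict:
    """Decrypt a vault; raises PermissionError when the password (hence MAC key) is wrong."""
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("wrong password or tampered vault")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def build_layout() -> dict:
    """Build the layout from the post: regional group vaults, a master vault that
    holds their passwords, and personal vaults holding only each user's grants.
    All secrets are constructed sample values."""
    group_passwords = {region: secrets.token_urlsafe(32) for region in ("US", "CA", "GB")}
    group_vaults = {
        "US": seal_vault(group_passwords["US"], {"us-db": "us-secret-1"}),
        "CA": seal_vault(group_passwords["CA"], {"ca-db": "ca-secret-1"}),
        "GB": seal_vault(group_passwords["GB"], {"gb-db": "gb-secret-1"}),
    }
    master_password = secrets.token_urlsafe(32)
    master_vault = seal_vault(master_password, group_passwords)
    # In the post the personal vault opens with Windows credentials; a per-user
    # password stands in for that here (assumption).
    personal_vaults = {
        "alice": seal_vault("alice-login", {"US": group_passwords["US"]}),
        "admin": seal_vault("admin-login", {"master": master_password}),
    }
    return {"groups": group_vaults, "master": master_vault, "personal": personal_vaults}


def read_group(layout: dict, user: str, login: str, region: str) -> dict:
    """Walk the chain personal -> (master ->) group, like the copy/paste in the post."""
    grants = open_vault(login, layout["personal"][user])
    if region in grants:
        group_password = grants[region]
    elif "master" in grants:
        group_password = open_vault(grants["master"], layout["master"])[region]
    else:
        raise PermissionError(f"{user} holds no key for {region}")
    return open_vault(group_password, layout["groups"][region])


if __name__ == "__main__":
    layout = build_layout()
    print("alice/US:", read_group(layout, "alice", "alice-login", "US"))
    print("admin/GB:", read_group(layout, "admin", "admin-login", "GB"))
```

Two design points carry over to the real setup: a wrong group password is rejected by the integrity tag before any plaintext is produced, and revoking a region from a user means re-keying that group vault and re-issuing the new password through the master vault, since the user's personal vault still holds the old one.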
