Secure Share is a One-Time Password (OTP) service: a lean, efficient solution, similar in concept to Snappass but optimized for ease of use and low resource consumption, with a total size of only 16MB. Designed to work out-of-the-box, it requires no initial configuration, making it ideal for quick deployments and hassle-free setup.
- Lean and Efficient with a minimal footprint.
- No initial configuration required. Start using it immediately after deployment.
- Flexible Storage Options:
- Redis Store: Secure Share offers integration with a Redis backend.
- In-Memory Store: for quick testing or simpler use cases, an in-memory store is available, requiring no external dependencies.
- Robust Encryption: Utilizes the Fernet encryption algorithm. The Fernet key is derived a UUID with
pbkdf2, ensuring that the secret and the key are never stored together. - Ephemeral Secrets: Combines the TTL feature of the Fernet algorithm with the TTL of the store, guaranteeing that secrets are truly ephemeral.
- Secure password generator.
Following the recommendations from OWASP the Fernet key is derived from a UUID, salted with a random sequence and passed to pbkdf2 using 600000 iterations.
Running the service is as straightforward as executing the following command in the root of the repository:
docker compose up -d --buildthen you can test the UI by connecting to localhost:8080.
Here are all the environment variables that can be used:
| Variable | Description | Default Value | Notes |
|---|---|---|---|
REDIS_ADDR |
The address for the Redis server (if using Redis store). | redis:6379 |
Used when connecting to a Redis instance. |
REDIS_DB |
The name of the Redis database to use (if using Redis store). | "0" |
As a string. |
REDIS_DPASSWORD |
The password of the Redis instance. | "" |
For the K8s deployment see the Helm chart example. |
BASE_URL |
The base URL of the service. | localhost:8080 |
Useful for constructing URLs in responses. |
STORE_BACKEND |
Type of storage backend to use (redis or in-memory). |
in-memory |
Choose redis for persistence, in-memory for simplicity. The in-memory store will reset if the container is restareted. |
DEBUG_MODE |
Toggles debug mode for additional logging. | false |
Set to true for verbose logging during development or troubleshooting. |
TITLE |
The title visible at the top of the page. | "Secure Share" |
Can be the name of the company. |
SUBTITLE |
The subtitle visible at the top of the page. | "Share short-lived secret that can be accessed only once." |
Can be the company tagline. |
TLS_ENABLED |
Toggles TLS. | false |
Set to true enables TLS. |
CERT_FILE |
The path of the TLS certificate. | "" |
|
KEY_FILE |
The path of the TLS key. | "" |
Secure Share comes with a Helm chart for Kubernetes deployment. To install the chart first add the repo:
helm repo add secure-share https://lorenzophys.github.io/secure-sharethen you can install Secure Share by running:
helm install <release-name> secure-share/secure-shareHere some configuration examples.
# ...
ingress:
enabled: false
config:
env:
STORE_BACKEND: "in-memory"
DEBUG_MODE: "true"
redis:
enabled: false# ...
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: "nginx"
hosts:
- host: secure-share.yourcompany.com
paths: ["/"]
config:
env:
BASE_URL: "secure-share.yourcompany.com"
STORE_BACKEND: "in-memory"
redis:
enabled: false# ...
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: "nginx"
hosts:
- host: secure-share.yourcompany.com
paths: ["/"]
config:
env:
REDIS_ADDR: "secure-share-redis-master.default.svc.cluster.local:6379"
BASE_URL: "secure-share.yourcompany.com"
STORE_BACKEND: "redis"
redisAuth:
secretName: "secure-share-redis"
secretKey: "redis-password"
redis:
enabled: true
auth:
password: "secretpassword" # Don't do thisElastiCache is the AWS managed Redis service. To setup this correctly you need to:
- create a subnet group and associate all the Kubernetes cluster subnets that you want to have access to Redis.
- create a SecurityGroup with an inbound rule that:
- allows
TCPinbound traffic on port 6379 (or your custom one if you want to use another port) - uses as source a SecurityGroup that allows traffic to you k8s cluster's subnets
- allows
- set the
REDIS_ADDRvariable equal to the endpoint of the master node
# ...
config:
env:
REDIS_ADDR: "secure-share-example-0001-001.something.0001.euw1.cache.amazonaws.com:6379"
BASE_URL: "secure-share.yourcompany.com"
STORE_BACKEND: "redis"
# redisAuth only if your cluster requires authentication and you have the credentials
# stored in a secret.
# redisAuth:
# secretName: "secure-share-redis"
# secretKey: "redis-password"
redis:
enabled: false # We want to use an existing clusterThis project is licensed under the MIT License - see the LICENSE file for details.