This was built to address a couple of use cases:
- Sending password-protected documents/zip files to clients and then sending additional messages with clear-text passwords - these could both end up staying in the clients' inbox or Slack messages indefinitely, giving anyone (now or in the future) access to those files.
- Sending / Receiving environment credentials from vendors/service providers
- Sending vendors/service providers debug information which includes sensitive information.
- Differing password managers - You need to send or receive a password but your contact uses LastPass and you use 1Password.
I also wanted to look into end-to-end encryption to see how other services make the "even we can't decrypt it" claim.
I wanted this to be low-cost and scalable so I have as little maintenance overhead as possible. I've built this using AWS and the following services:
- S3 - A few different buckets - one for hosting the static site and another for holding the secrets
- Lambda - handles storing, retrieving and deleting the secrets
- CloudFront - handles serving the static site and routing the requests to the appropriate Lambda function.
These 3 services require no intervention from me and should scale as much as they require. Also, as there is no "always-on" application or database server, billing should be small as I'll only be charged for storage and actual execution time (there are a couple of other billable bits but they are all relatively small).
Now I'd love to stick on analytics so I can see how many people are using this, but, given the sensitive nature of the information and in the interest of privacy, I've decided against installing analytics.
AWS does record some statistics, i.e. the number of executions of each Lambda function and CloudFront access logs (i.e. IP address and URL requested), so this is what I'll be relying on to give me an idea of usage. The numbers won't be entirely accurate due to things like trying to retrieve a secret for the 2nd time or errors due to bad copy and pasting of the URL, which all count as executions, but it will give me a rough ballpark figure.
Soon I'm hoping to complete an MVP of another project (Statisfy - https://twitter.com/getstatisfy) and use it to create a public dashboard of aggregated stats (number of passwords stored/retrieved, etc.) and make this available on Password Angel so anyone interested can see the usage.
Give it a try
I'd love it if you would give it a try and let me know how you get on, whether you would use it and, if not, why not. Any feedback is greatly appreciated.