So here’s the deal at my day gig. I’m sure you all have something similar. There are a number of shared service account, or web portal passwords that your team uses and you want to make sure that only authorized people get to them. Some security experts frown on this, while others suggest this. I’m not going to get into that argument in this post, I am just going to write about what I stood up for my company that looks like it will work for our needs.
So the other day my boss asked us to start looking at a central password vault where we can manage all of our secure passwords. He wanted to make it so we could store all shared company passwords in one place. He also wanted to be able to control which groups had access to which passwords. He also didn’t want to spend any money. When I hear that, I immediately start looking in Linux and Open Source.
It took me a while to find, but I think I found the right solution. Now if you are scared of Linux, don’t worry, this solution works on a Windows server too. I however set it up in Ubuntu Linux Server edition, so that is what I will post about. The tool is called Web KeePass. It is a Java web-based port of the popular KeePass password safe. When I say web-based, that means a central server repository of your sensitive credentials.
With it you can store your passwords using AES, 3DES, Blowfish, Serpent or other encryption algorithms to ensure your credentials stay safe. You can also configure multiple users, and groups to control who has access to certain passwords. Since it’s open source, it also means it is free! Sounds like I am meeting all my boss’s requirements.
To set it up in Ubuntu do the following:
- First install Java SDK
sudo apt-get install default-jdk
- Next Install unzip
sudo apt-get install unzip
- Download the Web Keepass install pack
- Create a directory called wkp in /opt
sudo mkdir /opt/wkp
- Unzip the Web KeePass install pack
- Change into the Web Keepass Install folder
- Make the Install-no-gui.sh file executable
sudo chmod +x Install-no-gui.sh
- Execute the Install-no-gui.sh file
- Enter the following info when prompted
Installation Path: /opt/wkp
JAVA_HOME Path: /usr/lib/jvm/java-6-openjdk
Tomcat HTTPS/SSL Port: 443
(Leave the rest as defaults)
- Change into the /opt/wkp directory
- Make startup.sh executable and set permissions
sudo chmod a+x ./startup.sh
sudo chmod a+x ./jakarta-tomcat-5.5.7/bin/*.sh
- Run startup.sh to launch your new server
- You can now browse to your KeePass Web Server at https://youruserver
Simple right? You could stand this thing up in under 10 minutes if your wanted to, and have a really secure place to store your sensitive passwords. If you want to make sure Web Keepass starts at bootup, add the following lines to /etc/rc.local right before exit 0:
What do you guys think? Do you know of a similar password vault solution? One that is web-based? I would love to hear about your favorites in the comments.