Open Sourcing the Enterprise Password Safe
Some of those who know me may have heard me talk about an Enterprise Password Safe product which I built and worked on from the mid-2000’s up until shortly before joining Facebook. Now I’ve left Facebook and I’ve been looking over my old repos and realised that it’s a project that could benefit from being open-sourced and so I’ve done so via a company I’ve recently acquired an interest in.
I’ve put together a FAQ here which should help you understand what it is and the shape the code is in;
What is it?
The TLDR is that it’s a multi-user, audited, Java webapp which acts as a centralised password storage system. It’s like LastPass, 1Password, etc., but instead of being designed to be a cloud service it was designed and built to be installed wherever a customer wanted (usually in a secure, on-site server room or data center).
It worked with a variety of databases (including SQL Server, Oracle, DB2, MySQL, PostgreSQL, and HSQLDB) which were used to store the sensitive information, and could be installed in any servlet engine which has Java 5 support (yes, it’s that old ;)). Customers would install it, provide the JDBC connection details for the database, and then use it as needed.
It used PKCS5-3, AES, RSA to secure passwords via a cryptographic chain which meant that without a password it was extremely difficult to obtain the password (I never say impossible in relation to crypto).
Who used it?
The EPS was used by a range of companies from SMBs through to multi-nationals and government departments. I’m not going to provide a complete customer list in order to respect the confidentiality that some customers expressed when purchasing licenses, but some of the companies which have been listed publicly as customers in the past include Boeing, Fortis Bank, Nike, Red Bull, The Swedish National Debt Office, The UK Pension Regulator, and The US Federal Aviation Authority.
Why open source it?
Currently I’m considering what to do next, and I don’t think the EPS is the way to go. The password storage market has changed a lot in recent years and I don’t believe there’s a viable option to start and build a company around a closed-source password solution which hasn’t been actively developed in a few years.
What shape is the code in?
This is the embarrassing bit for me; When I started talking to Facebook about joining them the EPS was mid-way through an update to use Bootstrap for the UI, and, well, that didn’t get finished, so it’s only half complete and parts aren’t fully working.
The code was developed for over a decade and so you’ll probably find lots of things which could be “done better”, so please feel free to submit pull requests for improvements (as long as they include tests).
So you’re throwing out a half-baked product?
You could see it like that, or you could look at it as open sourcing a product which, for many years, served a lot of people. I’m not forcing anyone to use or contribute to it, but I felt that even if a few people find it useful then it’s worth open sourcing rather than leaving the code in a private repo for ever more.
Where can I find the code?
The code is on GitHub at https://github.com/carbonsecurity/enterprisepasswordsafe, it’s taken from the development head of the private repo it was being developed from. The history of the private repo contains information which is sensitive (API keys, customer request information, etc.) which is why a snapshot is being made available rather than the complete history.
I’ve got a question!
Please use the GitHub issue tracker for issues with the code, or post below