noxcrux is a Django web application and API which allows you to manage password horcruxes to improve your online security.
The intended audience is people who are at least minimally aware of online security risks and already use a password manager.
noxcrux was inspired by the security mechanism of password salting/peppering and by the concept of horcruxes from the Harry Potter universe.
The aim of this project is to split passwords into multiple horcruxes to mitigate the single point of failure that a password manager introduces.
Password horcruxes are not 2FA/MFA and do not pretend to replace it. A password is a single factor (knowledge); noxcrux lets you distribute that one factor across multiple locations, it does not add a second one.
The project is still at an early development stage (see the features and the Kanban sections below), but the end goal is to offer users multiple servers to connect to, so that access to their online accounts no longer depends on a single place.
A web extension will be developed later to let end users easily manage their servers and to retrieve and assemble their complete password when they want to log in to a website.
Here is a link to a live demo of this project:
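To make the single-point-of-failure argument concrete, here is an added illustration of the idea, written for this page and not taken from noxcrux (the project's actual splitting and end-to-end encryption scheme is not documented here). It uses a plain XOR secret split: every horcrux but the last is random bytes, the last is the password XORed with all the others, so any location holding fewer than all of them holds only random bytes. The password is padded to a fixed block size first so that the horcrux length does not reveal the password length. Function names, the 32-byte block size and the sample password are my own choices.

```python
import secrets
from typing import List

BLOCK = 32  # pad to a multiple of this so a horcrux does not leak the password length


def _pad(data: bytes) -> bytes:
    """ISO/IEC 7816-4 style padding: a 0x80 marker followed by zero bytes."""
    padded = data + b"\x80"
    return padded + b"\x00" * (-len(padded) % BLOCK)


def _unpad(data: bytes) -> bytes:
    stripped = data.rstrip(b"\x00")
    if not stripped.endswith(b"\x80"):
        raise ValueError("corrupt or incomplete horcrux set")
    return stripped[:-1]


def split_password(password: str, n: int = 2) -> List[bytes]:
    """Split a password into n XOR horcruxes of equal length.

    The first n - 1 horcruxes are fresh random bytes; the last one is the
    padded password XORed with all of them. Any set of fewer than n horcruxes
    is uniformly random, so a single compromised location reveals nothing.
    """
    if n < 2:
        raise ValueError("need at least two horcruxes")
    secret = _pad(password.encode("utf-8"))
    horcruxes = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = bytearray(secret)
    for h in horcruxes:
        for i, b in enumerate(h):
            last[i] ^= b
    horcruxes.append(bytes(last))
    return horcruxes


def assemble_password(horcruxes: List[bytes]) -> str:
    """XOR every horcrux back together (order does not matter).

    Only the complete set yields the password; with any horcrux missing the
    XOR is random bytes and the padding or UTF-8 check fails with ValueError
    (UnicodeDecodeError is a ValueError subclass).
    """
    if not horcruxes:
        raise ValueError("nothing to assemble")
    length = len(horcruxes[0])
    if any(len(h) != length for h in horcruxes):
        raise ValueError("horcruxes must all have the same length")
    out = bytearray(length)
    for h in horcruxes:
        for i, b in enumerate(h):
            out[i] ^= b
    return _unpad(bytes(out)).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample password, not a real credential.
    parts = split_password("correct horse battery", 3)
    for i, part in enumerate(parts):
        print(f"horcrux {i}: {part.hex()}")
    print("assembled:", assemble_password(parts))
```

The availability trade-off is the flip side of this scheme: an XOR split needs every horcrux back, so losing one server means losing the password. A threshold scheme such as Shamir's secret sharing would let k of n horcruxes suffice, at the cost of a more involved reconstruction.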
https://hydrogen.noxcrux.com/
noxcrux is powered by Django, a well-known Python web framework, and by Django REST Framework for the API.
It also makes use of Bootstrap and jQuery for the web interface.
Here is a table with these main tools and their current versions:
Tool | Version |
---|---|
Django | 3.2 |
Django Rest Framework | 3.12 |
Bootstrap | 4.6 |
jQuery | 3.6 |
Here is a list of the main features provided by this project:
- Zero-Knowledge End-to-End Encrypted horcruxes
- Complete horcrux management
- Horcrux generator
- Horcrux sharing & friends management
- Personal account management
- Active sessions management
- 2-Factor authentication
- Self-served API reference
- Brute-force protection
- Easy & Secure deployment with Docker
Here is what you need to do to get a noxcrux server up and running. This is also the recommended way to install it for a development setup.
The commands below build the application straight from the sources; see the Docker instructions further down for a production-ready environment or to just get a server running quickly.
noxcrux is developed and tested on Debian-based GNU/Linux distributions, so the commands below target them, but you should be able to adapt them to your system.
Django is a Python web framework, so first you need Python and pip to install the required modules.
You probably already have both installed, but just in case, here are the commands.
sudo apt update && sudo apt upgrade
sudo apt install python3 python3-pip
Fetch the code from the repository and enter the folder.
git clone https://github.com/noxPHX/noxcrux.git && cd noxcrux
Install Django and the other modules.
pip3 install -r requirements.txt
Ideally, set up a virtual environment instead so that these modules do not mix with your host's packages.
sudo apt install python3-venv
python3 -m venv ./.venv/
source .venv/bin/activate
pip3 install -r requirements.txt
noxcrux makes use of Sass, so you need to compile the SCSS files into regular CSS files, because the compiled CSS is not tracked by git.
To install it, follow the instructions from https://sass-lang.com/.
A simple way is to grab the latest release from https://github.com/sass/dart-sass/releases and untar it somewhere in your PATH (the version pinned below was current when this was written):
wget -O /tmp/sass.tgz https://github.com/sass/dart-sass/releases/download/1.54.4/dart-sass-1.54.4-linux-x64.tar.gz
tar -xzf /tmp/sass.tgz -C /tmp
sudo mv /tmp/dart-sass/* /usr/local/bin
rm -r /tmp/sass.tgz /tmp/dart-sass
noxcrux uses PostgreSQL as its database engine. For an easy setup you can use Docker and Compose and simply run the following commands from the docker directory:
cd docker
echo 'noxcrux_db_passwd' > secrets/noxcrux_db_passwd.txt
docker-compose up -d noxcrux_db
The value written to secrets/noxcrux_db_passwd.txt must match the DB_PASSWORD variable (see the configuration table below). The one above is only the documented default; replace it with a random password for anything beyond a throwaway setup.
Otherwise, you can check how to install and configure PostgreSQL manually here.
To run the application properly, you might want to define some environment variables.
The table below lists each variable with its description, type and default value.
Variable | Description | Type | Default |
---|---|---|---|
DEBUG | Enable or disable debug mode | Boolean | True |
REGISTRATION_OPEN | Enable or disable user registration | Boolean | True |
NOXCRUX_INSTANCE | A name to display for your instance | String | PROD |
ALLOWED_HOSTS | Allowed hosts to access the application | Comma-separated values (eg "localhost,127.0.0.1") | * |
DB_HOST | Database IP address or hostname | String (eg "172.26.0.74" if using the noxcrux_db container) | 172.26.0.74 |
DB_PORT | Database port | String | 5432 |
DB_NAME | Database name | String | noxcrux |
DB_USER | Database user | String | noxcrux |
DB_PASSWORD | Database password | String | noxcrux_db_passwd |
CORS_ALLOW_ALL_ORIGINS | Enable or disable all origins for CORS | Boolean | False |
CORS_ALLOWED_ORIGINS | Allowed origins for CORS | Comma-separated values (eg "https://localhost,https://127.0.0.1") | http://localhost |
Note that the defaults are development conveniences: before exposing an instance, set DEBUG to False, restrict ALLOWED_HOSTS to your hostname and pick your own database password.
For the last step of the configuration, generate your Django secret key; the following command will suffice:
python3 -c 'from django.core.management.utils import get_random_secret_key; print(get_random_secret_key())' > secret_key.txt
If you cannot use Python (eg with the Docker setup), this plain shell command does the job:
tr -dc 'a-z0-9\!\@\#\$\%\^\&\*\(\-\_\=\+\)' < /dev/urandom | head -c 50 > secret_key.txt
Keep secret_key.txt out of version control and readable only by the account that runs the server; anyone holding it can forge sessions.
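As an added check, written for this page and not part of noxcrux, here is how the variables from the table above can be resolved with their documented defaults and then screened before a production deployment. The refusal rules, the settings dict keys and the function names are my own choices; the secret-key generator draws from the same 50-character alphabet as Django's get_random_secret_key(), so it can stand in for the one-liner where Django is not installed.

```python
import os
import secrets
from typing import Dict, List, Mapping, Optional

# Defaults exactly as documented in the configuration table.
DEFAULTS: Dict[str, str] = {
    "DEBUG": "True",
    "REGISTRATION_OPEN": "True",
    "NOXCRUX_INSTANCE": "PROD",
    "ALLOWED_HOSTS": "*",
    "DB_HOST": "172.26.0.74",
    "DB_PORT": "5432",
    "DB_NAME": "noxcrux",
    "DB_USER": "noxcrux",
    "DB_PASSWORD": "noxcrux_db_passwd",
    "CORS_ALLOW_ALL_ORIGINS": "False",
    "CORS_ALLOWED_ORIGINS": "http://localhost",
}

# The 50-character alphabet Django's get_random_secret_key() draws from.
SECRET_KEY_CHARS = "abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*(-_=+)"


def parse_bool(value: str) -> bool:
    """Strict boolean parsing: a typo such as 'Flase' must not silently become True."""
    v = value.strip().lower()
    if v in ("1", "true", "yes", "on"):
        return True
    if v in ("0", "false", "no", "off"):
        return False
    raise ValueError(f"not a boolean: {value!r}")


def parse_csv(value: str) -> List[str]:
    """Split the comma-separated variables, dropping blanks and surrounding spaces."""
    return [item.strip() for item in value.split(",") if item.strip()]


def load_settings(env: Optional[Mapping[str, str]] = None) -> dict:
    """Resolve every documented variable from env (os.environ by default)."""
    source = os.environ if env is None else env

    def get(name: str) -> str:
        return source.get(name, DEFAULTS[name])

    return {
        "DEBUG": parse_bool(get("DEBUG")),
        "REGISTRATION_OPEN": parse_bool(get("REGISTRATION_OPEN")),
        "NOXCRUX_INSTANCE": get("NOXCRUX_INSTANCE"),
        "ALLOWED_HOSTS": parse_csv(get("ALLOWED_HOSTS")),
        "DB_HOST": get("DB_HOST"),
        "DB_PORT": int(get("DB_PORT")),
        "DB_NAME": get("DB_NAME"),
        "DB_USER": get("DB_USER"),
        "DB_PASSWORD": get("DB_PASSWORD"),
        "CORS_ALLOW_ALL_ORIGINS": parse_bool(get("CORS_ALLOW_ALL_ORIGINS")),
        "CORS_ALLOWED_ORIGINS": parse_csv(get("CORS_ALLOWED_ORIGINS")),
    }


def generate_secret_key(length: int = 50) -> str:
    """Same alphabet and length as Django's helper, without importing Django."""
    return "".join(secrets.choice(SECRET_KEY_CHARS) for _ in range(length))


def production_issues(settings: dict, secret_key: str) -> List[str]:
    """Settings that are fine on a laptop but must not reach an exposed instance.

    Returns one message per problem; an empty list means the check passed.
    """
    issues: List[str] = []
    if settings["DEBUG"]:
        issues.append("DEBUG=True exposes tracebacks and settings on error pages")
    if "*" in settings["ALLOWED_HOSTS"]:
        issues.append("ALLOWED_HOSTS=* disables Django's Host header validation")
    if settings["CORS_ALLOW_ALL_ORIGINS"]:
        issues.append("CORS_ALLOW_ALL_ORIGINS=True lets any website call the API")
    if any(o.startswith("http://") for o in settings["CORS_ALLOWED_ORIGINS"]):
        issues.append("CORS_ALLOWED_ORIGINS contains a plaintext http:// origin")
    if settings["DB_PASSWORD"] == DEFAULTS["DB_PASSWORD"]:
        issues.append("DB_PASSWORD is still the documented default")
    if len(secret_key.strip()) < 50:
        issues.append("SECRET_KEY is shorter than the 50 characters Django generates")
    return issues


if __name__ == "__main__":
    # Screens the real environment; the generated key only stands in for secret_key.txt here.
    for issue in production_issues(load_settings(), generate_secret_key()):
        print("not production-safe:", issue)
```

Run it in the shell you will start gunicorn from: with no variables set it reports four problems (DEBUG, ALLOWED_HOSTS, the http://localhost CORS origin and the default database password), and it prints nothing once those are overridden.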
Before running the server, only the database migrations are left:
python3 manage.py migrate
Finally, start the server.
python3 manage.py runserver
The docker-compose.yaml file defines 3 services:
- noxcrux_db, a PostgreSQL container with a volume to persist the database
- noxcrux_web, which runs gunicorn serving the Python application
- noxcrux_nginx, an nginx container which terminates TLS and serves the static files through a volume shared with noxcrux_web
For a quick and easy setup you can use Docker and Compose; the following versions are the minimum requirements:
Tool | Version |
---|---|
Docker | 19 |
Compose | 1.29 |
No image is provided on Docker Hub (yet), so you need to build the image locally.
The instructions below are also valid for a production deployment.
First, fetch the code if you have not already and enter the folder.
git clone https://github.com/noxPHX/noxcrux.git && cd noxcrux
As before, you need to generate the secret key, and you might want to adjust the environment variables in the docker-compose.yaml file. Please refer to the Configuration section.
The Compose stack comes with an nginx container which needs a certificate and its private key, as well as Diffie-Hellman parameters.
For the certificate, you can get a free one from Let's Encrypt and place it in the docker/ssl folder.
Otherwise, you can quickly generate a self-signed certificate for testing purposes (browsers will warn about it, and a production environment needs a certificate issued by a trusted CA):
openssl req -x509 -newkey rsa:4096 -nodes -keyout docker/ssl/privkey.pem -out docker/ssl/fullchain.pem -days 365 -subj '/CN=localhost' -addext "subjectAltName=IP:127.0.0.1,IP:0.0.0.0"
Regarding the D-H parameters, generate them as follows:
openssl dhparam -out docker/ssl/dhparams.pem 4096
Depending on your machine, you might have time to grab a coffee ☕
When you are ready, these commands build the images and run the application.
docker-compose build
docker-compose up -d
Swagger UI is a tool which facilitates interaction with an API. It is integrated through drf-spectacular, so simply running the application provides your own API reference, which you can find by browsing to the /web/api/docs URL.
Alternatively, you can find it here: https://hydrogen.noxcrux.com/web/api/docs/
If you want to build your own OpenAPI schema, for instance to import it into your development tools, execute the following command.
python3 manage.py spectacular --file schema.yaml
You can find the project's Kanban in the dedicated GitHub section.
It lists upcoming features and backlog ideas.
Zero-Knowledge End-to-End Encryption of horcruxes is an important milestone of this project.
This feature has been released with the v2.0.0 tag and is open for review.
The security model behind it will be disclosed soon.
Pull requests are welcome. For major changes, please open a discussion first to talk about what you would like to change.
Please file an issue if anything isn't working the way it is expected.
Please see the dedicated Security Policy page.
Give a ⭐️ if you like this project and want to support it!