Introducing Fortanix DSM Password Manager
You may see this as "yet another password manager" blog post, and maybe that's true. Having many options for a secure password manager is a good position to be in, certainly for anyone who has hundreds if not thousands of passwords for various web and system administration tasks.
When I first came across Fortanix Data Security Manager early last year (when I first joined the young company), I learned that it can also act as a secrets management tool with HSM-grade security for secrets storage. Knowing that the online SaaS service hosted at Equinix is both SOC and PCI compliant, I wanted to see how well it could replace my current and future password management needs.
Introducing the Fortanix DSM Password Manager v0.3.0 or DSMPass for short!
You may be more familiar with the Web UI that Fortanix DSM provides to fetch your passwords or secrets.
But for me personally, a command line tool that works on my Mac, Linux or WSL terminal would be easier to fetch or create new passwords or secrets in my DSM environment.
If you are already a customer of Fortanix, head over to support.fortanix.com to ask for a copy of the DSMPass tool. Today, the tool isn't quite browser ready, yet (since it's all command line based), and it means it's still in private beta. But I hope some day soon this becomes a tool that can be used by consumers on browsers and perhaps on mobile devices at some stage.
For now, let's take a look at how this works on the command line.
Installation / Setup
Installing DSMPass is as simple as copying the executable file somewhere accessible. On a Mac or Linux system, this is typically your "/usr/local/bin" directory; on Windows, you just need to set the %PATH% environment variable to a folder of your choice.
Once the DSMPass executable has been copied, you then can run the dsmpass command:
$ dsmpass
Print the contents of the DSM Password Manager. If you have not yet initialized your DSM Password Manager, it is necessary to run the init command in order to create your dsmpass directory, and initialise/synchronise your DSM account and secrets.

Usage:
  dsmpass [flags]
  dsmpass [command]

Available Commands:
  create-secret  Create a secret in DSM Password Manager.
  db             Manage database secret in DSM Password Manager.
  help           Help about any command.
  init           Initialize DSM Password Manager.
  remove         Remove a secret from DSM Password Manager.
  show-secret    Show a secret in DSM Password Manager.
  show-ssh       Print a SSH public key in DSM Password Manager.
  sync           Synchronise all secrets in DSM Password Manager.
  version        Print the version of DSM Password Manager.

Flags:
  -h, --help   help for dsmpass

Use "dsmpass [command] --help" for more information about a command.
If this is the first time running the command on your system, you'll be greeted with a simple help screen as per the above. In order for DSMPass to work, it needs to initialise your connection to your Data Security Manager:
$ dsmpass init
Please enter DSM endpoint: <your endpoint>
Please enter account: <your account_id>
Please enter username: <your email>
Please enter password: <your password>
Please enter master password: <your master password>
Created directory to store DSM Password Manager config: /path/to/home/.dsmpass
DSM Password Manager successfully initialised.
You'll notice that a metadata folder "/path/to/home/.dsmpass" has been created. DSMPass encrypts your endpoint, account id, username and password locally (all secured using your master password), while the secrets themselves are stored on Fortanix Data Security Manager. So no passwords/secrets are ever stored on anyone's local system; only the reference or the metadata to the passwords/secrets is stored.
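A way to check that claim on your own machine, as an added example that is not part of DSMPass or Fortanix code: it audits the metadata directory for group/other access bits and for plaintext copies of values you typed at init. The function names are hypothetical, no file names inside the directory are assumed, and the marker strings (for example your endpoint or username) are supplied by you.

```bash
#!/bin/sh
# Added example: audit a DSMPass-style metadata directory.
# Assumption: the directory is the one `dsmpass init` reported; nothing is
# assumed about the files inside it.

# Print every entry under DIR that grants any group/other permission bit.
# Symlinks are skipped because their mode bits are not meaningful.
loose_perms() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Print files under DIR that contain any of the marker strings in plaintext.
# Markers are fixed strings (grep -F), e.g. the endpoint or username you
# entered at init; if local encryption works as described, none should match.
plaintext_hits() {
    scan_dir=$1; shift
    for marker in "$@"; do
        grep -rlF -- "$marker" "$scan_dir" 2>/dev/null || true
    done | sort -u
}

# Return 0 when the directory is clean, 1 on any finding, 2 if it is missing.
audit_dsmpass_dir() {
    audit_dir=$1; shift
    [ -d "$audit_dir" ] || { echo "missing: $audit_dir" >&2; return 2; }
    rc=0
    found=$(loose_perms "$audit_dir")
    if [ -n "$found" ]; then
        echo "readable/writable/searchable by group or others:"
        echo "$found"
        rc=1
    fi
    if [ "$#" -gt 0 ]; then
        found=$(plaintext_hits "$audit_dir" "$@")
        if [ -n "$found" ]; then
            echo "plaintext marker found in:"
            echo "$found"
            rc=1
        fi
    fi
    return "$rc"
}
```

Call it as `audit_dsmpass_dir /path/to/home/.dsmpass "<your endpoint>" "<your email>"`; a non-zero exit status means a finding was printed.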
Once the DSMPass has been initialised, you can now start generating or deleting passwords/secrets as you need. If you already have some secrets created in your Data Security Manager tenant or if you are setting up DSMPass on a new laptop you are using, simply synchronise the metadata:
$ dsmpass sync
Enter master password:
U2F Authentication is enabled.
Failed to find any devices
If you don't have 2FA enabled, then this would have synchronised all your passwords/secrets from Fortanix Data Security Manager. In my case, my Data Security Manager account has 2FA enabled with my U2F Yubikey, hence it complained that my laptop couldn't find any U2F devices. Plug in your Yubikey and attempt the sync again:
$ dsmpass sync
Enter master password:
U2F Authentication is enabled.
Waiting for Authentication..
After I press the button on the Yubikey, my passwords/secrets should have synchronised:
$ dsmpass
.
├──Some_Test
| └──some.example.com
DSMPass is finally initialised! Let's see how it all works!
Let's start with password/secret generation. The command is "create-secret". If you ever get a command wrong for whatever reason, you'll note that it will suggest the correct one:
$ dsmpass create
Error: unknown command "create" for "dsmpass"
Did you mean this?
create-secret
Run 'dsmpass --help' for usage.
So we'll try with the correct command and the usage is simple: "create-secret <group> <name> <optionally a username>". Again, I'll need to authenticate using my U2F key as well:
$ dsmpass create-secret test example.com email@example.com
Enter master password:
U2F Authentication is enabled.
Waiting for Authentication..
In some instances, you might already have a password/secret you want to store manually. You can use the "--supply / -s" option to provide it yourself:
$ dsmpass create-secret test name.example.com username -s
Enter password for name.example.com:
Enter master password:
U2F Authentication is enabled.
Waiting for Authentication..
Once that completes, the password/secret has been created, and I can display it using the "show-secret" command. For every one of these sensitive commands, I'll need to press the U2F button:
$ dsmpass
.
├──test
| └──example.com
$ dsmpass show-secret test example.com
Enter master password:
U2F Authentication is enabled.
Waiting for Authentication..
Username: firstname.lastname@example.org
Password: <redacted>
If you prefer to copy the password to your clipboard you can always use the "-c" option:
$ dsmpass show-secret test example.com -c
This will only show the username on your console and the password/secret would be copied to your clipboard.
We can also remove or delete a password or secret in case you no longer require it. A simple "remove" command will suffice:
$ dsmpass remove test example.com
Enter master password:
U2F Authentication is enabled.
Waiting for Authentication..
And now the password/secret is gone:
$ dsmpass
.
Do note that once the password/secret is removed, it is deleted within Fortanix DSM as well. Everything is audit logged, as it should be.
Some may have noticed in the help output that DSMPass has other commands, such as "db", "show-ssh" and so on. I'll look to cover these in another blog post very shortly.
For now, feedback is welcome and let us know what you think of the latest DSM Password Manager!