{"id":13633293,"url":"https://github.com/dividuum/html-vault","last_synced_at":"2025-04-18T10:34:27.838Z","repository":{"id":51939817,"uuid":"233909943","full_name":"dividuum/html-vault","owner":"dividuum","description":"Generates self-contained HTML files protecting secret text content.","archived":false,"fork":false,"pushed_at":"2022-11-06T13:18:23.000Z","size":10,"stargazers_count":142,"open_issues_count":0,"forks_count":3,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-08-01T23:31:07.594Z","etag":null,"topics":["secret-storage","self-contained"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dividuum.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-01-14T18:37:21.000Z","updated_at":"2024-07-09T03:57:20.000Z","dependencies_parsed_at":"2022-08-23T12:11:19.196Z","dependency_job_id":null,"html_url":"https://github.com/dividuum/html-vault","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dividuum%2Fhtml-vault","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dividuum%2Fhtml-vault/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dividuum%2Fhtml-vault/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dividuum%2Fhtml-vault/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dividuum","download_url":"https://codeload.github.com/dividuum/html-vault/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223779615,"owners_count":17201209,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["secret-storage","self-contained"],"created_at":"2024-08-01T23:00:32.826Z","updated_at":"2024-11-09T02:31:40.482Z","avatar_url":"https://github.com/dividuum.png","language":"Python","funding_links":[],"categories":["Uncategorized"],"sub_categories":["Uncategorized"],"readme":"# html-vault\n\nCreate self-contained HTML pages protecting secret information. Usage:\n\n```\nhtml-vault ~/Document/secret.txt protected.html\n```\n\n**Here's an [example HTML file](https://dividuum.de/html-vault-example.html) (password is \"thisisanexample\")**\n\nWhen called, the program requires you to enter a password. It will then\ngenerate the HTML output file. This may take a moment. Once completed, the\ngenerated `protected.html` file is a self-contained HTML file with the\ncontent of `secret.txt` embedded in a way that it can only be accessed if the\npassword is known. You might then place this file on a hidden url\nfor later access.\n\nIf `secret.txt` happens to start with a `\u003c` character, HTML content is\nassumed and the decoded content is directly shown without HTML-escaping\nanything. This can be used to encrypt self-contained HTML apps with\neverything inlined.\n\nDecoding uses browser based crypto. A derived password is generated\nusing 5 million rounds of PBKDF2. The secret file content is AES-GCM\nencrypted using this derived password.\n\n# What it can and can't do\n\n* The generated HTML can of course not detect if it was copied. So you\ncannot know if your file is in the hands of an attacker. Placing the\nfile on a secret https URL might make this a bit more unlikely but of\ncourse cannot prevent it.\n\n* If the browser or OS used to view the HTML file cannot be trusted, the\nencryption is useless as the plain password could be logged by a keylogger\nfor later decryption and the password might still be in memory somewhere.\nThis also includes rogue browser extensions with full DOM access. Once\nyou're done using the decrypted page, close its browser tab.\n\n* If the password it too weak, bruteforcing the content might still be\nviable. PBKDF2 somewhat helps and the large number of rounds was chosen\nto make bruteforcing more difficult.\n\n* A server-side attacker might modify the HTML and inject code that\nexfiltrates the entered password. This might be mitigated by inspecting\nthe HTML source code prior to entering the password. The generated\nHTML is reasonably small to make this easy.\n\n* There have been no reviews yet, but the source code should be (and stay!)\neasy to understand.\n\n# Status\n\nUnreviewed - use with caution. Feedback is welcome.\n\n# Requirements\n\n* Tested with a recent Chrome/Firefox version. Requires [SubtleCrypto](https://caniuse.com/#search=subtle) API.\n\n* Python2 or Python3 with [pycryptodome](https://www.pycryptodome.org/)\n\n# License\n\nBSD 2-clause\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdividuum%2Fhtml-vault","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdividuum%2Fhtml-vault","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdividuum%2Fhtml-vault/lists"}