{"id":38539272,"url":"https://github.com/ogarcia/rockpass","last_synced_at":"2026-01-22T10:01:46.876Z","repository":{"id":46405329,"uuid":"361738065","full_name":"ogarcia/rockpass","owner":"ogarcia","description":"[MIRROR] A small and ultrasecure Lesspass database server written in Rust","archived":false,"fork":false,"pushed_at":"2026-01-12T06:07:16.000Z","size":271,"stargazers_count":16,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"master","last_synced_at":"2026-01-12T16:11:24.260Z","etag":null,"topics":["lesspass","rockpass","rust","secure","server","sqlite","tiny"],"latest_commit_sha":null,"homepage":"https://gitlab.com/ogarcia/rockpass","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ogarcia.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"ogarcia"}},"created_at":"2021-04-26T12:15:23.000Z","updated_at":"2025-11-07T10:43:05.000Z","dependencies_parsed_at":"2023-02-17T18:10:17.002Z","dependency_job_id":"83dd5392-4370-4515-bf7f-0c33d99cd857","html_url":"https://github.com/ogarcia/rockpass","commit_stats":null,"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"purl":"pkg:github/ogarcia/rockpass","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ogarcia%2Frockpass","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ogarcia%2Frockpass/tags","releases_url":"https://repos.ecosyste.ms/api/v
1/hosts/GitHub/repositories/ogarcia%2Frockpass/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ogarcia%2Frockpass/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ogarcia","download_url":"https://codeload.github.com/ogarcia/rockpass/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ogarcia%2Frockpass/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28661008,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-22T01:17:37.254Z","status":"online","status_checked_at":"2026-01-22T02:00:07.137Z","response_time":144,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["lesspass","rockpass","rust","secure","server","sqlite","tiny"],"created_at":"2026-01-17T07:07:20.708Z","updated_at":"2026-01-22T10:01:46.858Z","avatar_url":"https://github.com/ogarcia.png","language":"Rust","funding_links":["https://github.com/sponsors/ogarcia"],"categories":[],"sub_categories":[],"readme":"# Rockpass\n\nA small and ultrasecure [LessPass][lesspass] database server written in\n[Rust][rust].\n\n[rust]: https://www.rust-lang.org/\n\n## Installation\n\n### From binary\n\nSimply download latest release from [releases page][releases]. 
You can use\n[systemd unit][unit] from [Arch Linux package][package] to run it.\n```shell\ntar xf rockpass-X.X.X-ARCH.tar.xz\nsudo install -m755 rockpass-X.X.X-ARCH/rockpass /usr/bin/rockpass\nsudo install -m644 rockpass-X.X.X-ARCH/rockpass/rockpass.toml.example \\\n  /etc/rockpass.toml\nsudo vim /etc/rockpass.toml # Configure Rockpass as you like\nsudo curl 'https://aur.archlinux.org/cgit/aur.git/plain/rockpass.service?h=rockpass' \\\n  -o /etc/systemd/system/rockpass.service\nsudo systemctl start rockpass\nsudo systemctl enable rockpass\n```\n\nWarning: The only binaries provided are for `linux-amd64` and `linux-arm64`,\nif you need to run Rockpass on another architecture (like a Raspberry Pi\n32bit) you must compile it, see how to do it in the [from source\nsection](#from-source).\n\nNote that the systemd unit uses a dynamic user that has a persistent\ndirectory in `/var/lib/rockpass/` so it is recommended that the SQLite DB be\nstored in this directory (see _production sample_ section in\n`rockpass.toml.example`).\n\nIf everything worked correctly you should have a new clean database in\n`/var/lib/rockpass/rockpass.sqlite`. 
Go to the [usage section](#usage) to\nlearn how to create your first user.\n\n[releases]: https://gitlab.com/ogarcia/rockpass/-/releases\n[unit]: https://aur.archlinux.org/cgit/aur.git/tree/rockpass.service?h=rockpass\n[package]: https://aur.archlinux.org/packages/rockpass\n\n### With Docker\n\nYou can download a Rockpass Docker image from [here][glcr], from [Docker\nHub][hub] or from [Quay][quay] (only `linux-amd64`).\n\nTo run it, simply execute the following.\n```\ndocker run -t -d \\\n  --name=rockpass \\\n  -p 8000:8000 \\\n  ogarcia/rockpass\n```\n\nThis starts Rockpass and publishes the port to the host.\n\nWarning: this is a basic run, all data will be destroyed once the container\nis stopped and removed.\n\n[glcr]: https://gitlab.com/ogarcia/rockpass/container_registry\n[hub]: https://hub.docker.com/r/ogarcia/rockpass\n[quay]: https://quay.io/repository/ogarcia/rockpass\n\n#### Persist data using a Docker volume\n\nThe Rockpass Docker image uses a volume `/var/lib/rockpass` to store the SQLite\ndatabase. You can execute the following to mount it in your host as persistent\nstorage.\n```\ndocker run -t -d \\\n  --name=rockpass \\\n  -p 8000:8000 \\\n  -v /my/rockpass:/var/lib/rockpass \\\n  ogarcia/rockpass\n```\n\nNote that you must first create the directory `/my/rockpass` and set\nits ownership to UID/GID 100.\n```\nmkdir -p /my/rockpass\nchown -R 100:100 /my/rockpass\n```\n\n#### Docker environment variables\n\n| Variable | Used for | Default value |\n| --- | --- | --- |\n| `ROCKPASS_DATABASES` | Database location | {rockpass={url=\"/var/lib/rockpass/rockpass.sqlite\"}} |\n| `ROCKPASS_ADDRESS` | Listen address | 0.0.0.0 |\n| `ROCKPASS_PORT` | Listen port | 8000 |\n| `ROCKPASS_REGISTRATION_ENABLED` | Enable or disable the ability to register new users | true |\n| `ROCKPASS_ACCESS_TOKEN_LIFETIME` | Time, in seconds, that the access token is valid | 3600 (1 hour) |\n| `ROCKPASS_REFRESH_TOKEN_LIFETIME` | Time, in seconds, that the refresh token is valid | 2592000 (30 days) |\n| `ROCKPASS_LOG_LEVEL` | 
Log level | critical |\n\n### From source\n\n#### Installing Rust\n\nThe Rockpass build has been tested with the current Rust stable release. You\ncan install Rust from your distribution package or use [`rustup`][rustup].\n```\nrustup default stable\n```\n\nIf you prefer, you can use the stable version only for installing Rockpass (you\nmust clone the repository first).\n```\nrustup override set stable\n```\n\n[rustup]: https://rustup.rs/\n\n#### Installing dependencies\n\nApart from Rust, to build Rockpass you will need `sqlite3` (usually the\n`-dev` package) and the compiler tools. For example, in Debian.\n```shell\napt install build-essential libsqlite3-dev\n```\n\nThese packages may vary depending on the Linux distribution you use; consult\nyour distribution's manual for more information.\n\n#### Building Rockpass\n\nTo build the Rockpass binary simply execute the following commands.\n```shell\ngit clone https://gitlab.com/ogarcia/rockpass.git\ncd rockpass\ncargo build --release\n```\n\nAfter the build, the binary is located in `target/release/rockpass`.\n\n## Configuration\n\nBecause Rockpass uses [Rocket][rocket], certain configuration parameters are\ncompatible between the two. You can look at the [Rocket configuration\ndocumentation][rcdoc] to see what the basic parameters are. 
In any case,\na fully commented `rockpass.toml.example` is provided and the most important\nparameters are detailed below.\n\n| Setting | Use | Default value |\n| --- | --- | --- |\n| `address` | Listen address | 127.0.0.1 |\n| `port` | Listen port | 8000 |\n| `registration_enabled` | Enable or disable the ability to register new users | true |\n| `access_token_lifetime` | Time, in seconds, that the access token is valid | 3600 (1 hour) |\n| `refresh_token_lifetime` | Time, in seconds, that the refresh token is valid | 2592000 (30 days) |\n| `databases` | SQLite database location (see below) | {rockpass={url=\":memory:\"}} |\n\nThe database configuration can be written in three ways.\n\nOption One.\n```toml\ndatabases = { rockpass = { url = \"/location/of/rockpass.sqlite\" } }\n```\n\nOption Two.\n```toml\n[release.databases]\nrockpass = { url = \"/location/of/rockpass.sqlite\" }\n```\n\nOption Three.\n```toml\n[release.databases.rockpass]\nurl = \"/location/of/rockpass.sqlite\"\n```\n\nIf you don't want to use a config file you can use environment variables. For\nexample, to disable registration and listen on port 8080.\n```shell\nexport ROCKPASS_PORT=8080\nexport ROCKPASS_REGISTRATION_ENABLED=false\nexport ROCKPASS_DATABASES='{ rockpass = { url = \"/location/of/rockpass.sqlite\" } }'\nrockpass\n```\n\nYou can run Rockpass without any configuration. 
By default it creates an\nin-memory DB that is deleted once the process stops, this is useful for\ntesting purposes.\n```\nrockpass\n```\n\nThe latter is exactly the same as running Rockpass by setting the `url` key\nto `:memory:`.\n```\nROCKPASS_DATABASES='{rockpass = { url = \":memory:\" }}' rockpass\n```\n\n[rocket]: https://rocket.rs\n[rcdoc]: https://rocket.rs/v0.5-rc/guide/configuration/#configuration\n\n## Secure it\n\nYou can use Rockpass directly on a local network, but if you want to expose\nit to the Internet it is best to set up some kind of http server in front of\nit (remember to configure it to listen only to localhost).\n\n### With nginx\n\n```nginx\nserver {\n  listen 443 ssl http2;\n  listen [::]:443 ssl http2;\n\n  server_name rockpass.example.com;\n\n  access_log /var/log/nginx/rockpass.access.log;\n  error_log  /var/log/nginx/rockpass.error.log;\n\n  ssl_certificate           /etc/letsencrypt/live/rockpass.example.com/fullchain.pem;\n  ssl_certificate_key       /etc/letsencrypt/live/rockpass.example.com/privkey.pem;\n  ssl_trusted_certificate   /etc/letsencrypt/live/rockpass.example.com/chain.pem;\n  ssl_session_timeout       1d;\n  ssl_session_cache         shared:MozSSL:10m;\n  ssl_session_tickets       off;\n  ssl_protocols             TLSv1.3;\n  ssl_prefer_server_ciphers off;\n  ssl_stapling              on;\n  ssl_stapling_verify       on;\n\n  root /srv/http/pass/htdocs;\n\n  # Only exposes Rockpass on the endpoints it can handle\n  location ~ (/auth/|/passwords/) {\n    proxy_set_header Host              $http_host;\n    proxy_max_temp_file_size           0;\n    proxy_read_timeout                 1800s;\n    proxy_send_timeout                 1800s;\n    proxy_pass                         http://127.0.0.1:8000;\n    proxy_redirect                     http:// https://;\n  }\n}\n```\n\nYou must create an empty `index.html` file in `/srv/http/pass/htdocs` so\nthat when someone accesses `rockpass.example.com` they simply get a 
blank\npage.\n\nIf you want to increase security you can introduce some kind of random\nstring in the exposed endpoints as detailed in the following example.\n```nginx\n# Expose Rockpass under very difficult URL\nlocation ~ (/somerandomstring/auth/|/somerandomstring/passwords/) {\n  rewrite  ^/somerandomstring/(.*) /$1 break;\n  proxy_set_header Host              $http_host;\n  proxy_max_temp_file_size           0;\n  proxy_read_timeout                 1800s;\n  proxy_send_timeout                 1800s;\n  proxy_pass                         http://127.0.0.1:8000;\n  proxy_redirect                     http:// https://;\n}\n```\n\nNow in the clients you must configure the server address as\n`https://rockpass.example.com/somerandomstring/`. This way it will be very\ndifficult for an external attacker to locate where you have Rockpass\nlistening.\n\n### With lighttpd\n\n```lighttpd\n$HTTP[\"url\"] =~ \"^/rockpass\" {\n  proxy.server = ( \"\" =\u003e ( ( \"host\" =\u003e \"127.0.0.1\", \"port\" =\u003e \"8000\" )))\n  proxy.header = ( \"map-urlpath\" =\u003e ( \"/rockpass\" =\u003e \"\"))\n}\n```\n\nIn this case Rockpass will be listening at\n`https://rockpass.example.com/rockpass/`. If you change `rockpass` to some\nkind of random string you will increase the security.\n\n## Usage\n\nRockpass is an API server for LessPass so it does not expose any interface.\nYou can use any of the [existing LessPass applications][lpapps] (plugins,\nmobile...) to connect against the server or my own\n[lesspass-client][lesspass-client] command line client implementation.\n\n### Example of use with lesspass-client\n\nLet's see an example of use with `lesspass-client`. First we start\n`rockpass` without options or configuration to work directly in memory (it\nis an example). When we feel comfortable we can start Rockpass with its\nfinal configuration.\n```\nrockpass\n```\n\nThe first thing we need to be able to connect is to create a user. 
For this\nuser to be compatible with the official LessPass applications we must\nencrypt their password as LessPass does. We can do this with the\nlesspass-client itself as follows.\n```shell\n$ lesspass-client -m Login_Password password build lesspass.com login@mail.com\n|O}'bU/sW*7Dfw-\u003e\n```\n\nWhat we have done is encrypt a password `Login_Password` for the user\n`login@mail.com`, this has resulted in the encrypted password\n`|O}'bU/sW*7Dfw-\u003e` which is the one we must use to create the user.\n\nWe now create the user as follows.\n```shell\n$ lesspass-client \\\n  -s http://127.0.0.1:8000 \\\n  user create \"login@mail.com\" \"|O}'bU/sW*7Dfw-\u003e\"\nNew user created successfully\n```\n\nFrom here we can connect against the API either with the client applications\nor with the lesspass-client itself. If we do it with any of the client\napplications (for example the [Firefox plugin][ffplugin]), we will use as\nusername `login@mail.com` and password `Login_Password` since the client\napplication itself will be responsible for encrypting it. 
If, on the other\nhand, we do it with lesspass-client, the username will be the same but we\nmust use the encrypted password as detailed below.\n```shell\n# Add a new password profile\n$ lesspass-client \\\n  -s http://127.0.0.1:8000 \\\n  -u \"login@mail.com\" \\\n  -p \"|O}'bU/sW*7Dfw-\u003e\" \\\n  password add example.com login@mail.com\nNew password created successfully\n\n# List profiles stored on the server\n$ lesspass-client \\\n  -s http://127.0.0.1:8000 \\\n  -u \"login@mail.com\" \\\n  -p \"|O}'bU/sW*7Dfw-\u003e\" \\\n  password list\nexample.com\n\n# Show a profile\n$ lesspass-client \\\n  -s http://127.0.0.1:8000 \\\n  -u \"login@mail.com\" \\\n  -p \"|O}'bU/sW*7Dfw-\u003e\" \\\n  password show example.com\nID: 1\nSite: example.com\nLogin: login@mail.com\nLowercase: true\nUppercase: true\nSymbols: true\nDigits: true\nLength: 16\nCouter: 1\n\n# Encrypt a new password using a master password and the created profile\n# Option One (Master password as environment variable)\n$ export LESSPASS_MASTERPASS=\"very difficult master password\"\n$ lesspass-client \\\n  -s http://127.0.0.1:8000 \\\n  -u \"login@mail.com\" \\\n  -p \"|O}'bU/sW*7Dfw-\u003e\" \\\n  password show -p example.com\nX?%x0O=yn\u0026n4cWGU\n# Option Two (Master password as argument)\n$ lesspass-client \\\n  -s http://127.0.0.1:8000 \\\n  -u \"login@mail.com\" \\\n  -p \"|O}'bU/sW*7Dfw-\u003e\" \\\n  -m \"very difficult master password as argument\" \\\n  password show -p example.com\n:~xd`ZtYvS1/8I2+\n# The passwords are different in each example because we have changed the\n# master password.\n```\n\nAll of the above is just an example, lesspass-client is a complete client so\nit is possible to perform multiple operations on the LessPass API. See the\ncommand help for more information.\n\n### Migrate data with lesspass-client\n\nIf you want to migrate an account from any LessPass server to Rockpass you\ncan use `lesspass-client`. 
You will need to encrypt the passwords to be able\nto export and import the data, see the example above to know how to do it.\n\nFirst we export the profiles to `profiles.json`.\n```shell\n$ lesspass-client -s https://api.lesspass.example.com \\\n  -u LOGIN_EMAIL \\\n  -p ENCRYPTED_LOGIN_PASSWORD \\\n  password export profiles.json\n```\n\nThen we import them.\n```shell\n$ lesspass-client -s http://127.0.0.1:8000 \\\n  -u LOGIN_EMAIL \\\n  -p ENCRYPTED_LOGIN_PASSWORD \\\n  password import profiles.json\n```\n\nYou can do this operation in memory without using a file as follows.\n```\n$ lesspass-client -s https://api.lesspass.example.com \\\n  -u LOGIN_EMAIL \\\n  -p ENCRYPTED_LOGIN_PASSWORD \\\n  password export - | \\\n  lesspass-client -s http://127.0.0.1:8000 \\\n  -u LOGIN_EMAIL \\\n  -p ENCRYPTED_LOGIN_PASSWORD \\\n  password import -\n```\n\nNote that when importing data it is not overwritten so if you import the\nsame JSON twice you will have repeated entries.\n\n[lpapps]: https://www.lesspass.com/#supported-platforms\n[ffplugin]: https://addons.mozilla.org/en-US/firefox/addon/lesspass/\n\n## Known limitations\n\n### Password reset\n\nWith the premise in mind of keeping the code simple (remember that it is for\npersonal use so KISS), Rockpass has not implemented any password reset API.\nHowever, if any user does not remember their password, you can reset it by\nfollowing the procedure below.\n\n#### Encrypt your password\n\nLessPass encrypts the passwords in the client before sending them, so we\nmust perform the same procedure since for each user the encrypted password\nis different. My advice is to use a temporary easy password (in my examples\nI will use `123456`) and then the user will change it to something more\nsecure.\n\nTo encrypt the password we can use [LessPass][lesspass] itself or my\n[lesspass-client][lesspass-client]. The parameters to use are the following.\n\n- Site: `lesspass.com`\n- Login: The email address you use to authenticate. 
I will use\n  `rockpass@example.com` in this example.\n- Master password: The new password you want to use. In my case as I said\n  before `123456`.\n- Options: Default. This means all options checked, size 16 and counter 1.\n\nIf we want to encrypt the password with lesspass-client the command would\nbe.\n```sh\n$ lesspass-client -m 123456 password build lesspass.com rockpass@example.com\n-!?}5Nx9E\\%svt07\n```\n\nRegardless of how we encrypt the password the result is that our encrypted\npassword is `-!?}5Nx9E\\%svt07`. Obviously this is only valid if the user\nname is `rockpass@example.com`, if you use another user name it will\ngenerate a different encrypted password.\n\n#### Encrypt your password (again)\n\nEven if the password is encrypted by the client, Rockpass encrypts it again\nwith Bcrypt hash, this is because in the client options you can select that\nthe password is not encrypted and to increase security.\n\nTo encrypt the password with [Bcrypt][bcrypt] the easiest way is to use\na _web application_ that does it, for example [Bcrypt-Generator][bg] or\n[Bcrypt-Online][bo]. When encrypting with Bcrypt you have to set a cost\nfactor, Rockpass uses a factor of 10, but it is OK to use a different\nfactor.\n\nNote that each time you encrypt with Bcrypt a new string is generated, this\nis normal since Bcrypt generates a different _salt_ each time. In my case\nthe password generated from `-!?}5Nx9E\\%svt07` is\n`$2y$10$EYeEDnNN/dIQOkJtU9VQAe2fGXhncHbsdZnTdmrs6JMaceKqLg.X6`.\n\n[bcrypt]: https://en.wikipedia.org/wiki/Bcrypt\n[bg]: https://bcrypt-generator.com/\n[bo]: https://bcrypt.online/\n\n#### Update the password in the database\n\n1. _Connect_ to database.\n   ```sh\n   sqlite3 /location/of/rockpass.sqlite\n   ```\n2. 
Update password to the value `123456` for the user `rockpass@example.com`.\n   ```sql\n   UPDATE users SET\n    password='$2y$10$EYeEDnNN/dIQOkJtU9VQAe2fGXhncHbsdZnTdmrs6JMaceKqLg.X6'\n    WHERE email = 'rockpass@example.com';\n   ```\n\nNow it would be possible to authenticate with the user\n`rockpass@example.com` with the password `123456` and modify it with the\napplication. Don't forget to do it!\n\n### Delete a user\n\nUsers can delete their own accounts using any of the mobile or\n[lesspass-client][lesspass-client] applications (browser extensions do not\nhave this option). You can still delete any user with the `sqlite` command.\nFor example, to delete user _user@example.com_ and all of their password\nsettings.\n\n1. _Connect_ to database.\n   ```sh\n   sqlite3 /location/of/rockpass.sqlite\n   ```\n2. Delete user.\n   ```sql\n   PRAGMA foreign_keys = ON;\n   DELETE FROM users WHERE email = 'user@example.com';\n   ```\n\n[lesspass]: https://lesspass.com/\n[lesspass-client]: https://gitlab.com/ogarcia/lesspass-client\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fogarcia%2Frockpass","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fogarcia%2Frockpass","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fogarcia%2Frockpass/lists"}