{"id":13932997,"url":"https://github.com/tyrchen/cellar","last_synced_at":"2025-04-10T05:42:13.740Z","repository":{"id":57545340,"uuid":"229639100","full_name":"tyrchen/cellar","owner":"tyrchen","description":"A password tool for user to derive a large amount of application passwords deterministically based on a passphrase. Cryptographically strong.","archived":false,"fork":false,"pushed_at":"2023-02-14T07:17:37.000Z","size":61,"stargazers_count":49,"open_issues_count":0,"forks_count":6,"subscribers_count":4,"default_branch":"master","last_synced_at":"2024-10-29T20:47:02.032Z","etag":null,"topics":["cryptography","password","security"],"latest_commit_sha":null,"homepage":null,"language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tyrchen.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-12-22T22:26:27.000Z","updated_at":"2024-05-08T11:40:15.000Z","dependencies_parsed_at":"2024-11-24T06:09:54.325Z","dependency_job_id":"11b6e824-e346-4dd6-9d33-092823eece29","html_url":"https://github.com/tyrchen/cellar","commit_stats":{"total_commits":42,"total_committers":1,"mean_commits":42.0,"dds":0.0,"last_synced_commit":"78abac742af10421333f4fb221d0d658c5d03ebb"},"previous_names":[],"tags_count":15,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tyrchen%2Fcellar","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tyrchen%2Fcellar/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tyrchen%2Fcellar/releases","
manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tyrchen%2Fcellar/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tyrchen","download_url":"https://codeload.github.com/tyrchen/cellar/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248166385,"owners_count":21058476,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","password","security"],"created_at":"2024-08-07T21:01:27.412Z","updated_at":"2025-04-10T05:42:13.713Z","avatar_url":"https://github.com/tyrchen.png","language":"Rust","funding_links":[],"categories":["Rust"],"sub_categories":[],"readme":"# Cellar\n\n![Build Action](https://github.com/tyrchen/cellar/workflows/build/badge.svg) ![Release Action](https://github.com/tyrchen/cellar/workflows/release/badge.svg) ![Docs](https://docs.rs/cellar-core/badge.svg) ![crates.io](https://img.shields.io/crates/v/cellar-core.svg)\n\nCellar is a simple password generation / retrieval tool inspired by [Technology Preview for secure value recovery](https://signal.org/blog/secure-value-recovery/). 
The main algorithm is (slightly tweaked from the original):\n\n```bash\nsalt            = Secure-Random(output_length=32)\nstretched_key   = Argon2(passphrase=user_passphrase, salt=salt)\n\nauth_key        = HMAC-BLAKE2s(key=stretched_key, \"Auth Key\")\nc1              = HMAC-BLAKE2s(key=stretched_key, \"Master Key\")\nc2              = Secure-Random(output_length=32)\nencrypted_c2    = ChaCha20(c2, key=auth_key, nonce=salt[0..CHACHA20_NONCE_LENGTH])\n\nmaster_key      = HMAC-BLAKE2s(key=c1, c2)\napplication_key = HMAC-BLAKE2s(key=master_key, \"app info, e.g. yourname@gmail.com\")\n```\n\nThe main purpose of cellar is to allow people to remember just a single password and, by using the above algorithm, create as many cryptographically strong application passwords as they need. A user just needs to store the randomly generated salt and encrypted_c2 on local disk and in the cloud, so that when she wants to generate or retrieve an application password, she can use her passphrase, plus the salt and encrypted_c2, to recover the master key and then derive the application password. As long as the user keeps the passphrase secret in her mind, all the application passwords are secure. Even if the salt and encrypted_c2 are leaked, a hacker still needs to brute force the master key.\n\nBy using Cellar, you don't need to trust the cloud provider to store your passwords, and you don't need to bother to remember a large number of passwords for different sites / applications.\n\nCellar is an MVP at the moment. 
Some future items:\n\n* [x] support hierarchical keys\n* [x] zeroize keys for security purposes\n* [ ] generate password by a set of rules (min / max / character set)\n* [ ] record the app_info and the rule it uses in an encrypted file\n* [ ] provide a WebUI to make it easy to use\n\n## Usage\n\n### cellar init\n\nInitialize a cellar (default: `$HOME/.cellar/default.toml`)\n\n```bash\n$ cellar init\nCreating cellar \"$HOME/.cellar/default.toml\"\nPassword: [hidden]\nYour cellar \"$HOME/.cellar/default.toml\" is created! Feel free to use `cellar generate` to create or display your application password.\n```\n\nAfter initialization, a `~/.cellar/default.toml` file is generated. This file stores the random salt and the encrypted random seed like this:\n\n```bash\n$ cat ~/.cellar/default.toml\nsalt = \"C6TQW8joYp2XoIkvaCNfo0ihJ3OacxlTbx68_oW8pF4\"\nencrypted_seed = \"bHn5Lu3yX0g68rRJ4lTOwAvx_uMDFaBnZ_WMkJSU8TM\"\n```\n\nNote that even if you regenerate the cellar with the same password, you will get a very different master key and derived application keys. 
So make sure you back up this file into your private cloud.\n\n### cellar generate\n\nGenerate an application password:\n\n```bash\n$ cellar generate --app-info \"user@gmail.com\"\nPassword: [hidden]\nPassword for user@gmail.com: FLugCDPDQ5NP_Nb0whUMwY2YD3wMWqoGcoywqqZ_JSU\n```\n\nGenerate hierarchical keys:\n\n```bash\n# generate parent key\n$ cellar generate -i \"apps\"\nPassword: [hidden]\nKey for apps: 6CAakhEv_L2purgTfUasrvA9qgRZrQGdETDohSbBvNI\n\n# generate app key by using parent key\n$ cellar generate -i \"my/awesome/app\" --use-parent-key\nParent Key: [hidden]\nKey for my/awesome/app: ZFqgQZK4Sx4GgwLn9D-qmhYE5gw0QbUSl4I8HaTseZs\n\n# this is the same as generating the whole hierarchical key with the master password\n$ cellar generate -i \"apps/my/awesome/app\"\nPassword: [hidden]\nKey for apps/my/awesome/app: ZFqgQZK4Sx4GgwLn9D-qmhYE5gw0QbUSl4I8HaTseZs\n```\n\n## Benchmark\n\nTo run the benchmark for cellar, use `make bench_cellar`. Argon2 makes the generation of the stretched key slow on purpose, so the default sample size would make the benchmark unbearably slow. Generating an application password takes around 18ms on my 2017 MBP.\n\n```bash\n$ make bench_cellar\ncargo bench --bench bench_cellar --  --sample-size 10\n   Compiling cellar-core v0.1.0 (/Users/tchen/projects/mycode/cellar/cellar-core)\n    Finished bench [optimized] target(s) in 3.92s\n     Running /Users/tchen/.target/release/deps/bench_cellar-f87c142f98bb458c\napp key                 time:   [17.812 ms 17.970 ms 18.161 ms]\n                        change: [-1.8875% -0.3966% +1.2260%] (p = 0.65 \u003e 0.05)\n                        No change in performance detected.\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftyrchen%2Fcellar","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftyrchen%2Fcellar","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftyrchen%2Fcellar/lists"}