README cosmetics

Daniele Lacamera 2023-06-10 10:41:48 +02:00
parent ff87415c1c
commit 11b1951b2a


@ -2,20 +2,28 @@
Motenpoche ([mot-ɑ̃-pɔʃ] - like in *"Mot en poche"*, French for "word in [your] pocket")
is a physical password vault to carry around your secrets securely. Once connected
to a PC and unlocked with a main passphrase and it will automatically paste
passwords selected from your collection.
to a PC and unlocked with a main passphrase it will paste passwords selected from
your collection by pressing a button.
Passwords can be provisioned with the help of a host-side command line tool that
can be run on a GNU/Linux PC.
can be run on a GNU/Linux PC, either one by one or importing from an existing
(software) vault.
## Status
This project is still in an early alpha phase and has not been properly tested yet.
Use at your own risk, no guarantee provided on loss of secret information, service
profiles, bank details or other relevant information. The author and the
contributors recommends not to use this software for any purpose rather than
security auditing, research and study, and they cannot be held responsible or any
damage of any kind resulting from any proper or improper use.
There are in particular, the following known security issues:
- No proper string boundary check
- No proper serial protocol hardening
- Incomplete password wiping from memory after use
Use at your own risk, no guarantee provided on loss of secret data, service
profiles, bank details or other relevant information that have been stored on the
device. The author and the contributors recommend not to use this software for any
purpose other than security auditing, research and study, and they cannot be held
responsible or any damage of any kind resulting from any proper or improper use.
## Software License
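Review bot: the rewritten disclaimer still carries the typo from the old text: "they cannot be held responsible or any damage of any kind" should read "responsible for any damage of any kind". While touching that paragraph, the sentence "There are in particular, the following known security issues:" has the comma in the wrong place; "In particular, there are the following known security issues:" reads better. The three known-issue bullets (no string boundary check, no serial protocol hardening, incomplete password wiping) are the most important lines of the README for a security-minded reader, so it would help to keep them directly under "## Status" rather than splitting them from the "Use at your own risk" paragraph, and to note whether each one is being tracked.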
@ -32,6 +40,8 @@ my password database if I want to access services when I'm abroad.
This system was created to have a temporary physical storage that can be carried
around (and lost, or forgotten on a public transportation...) with reduced risk.
More features may be available in the future based on user experience.
## Hardware design
The design is based on the rp2040 "Raspberry Pi Pico" board, with a few components
@ -61,7 +71,6 @@ software in this repository:
| GPIO26 | FUNC\_I2C | I2C Display SDA | none (automatic pull-up) |
| GPIO27 | FUNC\_I2C | I2C Display SCL | none (automatic pull-up) |
## How it works
The siple idea behind it is that the device does not carry any secret in plain
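Review bot: since this is a cosmetics commit, the context line "The siple idea behind it" should be fixed to "The simple idea behind it" in the same change.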
@ -70,11 +79,11 @@ unique keys created when the device is initialized.
The encryption key is symmetrical (ChaCha) and can be derived on board using the
main passphrase, which is entered through the rotary and the confirm button.
The signature key (Ecc256) is created during device initialization on the PC. The
key is used to sign the passwords to be added to the vault.
The signature key (ECC256) is created during device initialization on the PC that
holds it. The key is then used to sign the passwords to be added to the vault.
Passwords can be provisioned using the host tool, either manually or importing
them from a CSV file, previously exported from e.g. a software password manager
Passwords can be provisioned using the host tool, either one by one, or importing
from a CSV file previously exported from, e.g. a software password manager
or a web browser.
When the device is unlocked, selecting the service needed from the "Services" menu
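Review bot: "The encryption key is symmetrical (ChaCha)" should say "symmetric", and the README should state how that key is derived from the main passphrase (which KDF and parameters), because "can be derived on board using the main passphrase" leaves the reader unable to judge how resistant the vault is to passphrase guessing. Likewise "(ECC256)" is ambiguous; naming the actual curve and signature scheme would make the statement precise. Minor: "from, e.g. a software password manager" needs a second comma after "e.g.".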
@ -107,7 +116,7 @@ database. Uploading a single password may take a few seconds because the device
verifies that the source of the information is trusted.
### What does the PC see
### What does the PC see?
When you connect motenpoche to your PC, it will show up as three different
devices: