ItalyPaleAle / hereditas

A static site generator for a fully trustless digital legacy box

Is this project still active? #46

Closed FoxxMD closed 1 year ago

FoxxMD commented 1 year ago

I love the idea of hereditas and I want to use it, but the readme still says it's in alpha and there haven't been any commits in about a year. Is the project still being developed?

ItalyPaleAle commented 1 year ago

It's not abandoned!

I just haven't had the time (or even need) to put any work into this. Which is good in a way - Hereditas is meant to be a low maintenance thing :)

Anything you're looking for in particular?

FoxxMD commented 1 year ago

Thanks for the fast reply!

My real question is: if I drop a hereditas app, in its current form, onto a publicly accessible DigitalOcean droplet, how confident can I be in the security of my data?

> We won't release a stable (e.g. "1.0") version of Hereditas until we're confident that enough people and cryptography experts have audited and improved the code.

Have there been audits? What kind of testing has been done? Are there current issues you think need to be addressed before I can sleep soundly having a hereditas box be publicly accessible?

ItalyPaleAle commented 1 year ago

I totally understand your concerns here and they're very valid. The best thing I can tell you is that out there on the Internet, there's a hereditas box with my own data too.

The point about requiring auditing is something I stand behind, but it's first and foremost there as a disclaimer (just like Hereditas' license having a "no warranty" disclaimer in there). A professional audit is quite expensive, and as Hereditas is a personal OSS project, I do not have the ability to fund that. Although I have a passion for cryptography (and have written a book about it!), I am not a cryptographer by training, just a software engineer, and I would welcome any offer to do an audit from community members who are expert cryptographers.

That said, there should be enough in hereditas as it is today that should allow you to sleep comfortably at night, or at least without worrying about Hereditas :) At the very least, data in Hereditas is enciphered with AES-GCM with a 256-bit key, which is highly secure and is allowed by NIST to encrypt data up to the "top secret" classification (and it should be "quantum safe" too). The likelihood of someone being able to decrypt your data, even if they managed to get the raw encrypted blobs, is zero. More likely attacks are those that try and target the encryption keys, and for that it's very important that you choose a secure passphrase. Hereditas uses Argon2 for stretching the passphrase, which is the state-of-the-art key derivation function. You can read the full security model here: https://hereditas.app/introduction/security-model.html

At this point, although I do have some ideas for how to improve Hereditas, they're all about tooling and do not have an impact on security. Biggest idea (for which I have zero time :) ) is to get rid of Webpack and use esbuild instead, and rewrite the CLI in Go so it's statically-compiled.

(PS: A droplet may be more than you need - Spaces is probably enough!)
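
The passphrase-to-AES-256-GCM flow described in the comment above, as an added example that is not Hereditas code and not part of the original thread. Assumptions: Node's built-in scrypt stands in for Argon2 so the block needs only `node:crypto`; the blob layout, function names and parameters are hypothetical.

```javascript
// Added example (not Hereditas code). scrypt is substituted for Argon2 here;
// blob layout (salt | iv | tag | ciphertext) is an assumption for illustration.
const crypto = require('node:crypto');

const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;

// Stretch the passphrase into a 256-bit key. The cost parameters make each
// guess expensive, but a weak passphrase still bounds the overall security.
function deriveKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// Encrypt and authenticate: fresh random salt and 96-bit IV for every blob.
function sealBox(passphrase, plaintext) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

// Decrypt; returns null when the GCM tag does not verify, which covers both
// a wrong passphrase and any modification of the stored blob.
function openBox(passphrase, blob) {
  if (blob.length < SALT_LEN + IV_LEN + TAG_LEN) return null;
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = blob.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  try {
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Constructed sample data: round trip, wrong passphrase, one flipped bit.
function demo() {
  const pass = 'correct horse battery staple';
  const blob = sealBox(pass, 'constructed sample secret');
  const tampered = Buffer.from(blob);
  tampered[tampered.length - 1] ^= 0x01;
  return {
    roundTrip: openBox(pass, blob),
    wrongPassphrase: openBox('not the passphrase', blob),
    tamperedBlob: openBox(pass, tampered),
  };
}
```

Because the blob on a public host is readable by anyone, the passphrase and the KDF cost are the only barrier to offline guessing, which is the point the comment makes about choosing a secure passphrase.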

FoxxMD commented 1 year ago

Appreciate the thorough response!