WebVault Pro is a self-hosted/on-prem, web-based password safe with multi-language and multi-user support, focused on enterprise usage. Password entries are stored AES-encrypted in a MySQL database, and the AES key is RSA-encrypted for every permitted user. Decryption only happens in the user's browser, providing true end-to-end encryption.
In contrast to conventional password safes, keys to the stored secrets are not encrypted with one static password, but with an individual per-user generated public/private key pair. This is done having enterprise usage in mind: employees should only have access to passwords they need as defined by group memberships, and not to the entire password safe. With this, there is no need to share a common master password which needs to be changed after one employee leaves the company.
LDAP authentication allows seamless integration into your company's environment. Access to the passwords can immediately be denied by disabling the LDAP user account. Besides using WebVault Pro as a private/personal password store, a flexible share function allows you to share passwords or entire password groups with specific co-workers or groups of users.
There is no database file which needs to be shared with all employees. Nobody except the administrator has access to the encrypted passwords. Attackers can't copy the user keys or encrypted passwords to run efficient brute force attacks against them.
Since encryption and decryption only happen on the client side, passwords remain safe even if the communication between server and client is intercepted.
The web app is independent of the client platform and it is not necessary to install or deploy any client software.
Server requirements: a Linux-based server (Debian recommended) with Apache 2, PHP 7.4+ and MySQL/MariaDB. An LDAP server is recommended, since this app is mainly intended for use with LDAP authentication.
Installation steps:

1. Install the required packages:

   ```
   apt install apache2 libapache2-mod-php php php-ldap composer
   ```

2. Set the `public` directory as the webserver root directory (if necessary, create a virtual host for this application on your webserver).
3. Make sure `AllowOverride All` is set for your application directory in your Apache configuration.
4. Run `composer install` inside the application root directory to install the dependencies.
5. Create the database and import the `sql/SCHEMA.sql` file:

   ```
   root@server:/# mysql
   mysql> CREATE DATABASE pwsafe DEFAULT CHARACTER SET utf8mb4;
   mysql> CREATE USER 'pwsafe'@'localhost' IDENTIFIED BY 'choose_your_own_password';
   mysql> GRANT ALL PRIVILEGES ON pwsafe.* TO 'pwsafe'@'localhost';
   mysql> FLUSH PRIVILEGES;
   mysql> EXIT;
   root@server:/# mysql -D pwsafe < sql/SCHEMA.sql
   ```

6. Create `config/settings.php` from `config/settings.php.example`, enter your MySQL connection credentials and LDAP connection parameters, and adjust other settings if you like. Read the comments in the example file for more information.
7. Run `php bin/ldapsync.php` and set up a cron job as described in the example config file.
8. Optionally, create a local account with `php bin/user.php create USERNAME DISPLAY_NAME PASSWORD`. Note that local accounts are only intended for testing or emergency purposes (you can add the local account to a user group of your top-level password folder so that every password gets encrypted to the local user too; this allows you to access passwords even if your LDAP server isn't working anymore).

Don't forget to back up your database regularly, e.g. by executing `mysqldump pwsafe > backup.sql` via crontab. Save the file on another, secure storage!

Further recommendations: use `fail2ban` to limit brute force attacks, and enable `unattended-upgrades`.

Client requirements: a Web Crypto API capable browser with JavaScript enabled.
Since the concept and database schema of WebVault Pro differs completely from v0.x ("WebPW"), there is no direct upgrade path. You need to manually export and re-import your passwords in the new version.
The user account doesn't have a keypair yet. Users need to log in once before passwords can be shared with them.
Do you need support or specific adjustments for your environment? You can hire me to extend this project to your needs. Please contact me if you are interested.
Found a bug? Great! Please report it (preferably with a ready-to-use fix as a pull request) on GitHub. Questions, ideas, feature requests or just (hopefully positive) feedback are also welcome.