Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 16 additions & 10 deletions .github/workflows/vetkeys-password-manager.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@ on:
- master
pull_request:
paths:
- motoko/vetkeys/password_manager/**
- rust/vetkeys/password_manager/**
- .github/workflows/vetkeys-password-manager.yml

Expand All @@ -14,23 +15,28 @@ concurrency:
cancel-in-progress: true

jobs:
rust:
motoko:
runs-on: ubuntu-24.04
container: ghcr.io/dfinity/icp-dev-env-rust:1.0.1
container: ghcr.io/dfinity/icp-dev-env-motoko:1.0.1
env:
ICP_CLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Deploy Password Manager Rust
working-directory: rust/vetkeys/password_manager/rust
run: icp network start -d && icp deploy
motoko:
- name: Deploy
working-directory: motoko/vetkeys/password_manager
run: |
icp network start -d
icp deploy

rust:
runs-on: ubuntu-24.04
container: ghcr.io/dfinity/icp-dev-env-motoko:1.0.1
container: ghcr.io/dfinity/icp-dev-env-rust:1.0.1
env:
ICP_CLI_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Deploy Password Manager Motoko
working-directory: rust/vetkeys/password_manager/motoko
run: icp network start -d && icp deploy
- name: Deploy
working-directory: rust/vetkeys/password_manager
run: |
icp network start -d
icp deploy
Comment thread
marc0olo marked this conversation as resolved.
75 changes: 75 additions & 0 deletions motoko/vetkeys/password_manager/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
# VetKey Password Manager (Motoko)

[View this sample's code on GitHub](https://github.com/dfinity/examples/tree/master/motoko/vetkeys/password_manager)

Also available in: [Rust](../../../rust/vetkeys/password_manager)

The **VetKey Password Manager** is an example application demonstrating how to use **VetKeys** and **Encrypted Maps** to build a secure, decentralized password manager on the **Internet Computer (IC)**. This application allows users to create password vaults, store encrypted passwords, and share vaults with other users via their **Internet Identity Principal**.

## Features

- **Secure Password Storage**: Uses VetKey to encrypt passwords before storing them in Encrypted Maps.
- **Vault-Based Organization**: Users can create multiple vaults, each containing multiple passwords.
- **Access Control**: Vaults can be shared with other users via their **Internet Identity Principal**.

## Build and deploy from the command line

### Prerequisites

- Install [Node.js](https://nodejs.org/en/download/)
- Install [icp-cli](https://cli.internetcomputer.org): `npm install -g @icp-sdk/icp-cli @icp-sdk/ic-wasm`
- Install [ic-mops](https://mops.one): `npm install -g ic-mops`

### (Optionally) choose a different master key

This example uses `test_key_1` by default. To use a different [available master key](https://docs.internetcomputer.org/concepts/vetkeys/#api-overview), change the `init_args` value in `icp.yaml` before deploying.

### Install

```bash
git clone https://github.com/dfinity/examples
cd examples/motoko/vetkeys/password_manager
```

### Deploy

```bash
icp network start -d
icp deploy
```

Open the frontend URL printed by `icp deploy`.

To run the frontend in development mode with hot reloading (after `icp deploy`):

```bash
npm run dev
```

When done, stop the local network to free up the port for other projects:

```bash
icp network stop
```

## Example components

### Backend (`backend/`)

An **Encrypted Maps**-enabled Motoko canister that securely stores passwords.

> **Note on naming.** The backend methods are snake_case (rather than the usual Motoko camelCase) because the `@icp-sdk/vetkeys` Encrypted Maps client calls the canister by these exact names — renaming them would break the frontend. The delegation methods are hand-written for now; an upstream Motoko actor mixin that generates this endpoint set automatically is in progress ([dfinity/vetkeys#405](https://github.com/dfinity/vetkeys/pull/405)).
### Frontend (`frontend/`)

A **Svelte** application providing a user-friendly interface for managing vaults and passwords. It talks to the backend through the `@icp-sdk/vetkeys` Encrypted Maps client.

## Limitations

This example app does not implement key rotation, which is strongly recommended in a production environment. Key rotation involves periodically changing encryption keys and re-encrypting data to enhance security. In a production app, key rotation would be useful to limit the impact of a potential key compromise, or to limit access when users are added to or removed from sharing.

## Additional resources

- **[Password Manager with Metadata](../../../rust/vetkeys/password_manager_with_metadata)** — if you need to store additional metadata alongside passwords.
- **[What are VetKeys](https://docs.internetcomputer.org/concepts/vetkeys)** — more information about VetKeys and VetKD.
- [Security best practices](https://docs.internetcomputer.org/guides/security/overview/)
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,15 @@ import Blob "mo:core/Blob";
import Result "mo:core/Result";
import Array "mo:core/Array";

persistent actor class (keyName : Text) {
let encryptedMapsState = IcVetkeys.EncryptedMaps.newEncryptedMapsState<Types.AccessRights>({ curve = #bls12_381_g2; name = keyName }, "password_manager_example_dapp");
// This canister exposes the Encrypted Maps interface. Its public methods are
// intentionally snake_case (not the usual Motoko camelCase) because the
// `@icp-sdk/vetkeys` Encrypted Maps client calls the canister by these exact
// names — renaming them to camelCase would break the frontend. The delegation
// methods below are hand-written today; an upstream Motoko actor mixin that
// generates this endpoint set automatically is in progress
// (https://github.com/dfinity/vetkeys/pull/405).
actor class (keyName : Text) {
let encryptedMapsState = IcVetkeys.EncryptedMaps.newEncryptedMapsState<Types.AccessRights>({ curve = #bls12_381_g2; name = keyName }, "password_manager_example_app");
transient let encryptedMaps = IcVetkeys.EncryptedMaps.EncryptedMaps<Types.AccessRights>(encryptedMapsState, Types.accessRightsOperations());

/// In this canister, we use the `ByteBuf` type to represent blobs. The reason is that we want to be consistent with the Rust canister implementation.
Expand Down
98 changes: 98 additions & 0 deletions motoko/vetkeys/password_manager/backend/backend.did
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
type _anon_class_9_1 =
service {
get_accessible_shared_map_names: () ->
(vec record {
principal;
ByteBuf;
}) query;
get_all_accessible_encrypted_maps: () -> (vec EncryptedMapData) query;
get_all_accessible_encrypted_values: () ->
(vec record {
record {
principal;
ByteBuf;
};
vec record {
ByteBuf;
ByteBuf;
};
}) query;
get_encrypted_value: (map_owner: principal, map_name: ByteBuf, map_key:
ByteBuf) -> (Result_2) query;
get_encrypted_values_for_map: (map_owner: principal, map_name: ByteBuf) ->
(Result_5) query;
get_encrypted_vetkey: (map_owner: principal, map_name: ByteBuf,
transport_key: ByteBuf) -> (Result_4);
get_owned_non_empty_map_names: () -> (vec ByteBuf) query;
get_shared_user_access_for_map: (map_owner: principal, map_name:
ByteBuf) -> (Result_3) query;
get_user_rights: (map_owner: principal, map_name: ByteBuf, user:
principal) -> (Result) query;
get_vetkey_verification_key: () -> (ByteBuf);
insert_encrypted_value: (map_owner: principal, map_name: ByteBuf, map_key:
ByteBuf, value: ByteBuf) -> (Result_2);
remove_encrypted_value: (map_owner: principal, map_name: ByteBuf, map_key:
ByteBuf) -> (Result_2);
remove_map_values: (map_owner: principal, map_name: ByteBuf) -> (Result_1);
remove_user: (map_owner: principal, map_name: ByteBuf, user: principal) ->
(Result);
set_user_rights: (map_owner: principal, map_name: ByteBuf, user:
principal, access_rights: AccessRights) -> (Result);
};
type Result_5 =
variant {
Err: text;
Ok: vec record {
ByteBuf;
ByteBuf;
};
};
type Result_4 =
variant {
Err: text;
Ok: ByteBuf;
};
type Result_3 =
variant {
Err: text;
Ok: vec record {
principal;
AccessRights;
};
};
type Result_2 =
variant {
Err: text;
Ok: opt ByteBuf;
};
type Result_1 =
variant {
Err: text;
Ok: vec ByteBuf;
};
type Result =
variant {
Err: text;
Ok: opt AccessRights;
};
type EncryptedMapData =
record {
access_control: vec record {
principal;
AccessRights;
};
keyvals: vec record {
ByteBuf;
ByteBuf;
};
map_name: ByteBuf;
map_owner: principal;
};
type ByteBuf = record {inner: blob;};
type AccessRights =
variant {
Read;
ReadWrite;
ReadWriteManage;
};
service : (keyName: text) -> _anon_class_9_1
2 changes: 2 additions & 0 deletions motoko/vetkeys/password_manager/frontend/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
node_modules/
dist/
14 changes: 14 additions & 0 deletions motoko/vetkeys/password_manager/frontend/index.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<link rel="icon" type="image/svg+xml" href="/vite.svg" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>VetKeys Password Manager</title>
</head>
<body>
<div id="app"></div>
<script type="module" src="/src/main.ts"></script>
<link rel="stylesheet" href="./bundle.css" />
</body>
</html>
35 changes: 35 additions & 0 deletions motoko/vetkeys/password_manager/frontend/package.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
{
"name": "frontend",
"private": true,
"type": "module",
"scripts": {
"prebuild": "npm i --include=dev",
"dev": "vite",
"build": "vite build",
"preview": "vite preview"
},
"devDependencies": {
"@rollup/plugin-typescript": "^12.1.2",
"@tsconfig/svelte": "^5.0.4",
"@typewriter/delta": "^1.2.4",
"daisyui": "^4.12.23",
"svelte": "^4.2.19",
"tslib": "^2.8.1",
"vite": "^5.4.21"
},
"dependencies": {
"@icp-sdk/auth": "^7.1.0",
"@icp-sdk/core": "^5.4.0",
"@icp-sdk/vetkeys": "^0.5.0-beta.0",
"@popperjs/core": "^2.11.8",
"@sveltejs/vite-plugin-svelte": "^3.0.2",
"@tailwindcss/postcss": "^4.0.6",
"@tailwindcss/vite": "^4.0.0",
"autoprefixer": "^10.4.20",
"rollup-plugin-css-only": "^4.5.2",
"svelte-icons": "^2.1.0",
"svelte-spa-router": "^4.0.1",
"tailwindcss": "^3.0.17",
"typewriter-editor": "^0.9.4"
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
[
{
match: "**/*",
security_policy: "hardened",
headers: {
"Content-Security-Policy": "default-src 'self';script-src 'self';connect-src 'self' http://localhost:* https://icp0.io https://*.icp0.io https://icp-api.io;img-src 'self' data:;style-src * 'unsafe-inline';object-src 'none';base-uri 'self';frame-ancestors 'none';form-action 'self';upgrade-insecure-requests;",
},
allow_raw_access: false
},
]
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
1 change: 1 addition & 0 deletions motoko/vetkeys/password_manager/frontend/public/vite.svg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
13 changes: 13 additions & 0 deletions motoko/vetkeys/password_manager/frontend/src/App.svelte
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
<script lang="ts">
import Hero from "./components/Hero.svelte";
import LayoutAuthenticated from "./components/LayoutAuthenticated.svelte";
import Notifications from "./components/Notifications.svelte";
import { auth } from "./store/auth";
</script>

{#if $auth.state === "initialized"}
<LayoutAuthenticated />
{:else}
<Hero auth={$auth} />
{/if}
<Notifications />
3 changes: 3 additions & 0 deletions motoko/vetkeys/password_manager/frontend/src/app.css
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
@tailwind base;
@tailwind components;
@tailwind utilities;
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
<script lang="ts">
import { fly } from "svelte/transition";
import DisclaimerCopy from "./DisclaimerCopy.svelte";
let isDismissed = !!window.localStorage.getItem("disclaimer-dismissed");

function dismiss() {
window.localStorage.setItem("disclaimer-dismissed", "yes");
isDismissed = true;
}
</script>

{#if !isDismissed}
<div
class="sticky bottom-0 p-4 text-xs bg-base-300 mt-4 sm:flex"
out:fly={{ y: 50 }}
>
<p class="opacity-90 sm:flex-1">
<DisclaimerCopy />
</p>

<button
class="btn btn-outline btn-xs sm:btn-sm sm:self-start mt-4 sm:mt-0 sm:ml-4 opacity-90"
on:click={dismiss}>I understand</button
>
</div>
{/if}
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
<script lang="ts"></script>

<strong>Disclaimer:</strong> This sample app is intended exclusively for experimental
purpose. You are advised not to use this app for storing your critical data such
as keys or passwords.
Loading
Loading