Data encryption in Teampass
Encryption is performed on passwords and on custom fields. In other words, the password strings stored by the users are encrypted in the database and cannot be read from it directly.
All other fields are in clear text in the database.
Encryption is performed with AES, a block cipher with a 128-bit block size, in Cipher Block Chaining (CBC) mode. This technique uses:
an Initialization Vector (IV), which is generated afresh for each new encryption;
a saltkey, which is defined by the Administrator of Teampass (it is asked for during installation) and is used for all public Items. Notice that if you are using
Personal Folders, then each Teampass user defines his or her own saltkey.
Because the IV is random and different for every encryption, each cleartext string produces a different ciphertext even when the stored cleartext strings are identical. So the database never contains the same encrypted string twice, and an attacker reading the table cannot tell which Items share a password.
A lot of very interesting webpages exist on this topic that explain how encryption works much better than I could do.
Based on this encryption mode, each password is stored in the database in two separate fields: one field receives the password encrypted with the saltkey, and the IV generated for that encryption is stored in the second field.
As said before, the encrypted string is the result of the encryption operation made with the saltkey and the generated IV. Both values are therefore needed to decrypt the string: the IV is stored next to the ciphertext and is not secret, while the saltkey is the actual key and must stay out of the database.
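The following Go program is an added illustration of the scheme described above (AES-128-CBC, a fresh random IV per encryption, ciphertext and IV kept as two separate fields, saltkey held outside the database). It is not Teampass's own code. In particular, this page does not say how Teampass turns the saltkey string into an AES key, so the SHA-256 based derivation below is an assumption made only so the example runs; the field names and the sample saltkey are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// StoredPassword models the two database fields the text describes:
// the AES-CBC ciphertext and the IV generated for that single encryption.
// The field names are illustrative, not Teampass's actual schema.
type StoredPassword struct {
	Ciphertext string // hex-encoded AES-128-CBC output
	IV         string // hex-encoded 16-byte IV, stored in clear next to it
}

// keyFromSaltkey derives a 16-byte AES-128 key from the saltkey string.
// ASSUMPTION: the page does not specify Teampass's key derivation;
// SHA-256 truncated to one AES block is used here only to make the example run.
func keyFromSaltkey(saltkey string) []byte {
	sum := sha256.Sum256([]byte(saltkey))
	return sum[:aes.BlockSize]
}

// pkcs7Pad brings the cleartext to a multiple of the block size, as CBC requires.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips the padding and rejects malformed padding, which is what
// usually happens when the wrong saltkey was used to decrypt.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// Encrypt draws a fresh random IV on every call, so storing the same
// cleartext twice yields two different ciphertext rows.
func Encrypt(saltkey, cleartext string) (StoredPassword, error) {
	block, err := aes.NewCipher(keyFromSaltkey(saltkey))
	if err != nil {
		return StoredPassword{}, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return StoredPassword{}, err
	}
	padded := pkcs7Pad([]byte(cleartext), aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return StoredPassword{Ciphertext: hex.EncodeToString(out), IV: hex.EncodeToString(iv)}, nil
}

// Decrypt needs both stored fields plus the saltkey, which never enters the DB.
func Decrypt(saltkey string, sp StoredPassword) (string, error) {
	ct, err := hex.DecodeString(sp.Ciphertext)
	if err != nil {
		return "", err
	}
	iv, err := hex.DecodeString(sp.IV)
	if err != nil {
		return "", err
	}
	if len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("malformed stored fields")
	}
	block, err := aes.NewCipher(keyFromSaltkey(saltkey))
	if err != nil {
		return "", err
	}
	plain := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ct)
	unpadded, err := pkcs7Unpad(plain, aes.BlockSize)
	if err != nil {
		return "", err
	}
	return string(unpadded), nil
}

func main() {
	const saltkey = "example-saltkey-chosen-at-install" // constructed sample value
	const cleartext = "S3cret!"
	a, _ := Encrypt(saltkey, cleartext)
	b, _ := Encrypt(saltkey, cleartext)
	fmt.Println("same cleartext, different ciphertext:", a.Ciphertext != b.Ciphertext)
	p, err := Decrypt(saltkey, a)
	fmt.Println("decrypt with saltkey:", p, err)
	// Without the real saltkey the result is a padding error or garbage, never the cleartext.
	wrong, err := Decrypt("attacker-guess", a)
	fmt.Println("decrypt without saltkey recovers cleartext:", err == nil && wrong == cleartext)
}
```

Note that CBC on its own provides confidentiality only: nothing in the two stored fields detects a modified ciphertext or IV, so the integrity of those rows rests on the access controls around the database rather than on the encryption itself.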
In Teampass, the main saltkey used for items created in public folders is stored in a text file. During the installation, you are asked for the path where this file will be stored.
The advice is to store it outside the document root of your web server, so that it can never be served as a static file, and to make it readable only by the account the web server runs as.
This advice is very important. If an attacker gets access to your database alone (a SQL dump, a stolen backup, an injection), he will not be able to decrypt the passwords, because the saltkey is not in the database and is not reachable through the web server. The protection ends there, however: anyone who obtains both the database and the saltkey file can decrypt every public Item, so the file deserves the same care as the passwords it protects.
The special case of Personal Items
It is important to know that if a User loses his or her personal saltkey, there is no way to recover the items in that Personal Folder: nothing else can decrypt them, so the associated passwords are lost.