Comments
-
Cool tools, but I think I would probably actually murder a co-worker if he generated/encrypted secret information from a website like this with zero reputation. Or even a website with a good reputation, for that matter. Everything crypto like this needs to be local and trusted as much as possible/reasonable.
-
Yeah, you either have to trust me or read the code. All the cryptography is done locally in the browser, nothing goes server side. I don't really know how you build that kind of trust, but these are all tools I needed in my day to day life, so I made them pretty
Dead drop for password sharing for those costly accounts leadership won't upgrade to enterprise for
Runekey for ec2 ssh keys, pass gpg key, and for my homelab wireguard setup.
Cipherstash for doing stupid shit like backing up your crypto seed phrase in google drive with some resemblance of safety.
And artifact warden for dealing with big CVEs and supply chain attacks for your team, prod environments, and any other places you hook shit up like GH action runners.
-
If you have some ideas on how to build trust up, I'll take em.
Maybe some data flow diagrams would help?
-
@lungdart you might need to think up or implement clever zero-trust solutions like haveibeenpwned.com does for password checking. Way above my paygrade.
-
@AlgoRythm I wasn't aware haveibeenpwned was zero trust. I assume they could see your password.
-
Pretty neat set of tools. I'm not sure if I like the idea of generating SSH/GPG keys from a passphrase. Seems like that can lower your entropy, but I generally like the idea of self-hostable tools.
-
Cool. I just encrypted a nude. It looks very nice. Did you design it yourself or did some vibii for that? In both cases good job.
-
@AlgoRythm I would rather trust a small VPN than a big one. Because they probably already knocked on the door of the big one "It's time for a backdoor.". The corruption comes when providers become big I guess.
-
@djsumdog Entropy can be lower with smaller passphrases for sure. But that's still better than putting your SSH private key on confluence for all your devs to get access to AWS instances for debugging (Yes I've seen that happen...)
@whimsical I can't design shit. Logic and algorithms, no prob. Making something look nice? Thank god for AI.
-
I've added a security model section and dataflow diagrams for each tool, if that helps build trust.
https://shroudlabs.tech/docs/...
-
@lungdart They have access to all the leaked data, but if you want to check your password, they (currently or at least used to) offer an API that goes like this:
- You are responsible for hashing your password/text locally
- You send the final `n` bits of the hash
- Haveibeenpwned sends back a list of all passwords with matching partial hashes
- You are responsible for going through the list and checking if your specific hash is present

If so, you have been pwned.
It's a service intended for enterprises to make sure employees don't use cracked passwords.
-
@AlgoRythm Cool, didn't know they offered that kind of API functionality. That's kind of how I implemented things on my end. The web browser does all the crypto stuffs, the server is just a nice UI around it.
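
The partial-hash lookup discussed in the comments above, as an added example that is not part of the original thread or of any tool mentioned in it. It follows the public Pwned Passwords range API, where the client sends the first five hex characters of the SHA-1 digest and receives `SUFFIX:COUNT` lines; `FakeRangeService` and all sample passwords and counts are constructed stand-ins so the exchange runs offline.

```python
import hashlib

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that leave the machine


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """Client side: only the prefix is handed to fetch_range; matching is local."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


class FakeRangeService:
    """Hypothetical offline stand-in for the remote service (constructed data)."""

    def __init__(self, breached):
        self.seen = []  # everything the "server" ever receives
        self.rows = {}
        for password, count in breached.items():
            prefix, suffix = split_hash(password)
            self.rows.setdefault(prefix, []).append(f"{suffix}:{count}")

    def __call__(self, prefix):
        self.seen.append(prefix)
        # Constructed decoy row: a bucket also holds unrelated hash suffixes.
        decoy = "0" * (40 - PREFIX_LEN) + ":3"
        return "\r\n".join(self.rows.get(prefix, []) + [decoy])


def demo():
    service = FakeRangeService({"password": 1000, "hunter2": 17})  # constructed counts
    candidates = ("password", "hunter2", "Tr0ub4dor&3-not-listed")
    return {pw: pwned_count(pw, service) for pw in candidates}, service.seen
```

`service.seen` is the full record of what the remote side observes: one five-character prefix per lookup, never the password or the complete hash.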

https://shroudlabs.tech
I got bored and decided to figure out webapps. Hosting something I find useful. Feel free to poke at it and tell me why it sucks and what breaks
rant