civisanalytics/onetimesecret
Keep sensitive info out of your email & chat logs. https://onetimesecret.com/
Dockerized One-Time Secret (DOTS) is based on One-Time Secret (OTS) version 0.10.0. We saw the need to upgrade Ruby from 1.9.3, and several outdated gems with vulnerabilities (as identified by Gemnasium), and in the process of making these upgrades and deploying the application internally, elected to use Docker and Docker Compose. The following changes were made over v0.10.0:
* upgraded Ruby from 1.9.3 to 2.4.1
* upgraded the following insecure gems
  * rack
  * mail
  * httparty
* upgraded Redis from 2.6 to 3.2
Other outdated gems remain, but we minimized non-critical changes with the goal of avoiding alterations to application code (and the accompanying debugging work).
This container is also available from Docker Hub under the name `civisanalytics/onetimesecret`, which builds automatically from the `dockerized` branch of this repository.
In order to build the container locally, `cd` into the directory and run `docker build -t onetimesecret .`
Also included in this repository is the docker-compose.yaml file needed to stand up the environment.
A one-time secret is a link that can be viewed only one time. A single-use URI.
When you send people sensitive info like passwords and private links via email or chat, there are copies of that information stored in many places. If you use a one-time link instead, the information persists for a single viewing which means it can't be read by someone else later. This allows you to send sensitive information in a safe way knowing it's seen by one person only. Think of it like a self-destructing message.
```shell
# DEBIAN
$ sudo apt-get update
$ sudo apt-get install build-essential
$ sudo apt-get install ntp libyaml-dev libevent-dev zlib1g zlib1g-dev openssl libssl-dev libxml2 libreadline-gplv2-dev
$ mkdir ~/sources

# CENTOS
$ sudo yum install gcc gcc-c++ make libtool git ntp
$ sudo yum install openssl-devel readline-devel libevent-devel libyaml-devel zlib-devel
$ mkdir ~/sources

# RUBY
$ cd ~/sources
$ curl -O ftp://ftp.ruby-lang.org/pub/ruby/1.9/ruby-1.9.3-p362.tar.gz
$ tar zxf ruby-1.9.3-p362.tar.gz
$ cd ruby-1.9.3-p362
$ ./configure && make
$ sudo make install
$ sudo gem install bundler

# REDIS
$ cd ~/sources
$ curl -O http://download.redis.io/releases/redis-2.6.17.tar.gz
$ tar zxf redis-2.6.17.tar.gz
$ cd redis-2.6.17
$ make
$ sudo make install

# ONETIMESECRET
$ sudo adduser ots
$ sudo mkdir /etc/onetime
$ sudo chown ots /etc/onetime
$ sudo su - ots
$ [download onetimesecret]
$ cd onetimesecret
$ bundle install --frozen --deployment --without=dev
$ bin/ots init
$ sudo mkdir /var/log/onetime /var/run/onetime /var/lib/onetime
$ sudo chown ots /var/log/onetime /var/run/onetime /var/lib/onetime
$ mkdir /etc/onetime
$ cp -R etc/* /etc/onetime/
$ [secure the /etc/onetime and /var/lib/onetime directory to prevent unauthorized access]
$ [edit settings in /etc/onetime/config]
$ [edit settings in /etc/onetime/redis.conf]
$ redis-server /etc/onetime/redis.conf
$ bundle exec thin -e dev -R config.ru -p 7143 start
```
We include a global secret in the encryption key, so it needs to be long and secure. One approach for generating a secret:

```shell
dd if=/dev/urandom bs=20 count=1 | openssl sha1
```
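The two ideas above, a link that can be viewed only once and a global secret mixed into the encryption key, are illustrated by the following Ruby sketch. This is an added example written for this README, not code from the OTS or DOTS code base: an in-memory Hash stands in for Redis, and the class and method names (`OneTimeStore`, `create`, `burn`) are assumptions. The record is deleted only when a view succeeds, so a wrong passphrase does not consume the secret, and a copy of the stored records alone cannot be decrypted without the global secret.

```ruby
require 'openssl'
require 'securerandom'

# Minimal stand-in for the one-time-secret mechanism (illustrative only).
# A Hash replaces Redis; the global secret plays the role of the value
# generated with dd/openssl above and kept in /etc/onetime/config.
class OneTimeStore
  def initialize(global_secret)
    @global_secret = global_secret
    @store = {}          # constructed: key -> { ct:, iv:, tag:, salt: }
    @mutex = Mutex.new   # a single process; Redis would give atomicity instead
  end

  # Encrypt and store a secret. Returns the random single-use key that
  # would be embedded in the URI handed to the recipient.
  def create(plaintext, passphrase: '')
    key = SecureRandom.urlsafe_base64(24)
    salt = SecureRandom.random_bytes(16)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = derive_key(passphrase, salt)
    iv = cipher.random_iv
    cipher.auth_data = key   # bind the ciphertext to its own key
    ct = cipher.update(plaintext) + cipher.final
    @mutex.synchronize do
      @store[key] = { ct: ct, iv: iv, tag: cipher.auth_tag, salt: salt }
    end
    key
  end

  # View once: returns the plaintext and destroys the record. Returns nil for
  # an unknown key, an already-viewed key, or a wrong passphrase (in which
  # case the record is kept, so a guess does not burn the secret).
  def burn(key, passphrase: '')
    @mutex.synchronize do
      record = @store[key]
      return nil unless record
      plaintext = decrypt(record, key, passphrase)
      @store.delete(key) if plaintext
      plaintext
    end
  end

  def exists?(key)
    @mutex.synchronize { @store.key?(key) }
  end

  private

  # The global secret is part of the key material, so a dump of the store
  # alone is not enough to read any secret.
  def derive_key(passphrase, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(@global_secret + passphrase, salt, 100_000, 32, 'sha256')
  end

  def decrypt(record, key, passphrase)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = derive_key(passphrase, record[:salt])
    cipher.iv = record[:iv]
    cipher.auth_tag = record[:tag]
    cipher.auth_data = key
    cipher.update(record[:ct]) + cipher.final
  rescue OpenSSL::Cipher::CipherError
    nil   # wrong passphrase, wrong global secret, or tampered ciphertext
  end
end

if __FILE__ == $PROGRAM_NAME
  store = OneTimeStore.new('constructed-global-secret')   # constructed value
  key = store.create('hunter2', passphrase: 'pw')
  puts "first view:  #{store.burn(key, passphrase: 'pw').inspect}"
  puts "second view: #{store.burn(key, passphrase: 'pw').inspect}"
end
```

The authenticated cipher is what makes "wrong passphrase" detectable without storing the passphrase: GCM's tag check fails and the record stays put. In the real deployment the delete-on-view step is what Redis has to make atomic, otherwise two concurrent requests for the same link could both see the secret.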
Upgrading to 0.9 should be seamless; however, because of new functionality you will need to add the following to your config file:

```yaml
:incoming:
  :enabled: true
  :email: example@onetimesecret.com
  :passphrase: CHANGEME
  :regex: \A[a-zA-Z0-9]{6}\z
:locales:
  - en
  - es
  - de
  - nl
```
If you run your configuration from /etc/onetime/config, you will also need to copy the ./etc/locale directory to /etc/onetime/locale:

```shell
$ cd /path/2/onetimesecret
$ sudo cp -r etc/locale /etc/onetime/
```
```shell
docker pull civisanalytics/onetimesecret
```