Introducing Fortanix DSM Password Manager

You may find this blog as “yet another password manager” blog, and maybe it’s true. Knowing there are many options available for a secure password manager is a good position to be in, certainly for anyone who’s got hundreds if not thousands of passwords for various web and system administration.

When I first came across Fortanix Data Security Manager early last year (when I first joined the young company), I came to know that it can also act as a Secrets Management tool with a HSM grade security for the secrets storage. Knowing that the online SaaS service hosted Equinix is both SOC and PCI compliant, I wanted to see how well it can act as a replacement to my current and future password management needs.

Introducing the Fortanix DSM Password Manager v0.3.0 or DSMPass for short!

You may be more familiar with the Web UI that Fortanix DSM provides to fetch your passwords or secrets:

Secrets management UI

But for me personally, a command line tool that works on my Mac, Linux or WSL terminal would be easier to fetch or create new passwords or secrets in my DSM environment.

If you are already a customer of Fortanix, head over to support.fortanix.com to ask for a copy of the DSMPass tool. Today, the tool isn’t quite browser ready, yet (since it’s all command line based), and it means it’s still in private beta. But I hope some day soon this becomes a tool that can be used by consumers on browsers and perhaps on mobile devices at some stage.

For now, let’s take a look at how this works on the command line.

Installation / Setup

Installing DSMPass is as simple as copying the executable file somewhere accessible. On a Mac or Linux system, this typically is your “/usr/local/bin” directory, or in Windows - you just need to set the %PATH% environment variable to a folder of your choice.

Installation

Once the DSMPass executable has been copied, you then can run the dsmpass command:

$ dsmpass
Print the contents of the DSM Password Manager.

If you have not yet initialized your DSM Password Manager, it is necessary to run the init command in order to create your dsmpass directory, and initialise/synchronise your DSM account and secrets.

Usage:
  dsmpass [flags]
  dsmpass [command]

Available Commands:
  create-secret Create a secret in DSM Password Manager.
  db            Manage database secret in DSM Password Manager.
  help          Help about any command.
  init          Initialize DSM Password Manager.
  remove        Remove a secret from DSM Password Manager.
  show-secret   Show a secret in DSM Password Manager.
  show-ssh      Print a SSH public key in DSM Password Manager.
  sync          Synchronise all secrets in DSM Password Manager.
  version       Print the version of DSM Password Manager.

Flags:
 -h, --help  help for dsmpass

Use "dsmpass [command] --help" for more information about a command.

If this is the first time running the command on your system, you’ll be greeted with a simple help screen as per the above. In order for DSMPass to work, it needs to initialise your connection to your Data Security Manager:

$ dsmpass init
Please enter DSM endpoint: your endpoint
Please enter account: your account_id
Please enter username: your email
Please enter password: your password
Please enter master password: your master password
Created directory to store DSM Password Manager config: /path/to/home/.dsmpass
DSM Password Manager successfully initialised.

You’ll notice that a metadata folder “/path/to/home/.dsmpass” has been created. The way the DSMPass works is that it encrypts your endpoint, account id, username and password locally (all secured using your master password), but the secrets are actually stored on the Fortanix Data Security Manager. So you’ll know that no passwords/secrets are ever stored on anyone’s local system - only the reference or the metadata to the passwords/secrets are stored.

Once the DSMPass has been initialised, you can now start generating or deleting passwords/secrets as you need. If you already have some secrets created in your Data Security Manager tenant or if you are setting up DSMPass on a new laptop you are using, simply synchronise the metadata:

$ dsmpass sync
Enter master password: 
U2F Authentication is enabled.
Failed to find any devices

If you don’t have 2FA enabled, then this would have synchronised all your passwords/secrets from Fortanix Data Security Manager. In my case, my Data Security Manager account has 2FA enabled with my U2F Yubikey, hence it complained that my laptop couldn’t find any U2F devices. Plugin your Yubikey and attempt to do a sync again:

$ dsmpass sync
Enter master password: 
U2F Authentication is enabled.
Waiting for Authentication..

After I press the button on the Yubikey, my passwords/secrets should have synchronised:

$ dsmpass
.
├──Some_Test
| └──some.example.com

DSMPass is finally initialised! Let’s see how it all works!

DSMPass Usage

Let’s start with a password / secrets generation. The command is: “create-secret”. If you ever get the commands wrong for whatever reason, you’ll note that it will suggest the correct command:

	$ dsmpass create
Error: unknown command "create" for "dsmpass"

Did you mean this?
 create-secret

Run 'dsmpass --help' for usage.

So we’ll try with the correct command and the usage is simple: *“create-secret "*. Again, I'll need to authenticate using my U2F key as well:

$ dsmpass create-secret test example.com someone@example.com
Enter master password: 
U2F Authentication is enabled.
Waiting for Authentication..

For some instances, you might already have a password/secret you want to manually store. You can use the ”–supply / -s” to manually provide this:

$ dsmpass create-secret test name.example.com username -s
Enter password for name.example.com: 
Enter master password:
U2F Authentication is enabled.
Waiting for Authentication..
	

Once created, you’ll notice that the password/secret has been automatically created and I can also show this as well using the “show-secret” command. For every one of these sensitive commands, I’ll need to enable the U2F button:

$ dsmpass
.
├──test
| └──example.com

$ dsmpass show-secret test example.com
Enter master password: 
U2F Authentication is enabled.
Waiting for Authentication..
Username: someone@example.com
Password: redacted

If you prefer to copy the password to your clipboard you can always use the “-c” option:

$ dsmpass show-secret test example.com -c

This will only show the username on your console and the password/secret would be copied to your clipboard.

We can also remove or delete a password or secret in case you no longer require it. Simple “remove” command will suffice

$ dsmpass remove test example.com
Enter master password:
U2F Authentication is enabled.
Waiting for Authentication..

And now the password/secret is gone:

$ dsmpass
.

Do note, once the password/secret is deleted, it’ll also be deleted within the Fortanix DSM as well. All is audit logged as it should:

Secret is gone

Some may have noticed in the help command there are other commands to the DSMPass such as “db”, “show-ssh” and so on. I’ll look to cover these on another blog post very shortly.

For now, feedback is welcome and let us know what you think of the latest DSM Password Manager!

Share this post:

Get our blog updates in your inbox: