Set Up Enpass With HTTPS Protected WebDAV and Ditch LastPass

It’s time to ditch cloud based password managers. There.. I said it. What we are doing when we use them is giving ownership and management of our trusted secrets to someone else, and hoping that they will be able to protect them from bad guys, and make sure they are available when we need them.

That’s a heck of an ask, isn’t it? I’ve been a LastPass customer for a very, very long time.. I use it to share secrets with my family, I use it on my mobile device to log into apps. It’s a safe bet to say it’s a critical piece of how I operate, and they have never once let me down. That said, if they asked for money to continue using their service, I’d have to pay. If they had a security event where secrets were compromised or if they lost my data, I’d be in very, very bad shape.

In this article, I will talk about how to set up a WebDAV share that’s protected by HTTPS using Traefik, Let’s Encrypt, and a WebDAV container on your own server, and use it to sync your secrets with devices.

Before I begin, it’s important to understand that using WebDAV isn’t the only way to sync your secrets with Enpass. There are others:

  • Dropbox
  • Google Drive
  • OneDrive (Personal/Business)
  • iCloud
  • Box
  • Folder sync

Base Server Set Up

Get a VPS

First thing we need is a server that is public internet facing. The easiest way to do this is to use a service that provides virtual private servers. I like Vultr because of their price/performance/feature availability ratio. They are cheaper than DigitalOcean and AWS, as easy, if not easier to manage, and have the scale you need to put your data pretty much wherever you want. If you do use Vultr, please do me a favor and use this link to sign up. I’ll get a little kickback, but you’ll get $100 USD to use on the site in your first month.

The OS doesn’t really matter, as long as you can install docker on it. A very small VPS will suffice, and mine costs $3.50 USD/Month.

Harden the OS

I won’t go into very much depth with this subject, but here are a few general guidelines:

  • Disable root login via SSH
  • Require public key authentication for SSH sessions
  • Enable multi factor authentication for your remote user
  • Only install packages you need
  • Ensure all updates are installed, and continue to do so on a regular basis

Set Up Docker, Traefik, and WebDAV

All code is on the GitHub repository I use to share all code for this site. You can find it here: https://github.com/jonhowe/Virtjunkie.com/tree/master/DitchLastPass

First and foremost, this will not be a tutorial on how to administer Docker, WebDAV, or especially Traefik, but I’ll give you the exact steps and code for setting this up yourself, and provide some links at the end you can use to learn more about these topics.

All of the following steps will be executed on your VPS, so please sure you are connected to it via SSH or a similar terminal window.

We’ll be using an external docker bridge network in this configuration, the following command will create it

Create Traefik Configuration

First of all, let’s create the directory structure we’ll need for Traefik (line 1). We’ll also be creating a file that will be used for storing SSL certificates (line 2), and setting permissions on it (line 3).

Create Traefik Configuration

Create a new file in the traefik/data directory we just created called traefik.yml with the contents below.

Changes Required:

  • Line 24: Modify your email address

Define Traefik Container

Create a new file in the traefik/data directory called docker-compose.yml

Changes Required:

  • Line 30: Modify to fit the hostname of your server
  • Line 31: Add in credentials compatible with basic auth. You can use the output from the command below to achieve this.
    • echo $(htpasswd -nb [your user] [your pass]) | sed -e s/\$/\$\$/g
  • Line 35: Modify to fit the hostname of your server

Start Traefik Container

Create WebDAV Configuration

Before we begin, we need to create the directory structure for the WebDAV container. Use the following command to do so.

We’ll be using a container authored by bytemark for this project. It’s essentially just apache with the webdav module installed. As of today, the container is less than 100MB.

Define WebDAV Application Configuration

Changes Required:

  • Line 15: Username used to authenticate to the WebDAV service.
  • Line 16: Password you’ll use to authenticate to the WebDAV service. This is stored in plaintext in this example, but storing the variable in an external file is best practice.
  • Line 17: Modify to fit the hostname of your server
  • Line 27: Modify to fit the hostname of your server
  • Line 31: Modify to fit the hostname of your server

Start the WebDAV Container

Run the following command to bring up the webdav container

Bringing it all together

Summary

At this point you should have two containers running on your VPS. Traefik is acting as a reverse proxy for the WebDAV container, and is providing SSL encryption to it. The SSL certificate is provided by Let’s Encrypt.

Final Directory Structure

Migrate to Enpass Using WebDAV

Now that we’ve got a functional and secure WebDAV instance, we just need to migrate to it. These steps are pretty easy, but I want to include them to be comprehensive.

Export Secrets From Lastpass

To make our transition from Lastpass as seamless as possible, we’ll export our secrets so we can import them into Enpass. The easiest way to do this is from the Lastpass Vault.

Step 1 – Open Your Vault


Step 2 – Export Secrets

  1. Select “More Options”
  2. Select “Advanced”
  3. Select “Export”
  4. If prompted, enter your Master Password, and note where the CSV export file name and path.

Import Secrets To Enpass

Pretty easy stuff here, just open enpass, and kick off the import.

Import Steps:

  1. Open Enpass
  2. Select Menu
  3. Select File
  4. Select Import
  5. When prompted to “Select from where you want to import your data into Enpass”, select Lastpass
  6. Navigate to the directory you exported the CSV to
  7. Select continue to finish the import

Connect EnPass To WebDav Share

At this point you’ve got a functioning WebDAV service protected by SSL, as well as a local instance of Enpass that has your lastpass secrets. We just need to connect EnPass to your Webdav instance to allow us to sync to it. Once you have EnPass Installed, follow the steps below to connect it to your WebDAV Service.

Connection Steps:

  1. Open Enpass
  2. Select Settings
  3. Select Vaults
  4. Select the Vault you’d like to sync
  5. Enter the URL of your server, and ensure to include the https:// prefix
  6. Enter the username and password created in Section 2.2.1
  7. Ensure that the checkbox for “Bypass SSL Certificate Validation” is unchecked. We want to validate the SSL certificate since we are using Let’s Encrypt.

Risks

There are some things that LastPass does for us that we don’t get with this solution. In particular, we are somewhat exposed to brute force attempts to the webdav service. Also, LastPass has a number of email notifications that go out when things happen in your vault. We are really only notified when a new client joins the vault in Enpass.

Trafeik Resources

https://medium.com/@containeroo/traefik-2-0-docker-a-simple-step-by-step-guide-e0be0c17cfa5
https://containo.us/blog/traefik-2-0-docker-101-fc2893944b9d/

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Copyright VirtJunkie.com © 2020