About

Seekrat.info, or just seekrat, is a lightweight and simple service designed to facilitate the sharing of sensitive information with a very limited audience.

It is built and run by a cybersecurity professional based in the European Union.

The API is hosted with a hosting company operated out of Germany. The servers running the seekrat infrastructure are located in Germany as well.

Observability data, such as logs and metrics, is collected using the Grafana stack, hosted in a datacenter in the Netherlands operated by Microsoft.

Traffic to seekrat is proxied through Cloudflare to protect the site and the API.

Security

Seekrat is a service built with security in mind.

The API is served over HTTPS using up-to-date Transport Layer Security (TLS).

The secrets shared via seekrat are encrypted with a 256-bit AES key in GCM mode (AES256-GCM). Encryption happens before any data is written to disk.

The encryption key used is derived from 2 sources:

  1. A 32 byte randomly generated key, referred to as the Server Key
  2. A 16 byte randomly generated key, referred to as the Client Key

The Server Key and the Client Key are combined and then run through scrypt to derive the 32 byte encryption key used to encrypt your data.

All bytes generated by seekrat are generated using Go's cryptographically secure random number generator from crypto/rand.

The nonce used for AES GCM is 12 randomly generated bytes. These are stored, along with the encrypted data and salt.

Scrypt

The Server Key and Client Key are combined using scrypt to derive a 32 byte key used for AES.

The salt used is 8 randomly generated bytes. These are stored, along with the encrypted data and nonce.

The parameters used for scrypt are as follows:

  • N=32768
  • r=8
  • p=1

Server Key

The Server Key is the only key material that isn’t generated by the application that runs seekrat. It is generated on the infrastructure running seekrat using the command hexdump -vn32 -e'4/4 "%08X" 1 "\n"' /dev/urandom.

This key is provided to the application as part of its configuration. The application supports having several Server Keys, so as to allow for rotation of secrets without rendering data unreadable.

When rotating a Server Key, the new key is added to the application. New requests to store data with seekrat will use this new key to encrypt the data. New requests to retrieve data will first attempt to decrypt the data using the new Server Key. If decryption fails, the application will attempt to decrypt using the old Server Key. After at least 7 days, to ensure no data is retained that is encrypted using the old Server Key, the old Server Key is removed from the application.

The size of the Server Key is 32 bytes.

Client Key

The Client Key is generated for every request to store data with seekrat. The Client Key is not logged by seekrat and is returned to the client in the response sent back from seekrat.

Any request to retrieve data will have to include the Client Key. Without it, seekrat cannot decrypt the stored data to return it.

Requests to retrieve data with a wrong Client Key result in the same response from seekrat as if the data wasn’t present.

The size of the Client Key is 16 bytes.
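
The key derivation, Server Key rotation and wrong-Client-Key behaviour described above, sketched as an added example in Node.js using only its built-in crypto module. This is not the secretservice code (which is written in Go); the function names, the record layout and the choice to combine the keys by concatenation are assumptions made for illustration.

```javascript
const { randomBytes, scryptSync, createCipheriv, createDecipheriv } = require('node:crypto');

// scrypt parameters from the page. N=32768 with r=8 needs about 32 MiB, which
// sits at Node's default maxmem of 32 MiB, so the limit is raised explicitly.
const SCRYPT = { N: 32768, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const TAG_LEN = 16; // GCM authentication tag, stored after the ciphertext

// Assumption: "combined" is modelled here as Server Key || Client Key.
function deriveKey(serverKey, clientKey, salt) {
  return scryptSync(Buffer.concat([serverKey, clientKey]), salt, 32, SCRYPT);
}

// serverKeys[0] is the newest Server Key; older keys follow during a rotation.
function storeSecret(plaintext, serverKeys) {
  const clientKey = randomBytes(16); // returned to the client, never stored
  const salt = randomBytes(8);
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', deriveKey(serverKeys[0], clientKey, salt), nonce);
  const data = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final(), cipher.getAuthTag()]);
  return { clientKey, record: { salt, nonce, data } };
}

// Tries the newest Server Key first, then older ones. Returns null both when
// no key fits and when the Client Key is wrong, so a caller cannot tell a bad
// Client Key apart from data that cannot be returned.
function retrieveSecret(record, clientKey, serverKeys) {
  const body = record.data.subarray(0, record.data.length - TAG_LEN);
  const tag = record.data.subarray(record.data.length - TAG_LEN);
  for (const serverKey of serverKeys) {
    const key = deriveKey(serverKey, clientKey, record.salt);
    const decipher = createDecipheriv('aes-256-gcm', key, record.nonce);
    decipher.setAuthTag(tag);
    try {
      return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
    } catch {
      // GCM tag mismatch: wrong Server Key or wrong Client Key. Try the next key.
    }
  }
  return null;
}
```

Each fallback attempt costs one more full scrypt derivation, so a retrieval against a record written under the old Server Key takes roughly twice as long while both keys are configured.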

Cloudflare

As mentioned previously, Cloudflare is used in front of the site and API. Connections between Cloudflare and the seekrat services are encrypted. As such, traffic to seekrat is considered to be “end-to-end encrypted”.

One consequence of using Cloudflare is that traffic is terminated, decrypted, scanned, encrypted and forwarded to seekrat by Cloudflare. This means that technically Cloudflare is capable of seeing the data you send to seekrat.

Using Cloudflare is a conscious choice taken to protect the infrastructure running seekrat.

Should I trust you?

No, you should not. From most people's perspective, seekrat is run by random people on the Internet. It is claimed that seekrat is built and run by a cybersecurity professional based in the European Union, but who knows?

In an effort to alleviate some of the concerns of the most die-hard sceptics, seekrat has made the source code of secretservice publicly available under an Open Source license. secretservice is the service handling the data you send to the /secrets API endpoint. It is responsible for encryption and the generation of key material. It can be used to host your own version of the seekrat API.

While Open Source code isn’t a guarantee that it is more secure, it does allow you to read it, run it and modify it if you should so choose.

You can find the code here.

Note that seekrat consists of other services, and there is no guarantee that any of them will be made available under an Open Source license. What is guaranteed however is that the part of seekrat that is responsible for handling unencrypted secrets will continue to be available under an Open Source license.

Seekrat

It’s called seekrat, because it’s… secret…

Seekrat - because we all have secrets we need to share

By Mads R. Havmand, 2023-01-21