Sharing passwords through a chat tool is usually more convenient than using a proper password manager, and some organizations don't have a password manager at all, leaving it to users to apply their own common sense.

Slack users simply paste the plaintext password into a direct message or a team conversation and either delete it later or forget about it. The risk is that passwords are never properly documented and remain exposed in messages that can later be read by people who temporarily join the channel or conversation, or that turn up accidentally in a chat export or during screen sharing (which we have all been doing a lot recently).

It would be ideal to bring password-manager functionality into Slack itself and let users share and document their sensitive data in a more convenient way. This app aims to do that.

What it does

Create and share secrets (e.g. passwords, confidential text) with other Slack users in a direct message or within channels.

  • /secret opens a modal dialog for creating a new secret. Configure a title, the channel, the authorized users, when access expires, and whether the secret expires after its first view.
  • /secret @user <secretMessage> creates a secret instantly for one user within the current conversation/channel.
  • /vault lists the non-expired secrets that you are authorized to view within the current channel.
  • The "Create a Secret" shortcut also opens the modal dialog for creating a new secret.
  • Every created secret is posted with two buttons:
    • Reveal Secret opens a popup that reveals the secret message.
    • Access Log opens a popup listing every user who opened the secret and whether they were granted or denied access.
  • Default settings for expiry, title and one-time view can be configured on the App Home page.

How I built it

I used Slack Bolt and interactive blocks to handle the different modal popups and views, along with slash commands, App Home and shortcuts to give users the best possible experience.

Regarding security and how the app works:

  • All secrets are encrypted using the OpenPGP standard and are stored only as ciphertext in the app's database (which is itself encrypted at rest).
  • Every secret is encrypted with its own random decode key.
  • The decode key is never stored by the app itself; it is carried as the value of the Reveal Secret button in the message the app bot posts to the conversation. Note that button values are part of the message payload, so the key is readable by anyone who can fetch that message through the Slack API; the app's authorization check is what gates the Reveal action, not secrecy of the key from people with message access.
  • When a user clicks Reveal Secret, the app checks authorization first and only then uses the decode key from the button payload to decrypt the secret.
  • Expired secrets are deleted automatically through their time-to-live (TTL) attribute in AWS DynamoDB.

Challenges I ran into

When the app posts a message to the Slack conversation using response_url, I was not getting the message_ts (message id) back, so I couldn't identify the message in which the decode key was stored. This is needed so that I can fetch those messages and quote or list them again when the user types the /vault command.

As a workaround, I had to use conversations.history to filter through the recent bot messages and match them to the secrets that are still valid.

Accomplishments that I'm proud of

Building a Slack app for the first time, in quite a short time. I've always been interested in learning how to build an integration for Slack, and I'm glad this hackathon motivated me to do it now :).

What's next for Secret Manager for Slack

  • Allow users to edit their secrets if they have not expired.
  • Use Slack's upcoming View Tables to store the encrypted secrets instead of the app's database.