Sesam

Overview

Sesam is a JIRA plugin that offers a secure way of storing, managing and sharing passwords across teams.
You can easily use the JIRA groups already in place to limit access to certain passwords.
Sesam also offers a way to store a user's more private passwords.

Getting Started

Installation via Atlassian Marketplace

  1. Go to the Atlassian Marketplace page and search for "Sesam"
  2. Buy Sesam or use the free 30-day trial option
  3. The license key is automatically configured into the add-on configuration for free trial licenses. For purchased license keys, see Managing License Key.

Installation via JIRA Plugin Manager

You can also install Sesam through the Universal Plugin Manager. (https://confluence.atlassian.com/display/UPM/Installing+add-ons)

  1. Log into your JIRA instance as Administrator
  2. Go to Administration > Add-ons and search for "Sesam" at Find New Add-ons
  3. Buy Sesam or use the free 30-day trial option
  4. You can now navigate to Sesam via the link in the header
  5. The license key is automatically configured into the add-on configuration for free trial licenses. For purchased license keys, see Managing License Key.

License Activation

You can activate your license with the following steps:

  1. In your JIRA Administration, select Manage Add-ons.
  2. Select Sesam from the list of add-ons. Details about the plugin will be shown.
  3. Click on "Buy Now" to get yourself a license

AES Key Length

A key length of 256-bit is only available if the Unlimited Strength Jurisdiction Policy is enabled; otherwise Sesam falls back to 128-bit.

If you want to enable Unlimited Strength Jurisdiction Policy follow these steps:

Java Unlimited Strength Policy

Oracle Java

Before Java 8 Update 151

For Java 8 Update 144 and earlier, you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files:

  1. Download the unlimited strength JCE policy files from here
  2. Extract the downloaded file
  3. Replace the existing policy JAR files in $JAVA_HOME/jre/lib/security with the extracted unlimited strength policy JAR files

Note: In case you later decide to revert to the original limited policy versions, first make a backup of the original JCE policy files (US_export_policy.jar and local_policy.jar) in $JAVA_HOME/jre/lib/security.

Java 8 Update 151 and higher

The Unlimited Strength Jurisdiction Policy is included but not used by default. To enable it, you need to edit the java.security file in $JAVA_HOME/jre/lib/security (for JDK) or $JAVA_HOME/lib/security (for JRE). Uncomment (or include) the line:

crypto.policy=unlimited

Java 9

Should be enabled by default.

OpenJDK

Should be enabled by default.
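To check which key length a given JVM actually grants, here is an added example (not part of Sesam) that queries the JCE limit, applies the 256-or-128 fallback described above, and round-trips a constructed sample through AES/GCM with that key size; run it with the same Java installation that JIRA uses.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Added example, not Sesam's code: reproduce the 256-bit-or-128-bit fallback and verify it on this JVM. */
public class AesKeyLengthCheck {
    /** 256 when the unlimited policy is active (getMaxAllowedKeyLength returns Integer.MAX_VALUE), else 128. */
    static int selectAesKeyLength() throws Exception {
        int max = Cipher.getMaxAllowedKeyLength("AES");
        return max >= 256 ? 256 : 128;
    }

    /** Encrypts and decrypts a sample with AES/GCM at the given key size, proving the JVM really accepts it. */
    static boolean roundTrip(int keyBits, String plaintext) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(keyBits);
        SecretKey key = kg.generateKey();
        byte[] iv = new byte[12];                              // 96-bit nonce, the size GCM is specified for
        new SecureRandom().nextBytes(iv);
        GCMParameterSpec spec = new GCMParameterSpec(128, iv); // 128-bit authentication tag
        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, key, spec);
        byte[] ciphertext = enc.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
        dec.init(Cipher.DECRYPT_MODE, key, spec);
        byte[] recovered = dec.doFinal(ciphertext);
        return Arrays.equals(recovered, plaintext.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // crypto.policy exists from 8u151 on ("limited" or "unlimited"); older JVMs return null here.
        System.out.println("crypto.policy property: " + Security.getProperty("crypto.policy"));
        System.out.println("max allowed AES key length: " + Cipher.getMaxAllowedKeyLength("AES"));
        int bits = selectAesKeyLength();
        System.out.println("key length Sesam would use: AES-" + bits);
        if (bits < 256) {
            System.out.println("Unlimited Strength Jurisdiction Policy is not active on this JVM.");
        }
        // Constructed sample plaintext; nothing here touches a real Sesam database.
        System.out.println("AES-" + bits + "/GCM round trip ok: " + roundTrip(bits, "constructed sample secret"));
    }
}
```

Compile and run it as the JIRA service user so that it picks up the same $JAVA_HOME and java.security file the application server uses.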

Features

Master Password - Unlock Sesam

In order to access the passwords, a user needs to provide the Master Password. This password is used to decrypt the user's protected passwords.

ATTENTION DO NOT FORGET YOUR MASTER PASSWORD.

In order to decrypt the stored password information, at least one Sesam user needs to be logged in. If no user remembers the Sesam master password, the encrypted password information may be lost permanently.

When Sesam is opened the first time, the user can set the Master Password.


ATTENTION We highly recommend using a strong password that is not used anywhere else. Keep in mind that this single password protects the whole password database.

Change master password

The master password can also be changed in the preferences.

Forgot Master Password

Sesam allows users to reset their master password.

Attention: There is a risk of losing personal private passwords when resetting the master password with this workflow.


Resetting your master password is easy: you can request a reset on the Sesam login screen by clicking the "Forgot password?" link.


An e-mail will be sent to the address specified in your JIRA profile. Simply follow the link in the e-mail.

NOTE: The reset link in the e-mail is only valid for 30 minutes.

You will be guided to a site where you can enter a new master password.


Groups

A group can contain a number of passwords and subgroups.

Groups can be used to structure password information and to set the corresponding permissions.

For each group the following permission options can be set:

  • Read
    Grants users read-only access to the passwords in the group.
  • Write
    Grants users the permission to add new passwords to the group and update existing passwords.
  • Administrator
    Users with this permission are able to update the permissions and to delete the group and all its passwords. (Note: Only users with this permission can invite other people to an existing group.)

All of the above permission options can be granted either to specific JIRA users or to JIRA groups, which are most likely already in place in your JIRA instance.

Passwords


A password entry contains the following attributes:

  • App name (required)
    The name describing the password entry.
  • Account
    The associated account name.
  • Password (required)
    The password itself. It can be generated via the UI.
    • Generation strategy
      Password generation happens entirely on the client side, preferably using the browser's crypto API. At the moment it generates 16-character passwords including
      • Uppercase letters
      • Lowercase letters
      • Digits
      • Special characters:
        • +
        • -
        • .
  • Tags
    Categories (like "Social Media" or "Accounting") that can be used for filtering.
  • Mail
    The associated e-mail address.
  • URL
    The URL for the app the password is used for.
  • Password Description
    Generic description field, to add additional information.
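As an added illustration of the generation strategy above (not the plugin's own client code, which runs in the browser), the following Java program draws from the same 65-symbol alphabet with rejection sampling so that no symbol is favoured; the retry until all four character classes appear is an assumption, since the docs only say the password includes them.

```java
import java.security.SecureRandom;

/** Added example, not Sesam's code: 16-character passwords from the documented alphabet, without modulo bias. */
public class PasswordGenerator {
    static final String UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    static final String LOWER = "abcdefghijklmnopqrstuvwxyz";
    static final String DIGITS = "0123456789";
    static final String SPECIAL = "+-.";
    static final String ALPHABET = UPPER + LOWER + DIGITS + SPECIAL; // 65 symbols

    // Largest multiple of 65 that fits in an unsigned byte (195). Bytes >= LIMIT are discarded, because
    // taking b % 65 over the full 0..255 range would make the first 61 symbols slightly more likely.
    static final int LIMIT = 256 - (256 % ALPHABET.length());
    static final SecureRandom RNG = new SecureRandom();

    /** Uniformly picks symbols from ALPHABET until the requested length is reached. */
    static String generate(int length) {
        StringBuilder sb = new StringBuilder(length);
        byte[] buf = new byte[1];
        while (sb.length() < length) {
            RNG.nextBytes(buf);
            int b = buf[0] & 0xFF;
            if (b < LIMIT) {
                sb.append(ALPHABET.charAt(b % ALPHABET.length()));
            }
        }
        return sb.toString();
    }

    /** True when at least one uppercase letter, lowercase letter, digit and special character is present. */
    static boolean hasAllClasses(String pw) {
        return pw.chars().anyMatch(c -> UPPER.indexOf(c) >= 0)
            && pw.chars().anyMatch(c -> LOWER.indexOf(c) >= 0)
            && pw.chars().anyMatch(c -> DIGITS.indexOf(c) >= 0)
            && pw.chars().anyMatch(c -> SPECIAL.indexOf(c) >= 0);
    }

    /** Assumption, not stated by the docs: regenerate until every class appears. Each draw stays uniform. */
    static String generateWithAllClasses(int length) {
        String pw;
        do {
            pw = generate(length);
        } while (!hasAllClasses(pw));
        return pw;
    }

    public static void main(String[] args) {
        System.out.println(generateWithAllClasses(16));
    }
}
```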

My Passwords

In contrast to the shared groups, the private space called "My Passwords" cannot be shared with others and is designed to hold personal passwords.

Those passwords are encrypted in a different way than the shared passwords and are not part of any export. Therefore, nobody (not even administrators) has access to this information.

NOTE: Since those passwords can only be accessed by entering the corresponding master password, they can NOT be recovered if the master password is lost.

Time-Bomb Share

In order to share a password with a third party (someone who has no access to your JIRA instance), Sesam provides an external share feature.

A link can be generated that reveals the corresponding password for a defined time period and, optionally, only for a defined number of times.

NOTE: This feature offers a more secure and better controllable way to share passwords over insecure channels (like e-mail or chat) than sending them directly in plain text; however, we highly recommend changing the password every time it has been shared with third parties.

Link Passwords to JIRA Issues

Sesam provides the ability to link a password within a JIRA issue.

This can simply be done by opening the issue, then clicking the menu entry "More" - "Link". In addition to the default tabs, there is now an additional Sesam tab. After selecting the tab, the password search field can be used to search a password within Sesam.

NOTE: You can only link passwords for which you have at least Read permissions.

Simply select the password in the search and click on "Link" to finish linking the password to the issue. Of course, multiple passwords can be selected and linked to the issue.

Linked Sesam passwords are displayed in the "Issue Links" section. Clicking on the password link directly forwards to the Sesam password detail view, where the password can directly be copied to the clipboard.

Admin - Maintenance

JIRA Administrators have access to the "Administration" tab in the preferences.

Manage Groups

A list of all top-level groups in the company space. Admins can edit or delete any company container via this user interface.

NOTE: Private groups and passwords of other users cannot be maintained by JIRA Administrators.

Create Backups

JIRA Admins have access to the Backup & Restore feature. A backup of all shared groups can be created on demand, including subgroups, passwords and associated data (e.g. tags).

We currently support the following file formats for backups:

  • JSON
  • XML

We save the encrypted backups in the database, so we are able to restore any previously made backup on demand (see Restore Backups). Backups can also be downloaded by JIRA Administrators.

ATTENTION Downloaded backups are in plain text; therefore, they need to be stored and handled with caution outside of Sesam.

Backup creation workflow

Restore Backups

Restoring a backup allows JIRA administrators to restore a previously backed up state of Sesam.

NOTE: Prior to any restore a backup of the current state will be automatically created, therefore, the restore can be rolled back.

Restore backups directly from the database

Backups can be restored directly from the entry in the backups table.

Restore exported backups

Downloaded/exported backups are restored by uploading the backup file.
If you check the option "preserve associated password date", Sesam tries to preserve the favorite passwords and the recent passwords for all users.