Sesam
Overview
Sesam is a JIRA plugin that offers a secure way of storing, managing and sharing passwords across teams.
You can use the JIRA groups already in place to limit access to certain passwords.
Sesam also offers a way to store a user's more private passwords.
Getting Started
Installation via Atlassian Marketplace
- Go to the Atlassian Marketplace page and search for "Sesam"
- Buy Sesam or use the free 30 day trial option
- The license key is automatically configured into the add-on configuration for free trial licenses. For purchased license keys, see Managing License Key.
Installation via JIRA Plugin Manager
You can also install Sesam through the Universal Plugin Manager. (https://confluence.atlassian.com/display/UPM/Installing+add-ons)
- Log into your JIRA instance as Administrator
- Go to Administration > Add-ons and search for "Sesam" at Find New Add-ons
- Buy Sesam or use the free 30 day trial option
- You can now navigate to Sesam via the link in the header
- The license key is automatically configured into the add-on configuration for free trial licenses. For purchased license keys, see Managing License Key.
License Activation
You can activate your license with the following steps:
- On your JIRA Administration, select Manage Add-Ons.
- Select Sesam from the list of addons. Details about the plugin will be shown.
- Click on "Buy Now" to get yourself a license
AES Key Length
Sesam encrypts with AES-256 only if the Unlimited Strength Jurisdiction Policy is enabled in the JVM that runs JIRA; otherwise it falls back to AES-128.
If you want to enable the Unlimited Strength Jurisdiction Policy, follow these steps:
Java Unlimited Strength Policy
Oracle Java
Before Java 8 Update 151
For Java 8 Update 144 and earlier (the last release before Update 151), you need to install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy files:
- Download the unlimited strength JCE policy files from Oracle
- Extract the downloaded file
- Back up the existing policy JAR files (US_export_policy.jar and local_policy.jar) in $JAVA_HOME/jre/lib/security, so that you can revert to the original limited policy later
- Replace the existing policy JAR files in $JAVA_HOME/jre/lib/security with the extracted unlimited strength policy JAR files
- Restart JIRA: the policy files are read when the JVM starts
Java 8 Update 151 and higher
The Unlimited Strength Jurisdiction Policy files are included but, in Updates 151 to 160, not used by default. To enable them, edit the java.security file in $JAVA_HOME/jre/lib/security (for a JDK) or $JAVA_HOME/lib/security (for a JRE) and uncomment (or add) the line:
crypto.policy=unlimited
Restart JIRA afterwards; the setting is read when the JVM starts. From Java 8 Update 161 on, crypto.policy=unlimited is the shipped default, so no change is needed unless the value has been set to limited.
Java 9
Enabled by default.
OpenJDK
Enabled by default.
Features
Master Password - Unlock Sesam
In order to access the passwords, a user needs to provide the Master Password. This password is used to decrypt the user's protected passwords.
ATTENTION: DO NOT FORGET YOUR MASTER PASSWORD.
Decrypting the stored password information requires at least one Sesam user who can still unlock Sesam with their master password. If no user remembers their master password, the encrypted password information may be lost permanently.
When Sesam is opened for the first time, the user can set the Master Password.
ATTENTION: We highly recommend using a strong password that is not used anywhere else. Keep in mind that this single password protects the whole password database.
Change master password
The master password can also be changed in the preferences.
Forgot Master Password
Sesam allows users to reset their master password.
ATTENTION: Resetting the master password with this workflow risks losing the personal private passwords (see My Passwords).
You can request a reset on the Sesam login screen by clicking the "Forgot password?" link.
An e-mail will be sent to the address specified in your JIRA profile. Follow the link in the e-mail.
NOTE: The reset link in the e-mail is only valid for 30 minutes.
You will be guided to a page where you can enter a new master password.
Groups
A group can contain a number of passwords and subgroups.
Groups can be used to structure password information and to set the corresponding permissions.
For each group the following permission options can be set:
- Read: Grants users read-only access to the passwords in the group.
- Write: Grants users the permission to add new passwords to the group and to update existing passwords.
- Administrator: Grants users the permission to update the group's permissions and to delete the group together with all its passwords. Only users with this permission can invite other people to an existing group.
All of the above permission options can be granted either to specific JIRA users or to JIRA groups, which are most probably already in place in your JIRA instance.
Passwords
A password entry contains the following attributes:
- App name (required): The name describing the password entry.
- Account: The associated account name.
- Password (required): The password itself. It can be generated via the UI.
- Generation strategy: Password generation happens entirely client-side, preferably using the browser's crypto API. At the moment it generates 16-character passwords drawn from:
  - uppercase letters
  - lowercase letters
  - digits
  - the special characters +, - and .
- Tags: Categories (like "Social Media" or "Accounting") that can be used for filtering.
- Mail: The associated e-mail address.
- URL: The URL of the app the password is used for.
- Password Description: Generic description field for additional information.
My Passwords
In contrast to the shared groups, the private space called "My Passwords" cannot be shared with others and is designed to hold personal passwords.
These passwords are encrypted differently from the shared passwords and are not part of any export or backup. Therefore nobody, not even JIRA administrators, has access to this information.
NOTE: Since these passwords can only be accessed by entering the corresponding master password, they can NOT be recovered if the master password is lost.
Time-Bomb Share
In order to share a password with a third party (someone who has no access to your JIRA instance), Sesam provides an external share feature.
A link can be generated that reveals the corresponding password for a defined time period and, optionally, only for a defined number of times.
NOTE: This feature is a more secure and better controllable way to share passwords over insecure channels (like e-mail or chat) than sending them in plain text. However, once the link has been opened the password exists outside Sesam, so we highly recommend changing the password every time it has been shared with a third party.
Link Passwords to JIRA Issues
Sesam provides the ability to link a password within a JIRA issue.
This can simply be done by opening the issue, then clicking the menu entry "More" - "Link". In addition to the default tabs, there is now an additional Sesam tab. After selecting the tab, the password search field can be used to search a password within Sesam.
NOTE: You can only link passwords for which you have at least Read permissions.
Simply select the password in the search and click on "Link" to finish linking the password to the issue. Of course, multiple passwords can be selected and linked to the issue.
Linked Sesam passwords are displayed in the "Issue Links" section. Clicking on the password link directly forwards to the Sesam password detail view, where the password can directly be copied to the clipboard.
Admin - Maintenance
JIRA administrators have access to the "Administration" tab in the preferences.
Manage Groups
A list of all top-level groups in the company space. Admins can edit or delete any company container via this user interface.
NOTE: Private groups and passwords of other users cannot be maintained by JIRA-Administrators
Create Backups
JIRA administrators have access to the Backup & Restore feature. A backup of all shared groups can be created on demand, including subgroups, passwords and associated data (e.g. tags).
We currently support the following file formats for backups:
- JSON
- XML
We store the encrypted backups in the database so that any previously made backup can be restored on demand (see Restore Backups). Backups can also be downloaded by JIRA administrators.
ATTENTION: Downloaded backups are in plain text (only the copy kept in the database is encrypted) and contain every shared password, so they must be stored and handled with caution outside of Sesam.
Backup creation workflow
Restore Backups
Restoring a backup allows JIRA administrators to restore a previously backed up state of Sesam.
NOTE: Prior to any restore, a backup of the current state is created automatically, so the restore can be rolled back.
Restore backups directly from the database
Backups can be restored directly from the entry in the backups table.
Restore exported backups
Downloaded/exported backups are restored by uploading the backup file.
If you check the option "preserve associated password data", Sesam tries to preserve the favorite passwords and the recent passwords for all users.