Password-based Tink-tool

Google's Tinkey, the tool for managing Google Tink keys, depends on remote key stores to keep your keys secure. This tool instead uses passwords to protect the private keys and stores them directly on the user's own computer. It is also a good example of how Tink can be used.

Tink, Google's cryptography library, makes it easy to work with encryption and digital signatures in your own project, but their tool Tinkey for handling your keys securely is not so easy to use, if you ask me. When I tried it I had to build the code myself, after downloading multiple other tools required by the build process, taking up multiple gigabytes together. Tinkey does not even handle your keys directly; you need a remote key store for that.

That's why I created this Tink tool. There is a ready-to-run .jar file with only a few dependencies, and it removes the need for a remote key store by using a password to encrypt the private key and store it on the user's own computer. The feature set is limited, however, to creating new keys and using them to create and verify digital signatures.

I am not a security expert, but I believe the security level is high. When the user picks a password for a new key, it is hashed together with a random salt, and the first 256 bits of the hash are used as a temporary key that encrypts the user's new private key (the public key is saved unencrypted; it is public). Only the encrypted private key and the salt are saved, never the password or the hash. The private key can only be decrypted again if the user enters the correct password, because only then does hashing it with the stored salt reproduce the same hash, and therefore the same temporary key, as when the private key was created. Any other password produces a different hash, hence a different temporary key, and the decryption fails. Note that the salt is stored next to the encrypted key, so anyone who copies the key file can try passwords offline at their own pace; the strength of the password and the cost of computing the hash are all that stands between them and the private key. The weakest point is likely the user's choice of password...

Read more on the GitHub project page!