Qvault Is an Open Source Tool to Manage Passwords and Crypto Keys

Copied URL with current time.
0:00 / 0:00
avatars/lane-wagner.jpg
Lane Wagner
https://qvault.io/

In this episode of Running in Production, Lane Wagner goes over how he built Qvault which is an open source password manager that specializes in cryptocurrency. It’s built with Electron and has a Serverless component that uses Golang. It’s all hosted on AWS.

If you were ever wondering how Serverless works in the context of building a native or web application this episode has you covered. Lane talks about how a bunch of different AWS services all come together to make it work. We also talk about a Serverless framework called Serverless!

Topics Include

  • 1:03 – Qvault is an Electron based password manager with a focus on cryptocurrency
  • 2:16 – The focus has been a secure desktop app but a browser extension is coming soon
  • 2:45 – Creating a secure browser extension without sharing your master key
  • 3:12 – It’s an open source app, so if you’re skeptical you can compile it yourself
  • 3:46 – Motivation for using Golang for the Serverless component
  • 5:00 – For personal projects learning something new (Serverless) is worthwhile
  • 5:48 – The TL;DR on what Serverless is and how it works
  • 6:49 – AWS API Gateway helps map Serverless functions to HTTP requests
  • 7:05 – Instead of 1 app with many routes, you have many individual functions
  • 7:50 – A Serverless framework called Serverless helps tie everything together
  • 8:33 – Tying in a Serverless function to a specific URL endpoint
  • 9:25 – Calling these URL endpoints from the Electron app is like any other REST API
  • 10:40 – What’s being executed within these Serverless functions?
  • 11:12 – When it comes to Bitcoin and cryptocurrencies, it’s all about privacy and security
  • 12:13 – Passwords are encrypted client side in the Electron app
  • 13:17 – Encrypted vault file gets saved client side and it’s optionally saved server side too
  • 14:01 – This data is stored inside of PostgreSQL using RDS within AWS
  • 14:20 – Electron app -> API endpoint -> Serverless function -> data gets written to Postgres
  • 14:49 – Using a managed database vs managing your own database
  • 15:28 – The developer / development experience for writing Serverless functions
  • 17:41 – When hacking on a new Serverless function, it just gets pushed to production
  • 18:37 – The 2 biggest Serverless wins are function isolation and scaling auto-magically
  • 18:56 – Serverless scales to the size of your wallet
  • 19:21 – But it also costs nothing if no one is using it
  • 20:02 – The turn around time for AWS to spin up an environment to run a Serverless function
  • 20:35 – Function warming helps keep spin up times to milliseconds
  • 21:44 – There are tricks to keep your functions warm to avoid a multi-second spin up time
  • 22:21 – For Qvault’s API, response times were never a problem partly due to using Golang
  • 22:53 – The Electron app is written in JavaScript using Vue
  • 23:28 – Electron is basically a browser bundled with a specific JavaScript app
  • 23:56 – Electron apps can be pretty bloated but it’s super convenient to develop with
  • 24:45 – On Arch someone made a package that tries to use what you have installed already
  • 25:43 – A recap of which AWS services are being used
  • 26:02 – Using Route 53 on AWS for DNS hosting saves a lot of headaches
  • 27:15 – Wait, how is CloudFront (Amazon’s CDN) being used on the back-end?
  • 28:24 – It’s not, but CloudFormation is (it’s so easy to mix up AWS service names!)
  • 28:33 – The TL;DR on what CloudFormation is, how it’s being used and why it’s useful
  • 29:29 – Serverless framework converts platform agnostic configs into platform specific configs
  • 30:03 – CloudFormation is especially handy for Serverless due to the number of endpoints
  • 30:44 – Every Serverless endpoint is being served over HTTPS with Amazon’s ACM SSL certs
  • 31:31 – There are no external software as a service dependencies besides what’s on AWS
  • 32:04 – For logging, error reporting and metrics it’s all AWS services
  • 32:36 – Getting logs from a Serverless function involves using CloudWatch and S3
  • 32:53 – One nice thing about Serverless is there’s no long running state
  • 33:45 – Strategies for dealing with database migrations with a Serverless set up
  • 34:53 – Dealing with long running migrations that surpass AWS Lambda’s 15 minute timeout
  • 36:41 – Lane is a big fan of CI / CD and the master branch always matching production
  • 37:13 – A CI pipeline is being used for the Electron app with Travis CI
  • 37:28 – The Electron app has an auto-update function to check for updates on demand
  • 38:09 – The Serverless side of things doesn’t change much and there is no CI pipeline
  • 38:42 – The turn around time is nearly instant for a new function version to take effect
  • 39:59 – The Serverless framework sets environment variables for secret / sensitive values
  • 41:01 – The work flow for changing a sensitive value to an existing Serverless function
  • 43:18 – Dealing with disasters and malicious users
  • 44:00 – Qvault hashes passwords before it’s sent to the server
  • 45:50 – Running all of this on AWS costs in between $20 and $30 / month
  • 46:36 – On AWS it’s easy to upgrade to a larger instance size but it’s hard to downgrade
  • 46:42 – The RDS instance is running on a t2.micro since the DB is very simple
  • 47:34 – Most of the app’s complexity is client side in the Electron app
  • 48:10 – There’s 53k+ lines of code but that includes the node_modules/ directory
  • 48:37 – The app itself has about 3-5k lines of code across ~40 files
  • 49:01 – The complexity being on the front-end is necessary due to security requirements
  • 49:32 – Lessons learned? Serverless couples your app logic to your provider, it’s not great
  • 50:48 – There’s a lot of DevOps complexity where you trade 1 ops problem for another
  • 51:25 – But Serverless is likely easier to set up than an entire Kubernetes cluster
  • 51:39 – That being said, Serverless is very cost effective for low traffic APIs
  • 52:12 – Lane would likely choose Serverless again for his specific use case
  • 52:29 – Another nice thing about Serverless is not having to worry about scaling up
  • 53:08 – Should you use Serverless for a traditional web application?
  • 53:46 – It really depends on what you care about, such as cost vs development speed
  • 54:16 – Serverless can get really expensive at larger scale (more so than regular hosting)
  • 55:39 – You can find Lane on Twitter at @wagslane and his app can be found at qvault.io
📄 References
⚙️ Tech Stack

Support the Show

This episode does not have a sponsor and this podcast is a labor of love. If you want to support the show, the best way to do it is to purchase one of my courses or suggest one to a friend.

  • Dive into Docker is a video course that takes you from not knowing what Docker is to being able to confidently use Docker and Docker Compose for your own apps. Long gone are the days of "but it works on my machine!". A bunch of follow along labs are included.
  • Build a SAAS App with Flask is a video course where we build a real world SAAS app that accepts payments, has a custom admin, includes high test coverage and goes over how to implement and apply 50+ common web app features. There's over 20+ hours of video.

Questions

Dec 09, 2019

✏️ Edit on GitHub