This helper program supports the E2EE configuration for the BlindFold Chrome Extension v1.0.2 by securely storing device keys in OS-native encrypted vaults:
- macOS: Keychain
- Linux: Secret Service API (GNOME Keyring / KDE Wallet)
- Windows: Credential Manager
Download the latest release from the Releases page.
- macOS:
  - dragpass-keeper-macos-x86_64.pkg (Intel)
  - dragpass-keeper-macos-arm64.pkg (Apple Silicon)
- Linux:
  - dragpass-keeper-linux-x86_64.deb (x86_64/amd64)
  - dragpass-keeper-linux-arm64.deb (ARM64)
- Windows:
  - dragpass-keeper.exe (x64 installer)
All release packages are signed with GPG for security. We strongly recommend verifying the integrity of downloaded files.
# Download and import the public key
curl https://raw.githubusercontent.com/personalconnect/dragpass-keeper/main/GPG_PUBLIC_KEY.asc | gpg --import
Or import manually from GPG_KEYSPUBLIC_KEY.asc.
Key Fingerprint: 66DF 4017 8A5F 6F66 EAAF 318A 3FC4 1856 9192 8FDC
Confirm that the imported key shows this fingerprint before relying on a "Good signature" result.
# For macOS (Intel)
gpg --verify dragpass-keeper-macos-x86_64.pkg.sig dragpass-keeper-macos-x86_64.pkg
# For macOS (Apple Silicon)
gpg --verify dragpass-keeper-macos-arm64.pkg.sig dragpass-keeper-macos-arm64.pkg
# For Linux (x86_64)
gpg --verify dragpass-keeper-linux-x86_64.deb.sig dragpass-keeper-linux-x86_64.deb
# For Linux (ARM64)
gpg --verify dragpass-keeper-linux-arm64.deb.sig dragpass-keeper-linux-arm64.deb
# For Windows
gpg --verify dragpass-keeper.exe.sig dragpass-keeper.exe
You should see output like:
gpg: Good signature from "JinHyeok Hong <vjinhyeokv@gmail.com>" [ultimate]
After installing the .pkg file, the following files are created:
- /Library/Application Support/DragPass/dragpass-keeper - Main executable
- /Library/Application Support/Google/Chrome/NativeMessagingHosts/com.dragpass.keeper.json - Chrome Native Messaging manifest
Key Storage: macOS Keychain
After installing the .deb file, the following files are created:
- /opt/dragpass/dragpass-keeper - Main executable
- /etc/opt/chrome/native-messaging-hosts/com.dragpass.keeper.json - Chrome manifest
- /etc/chromium/native-messaging-hosts/com.dragpass.keeper.json - Chromium manifest
Key Storage: Secret Service API (GNOME Keyring / KDE Wallet)
After running the .exe installer, the following files are created:
64-bit System:
- C:\Program Files\DragPass\dragpass-keeper.exe - Main executable
- com.dragpass.keeper.json - Chrome Native Messaging manifest
- unins000.exe - Uninstaller
- unins000.dat - Uninstaller data
32-bit System:
- C:\Program Files (x86)\DragPass\dragpass-keeper.exe - Main executable
- com.dragpass.keeper.json - Chrome Native Messaging manifest
- unins000.exe - Uninstaller
- unins000.dat - Uninstaller data
Key Storage: Windows Credential Manager
DragPass Keeper communicates with the Chrome extension via the Native Messaging protocol. All messages use an envelope pattern for better type safety and extensibility.
Request (Envelope Pattern):
{
"action": "action_name",
"payload": {
// action-specific fields
}
}
Success Response:
{
"success": true,
"data": {
// action-specific response data
}
}
Error Response:
{
"success": false,
"error": "error message"
}
Check if the DragPass Keeper is running and responsive.
Request:
{
"action": "ping"
}
Response:
{
"success": true,
"data": {
"version": "0.0.6",
"hash": "binary_sha256_hash",
"path": "/path/to/dragpass-keeper"
}
}
Stores the device encryption key in the OS keystore.
Request:
{
"action": "savedevicekey",
"payload": {
"key": "base64_encoded_device_key"
}
}
Response:
{
"success": true
}
Retrieves the stored device encryption key.
Request:
{
"action": "getdevicekey"
}
Response:
{
"success": true,
"data": {
"key": "base64_encoded_device_key"
}
}
Removes the device encryption key from the keystore.
Request:
{
"action": "deletedevicekey"
}
Response:
{
"success": true
}
Generates a new RSA-2048 keypair for the Helper. Requires server signature verification.
Request:
{
"action": "generatekeypair",
"payload": {
"challenge_token": "server_provided_challenge_token",
"signature": "base64_server_signature"
}
}
Response:
{
"success": true,
"data": {
"publickey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
}
}
Notes:
- Verifies the signature using the server's public key
- Deletes the existing session code and keypair before generating a new one
- Stores both private and public keys in the OS keystore
Retrieves the Helper's public key.
Request:
{
"action": "getpublickey"
}
Response:
{
"success": true,
"data": {
"publickey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
}
}
Retrieves the server's public key that is stored in the OS keystore.
Request:
{
"action": "getserverpubkey"
}
Response:
{
"success": true,
"data": {
"publickey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
}
}
Notes:
- The server public key is hardcoded in the binary and initialized on first run
- This key is used to verify signatures from the server
- Stored in OS-native keystore for retrieval
Promotes pending keypair to permanent storage and saves the session code. Used during both signup and login-on-another-device flows.
Request:
{
"action": "savesessioncode",
"payload": {
"encrypted_session_code": "base64_encrypted_session_code",
"signature": "base64_server_signature"
}
}
Response:
{
"success": true,
"data": {
"session_code": "decrypted_session_code"
}
}
Process:
- Verifies signature using server's public key
- Promotes pending keypair to permanent storage (if exists from signup)
  - Signup flow: Pending keypair exists → Promoted ✅
  - Login-on-another-device flow: No pending keypair → Skipped ✅
- Decrypts the session code using Helper's private key (RSA-OAEP with SHA-256)
- Stores the decrypted session code in the OS keystore
- Returns the decrypted session code
Notes:
- This action completes the two-phase commit for signup keypair lifecycle
- Safe for both signup and login-on-another-device flows
Retrieves the stored session code.
Request:
{
"action": "getsessioncode"
}
Response:
{
"success": true,
"data": {
"session_code": "stored_session_code"
}
}
Generates a keypair and signs the user alias. Used during signup. Uses pending storage to prevent orphaned keys if signup fails.
Request:
{
"action": "signalias",
"payload": {
"alias": "user_alias"
}
}
Response:
{
"success": true,
"data": {
"signature": "base64_signature",
"publickey": "-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----"
}
}
Process:
- Checks if device is already registered (keypair + session code exist)
- Generates a new RSA-2048 keypair
- Stores keypair in pending storage (not permanent yet)
- Signs the alias using the pending private key (RSA PKCS#1 v1.5 with SHA-256)
- Returns the signature and pending public key
Notes:
- Keypair is stored in pending storage and will be promoted to permanent storage by savesessioncode
- If signup fails (e.g., 409 Conflict), the pending keypair can be safely overwritten on retry
- This prevents orphaned keypairs in the OS keystore when signup fails
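The pending-then-promote lifecycle that savesessioncode and signalias describe, as an added Go example (not the project's code). An in-memory Vault stands in for the OS keystore, alias signing is left out, the server-signature check is assumed to have passed before SaveSessionCode runs, and all type and function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Vault stands in for the OS keystore items named on this page.
type Vault struct {
	Pending, Keeper *rsa.PrivateKey // pending_keeper_private_key, keeper_private_key
	SessionCode     string          // session_code
}

// BeginSignup is phase one (signalias): a retry just replaces the pending key.
func BeginSignup(v *Vault) (err error) {
	if v.Keeper != nil && v.SessionCode != "" {
		return errors.New("device already registered")
	}
	v.Pending, err = rsa.GenerateKey(rand.Reader, 2048)
	return err
}

// SaveSessionCode is phase two, assumed to run after the server signature verified.
func SaveSessionCode(v *Vault, enc []byte) (string, error) {
	if v.Pending != nil { // signup flow: promote, then clear the pending slot
		v.Keeper, v.Pending = v.Pending, nil
	} else if v.Keeper == nil { // other-device flow needs an existing key
		return "", errors.New("no keypair to decrypt with")
	}
	code, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, v.Keeper, enc, nil)
	if err == nil {
		v.SessionCode = string(code)
	}
	return string(code), err
}

// Seal plays the server (constructed for the demo): RSA-OAEP with SHA-256.
func Seal(to *rsa.PublicKey, code string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, []byte(code), nil)
}

func main() {
	v := &Vault{}
	_ = BeginSignup(v)
	enc, _ := Seal(&v.Pending.PublicKey, "code-123") // constructed session code
	fmt.Println(SaveSessionCode(v, enc))
}
```

A failed signup leaves only the pending slot populated, so the permanent key is never replaced by a keypair the server did not accept.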
Signs the user alias with the current timestamp. Used for login authentication.
Request:
{
"action": "signaliaswithtimestamp",
"payload": {
"alias": "user_alias"
}
}
Response:
{
"success": true,
"data": {
"signature": "base64_signature",
"timestamp": 1234567890
}
}
Process:
- Generates the current Unix timestamp
- Creates payload: "alias:timestamp"
- Signs the payload using Helper's private key
- Returns the signature and timestamp
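A verifier-side check for this login signature, as an added Go example (not DragPass code): it rebuilds "alias:timestamp", verifies RSA PKCS#1 v1.5 with SHA-256, and bounds replay with a freshness window. The function names, the 60-second window, decimal Unix seconds in the payload and the rule refusing ':' in an alias are assumptions, not taken from the project.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// maxSkew is an assumed freshness window in seconds; the page sets none.
const maxSkew = 60

// SignLogin plays the Helper: sign "alias:timestamp", return base64.
func SignLogin(priv *rsa.PrivateKey, alias string, ts int64) (string, error) {
	d := sha256.Sum256([]byte(fmt.Sprintf("%s:%d", alias, ts)))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return base64.StdEncoding.EncodeToString(sig), err
}

// VerifyLogin is a hypothetical verifier-side check; now is Unix seconds.
func VerifyLogin(pub *rsa.PublicKey, alias string, ts int64, sigB64 string, now int64) error {
	if alias == "" || strings.Contains(alias, ":") { // ':' would make the payload ambiguous
		return errors.New("invalid alias")
	}
	if ts < now-maxSkew || ts > now+maxSkew { // bound replay in both directions
		return errors.New("timestamp outside freshness window")
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	d := sha256.Sum256([]byte(fmt.Sprintf("%s:%d", alias, ts)))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) != nil {
		return errors.New("bad signature")
	}
	return nil
}

// DemoKey returns a throwaway RSA-2048 key (constructed for the demo).
func DemoKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func main() {
	k, _ := DemoKey()
	now := int64(1700000000) // constructed clock value
	sig, _ := SignLogin(k, "alice", now)
	fmt.Println("fresh:", VerifyLogin(&k.PublicKey, "alice", now, sig, now))
	fmt.Println("replayed:", VerifyLogin(&k.PublicKey, "alice", now, sig, now+600))
}
```

Because the timestamp is inside the signed payload, a captured signature stops verifying once it falls outside the window, and changing the timestamp invalidates the signature.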
Verifies and signs a challenge token. Used for login verification.
Request:
{
"action": "signchallengetoken",
"payload": {
"challenge_token": "server_challenge_token",
"signature": "base64_server_signature"
}
}
Response:
{
"success": true,
"data": {
"signature": "base64_helper_signature"
}
}
Process:
- Verifies the server's signature on the challenge token using server's public key
- Signs the challenge token using Helper's private key
- Returns the Helper's signature
- RSA Key Size: 2048 bits
- Private Key Format: PKCS#8 PEM
- Public Key Format: PKIX PEM
- Signature Algorithm: RSA PKCS#1 v1.5 with SHA-256
- Encryption Algorithm: RSA-OAEP with SHA-256
- Hash Function: SHA-256
macOS Keychain:
Service: com.dragpass.keeper
Items:
- server_public_key (DragPassServerPublicKey)
- keeper_private_key (DragPassKeeperPrivateKey)
- keeper_public_key (DragPassKeeperPublicKey)
- pending_keeper_private_key (PendingDragPassKeeperPrivateKey) - Temporary during signup
- pending_keeper_public_key (PendingDragPassKeeperPublicKey) - Temporary during signup
- device_key (DeviceKey)
- session_code (SessionCode)
Linux Secret Service:
Collection: default keyring
Schema: com.dragpass.keeper
Items:
- server_public_key (DragPassServerPublicKey)
- keeper_private_key (DragPassKeeperPrivateKey)
- keeper_public_key (DragPassKeeperPublicKey)
- pending_keeper_private_key (PendingDragPassKeeperPrivateKey) - Temporary during signup
- pending_keeper_public_key (PendingDragPassKeeperPublicKey) - Temporary during signup
- device_key (DeviceKey)
- session_code (SessionCode)
Windows Credential Manager:
Target Prefix: com.dragpass.keeper
Credentials:
- server_public_key (DragPassServerPublicKey)
- keeper_private_key (DragPassKeeperPrivateKey)
- keeper_public_key (DragPassKeeperPublicKey)
- pending_keeper_private_key (PendingDragPassKeeperPrivateKey) - Temporary during signup
- pending_keeper_public_key (PendingDragPassKeeperPublicKey) - Temporary during signup
- device_key (DeviceKey)
- session_code (SessionCode)
Notes:
- Pending keys are automatically deleted after promotion to permanent storage
- Pending keys prevent orphaned keys when signup fails (e.g., 409 Conflict errors)
