Signet is an open hardware USB password manager that uses free and open source software. All data on Signet is fully encrypted and must be unlocked with your device password. It also adds physical security to your passwords by requiring the device's button to be pressed before any secret data is released. It then acts as a USB keyboard to type your data when you need it.
In a hurry? See the FAQ below.
This project is certified open source hardware by the Open Source Hardware Association.
It works while you are offline as well as online, and can be unplugged when you're not using it. Signet is not limited to passwords, it can also store other small pieces of information such as credit card information, account numbers, or anything else you want to store in a place with extra security.
When accessing the Signet via the client, it looks much like a traditional password manager, but behind the scenes, all the secrets are encrypted and stored on the Signet device.
Signet hardware can be purchased from my store using Bitcoin. This is my preferred payment on account of the inflation in the US combined with the fact that both payment processors and marketplaces each take significant fees. As such, it's also the cheapest option for you.
Hardware is also available for purchase on Artisans.coop. The Artisans marketplace accepts credit cards and some of the fees go to the Artisans Cooperative, which is a fiercely independent group of people!
Frequently Asked Questions (FAQ)
Q: How is it different from Yubikey, Google Titan, and the others?
A: Signet stores passwords, while these other devices do not (or if they do, they only store a very small number of passwords). Signet is also open source hardware and software, has a minimal attack surface, and is generally less expensive and more stable than even the commercial offerings. On the flip side, Signet does not act as a signing device (e.g. FIDO2/Passkey). So the different devices serve different purposes. When you can use a signing device instead of a password, you should probably do so; however, there are tons of places where signing keys won't do, and you really need a password. The closest alternative would be the NitroKey, which is also completely open source and can act as a signing device. However, NitroKey can only store 16 passwords whereas Signet can handle hundreds.
Q: Is Signet compatible with Qubes?
A: Yes. However, there is currently a bug in Qubes which causes the device to be attached incorrectly to a qube the first time. To work around this, you can either attach/detach/attach it each time you plug in the device, or run qvm-service --enable sys-usb usb-reset-on-attach in dom0 to effectively do this automatically.
Q: What cryptographic algorithms does Signet use?
A: All data is stored encrypted at rest (AES-256 in CBC mode). The key to unlock the device is derived from your device password using scrypt. For those not familiar, "scrypt is maximally hard against brute force attacks." Importantly, no secrets are stored unencrypted on the device, thus there's no need to rely on any type of secure element to keep your data safe. This is by design. The lone exception to this are the four "password slots" which should not be used except in rare circumstances. This feature is documented here.
Q: What's the deal with short button presses versus long presses?
A: A short button press will only allow access to a single password
entry. A long button press will allow access to multiple entries for
operations such as wiping a device, backing it up or restoring from a
backup. This ensures that if you use a compromised computer and it tries
to request a backup when you think it's requesting a single entry, you are
able to tell the difference. Your short press will not be sufficient and you
will be alerted that something is wrong.
Q: Why aren't updates being pushed out every week?
A: This is a philosophical difference of opinion. We feel that
software should be stable and not require constant updates (which hopefully
fix old bugs and possibly introduce new ones). When there is a bug in our code,
we will fix it. However, we have no intention of bolting on tons of extra
features. That's something proprietary products do to pad out their marketing
and it's exactly why they have so many vulnerabilities which require critical
updates all the time.
Q: Can Signet generate TOTP codes for 2FA?
A: Currently, no. This is something that may be added in the future,
despite our desire to keep things as simple and stable as possible (see
answer above).
Q: Does it work on Android?
A: Yes and no. There is an APK which works fine if you can install it. Sadly, the latest version of Android refuses to let it install and we are currently looking for help with the Android build.
Project History
The original development was done by Nth Dimension in 2017 as a crowdfunded project on Crowdsupply.
Since then it has been revived by Adam at Hax0rbana, who is the current developer/maintainer of the hardware, software and firmware as well as the primary producer of the hardware.