TurtlPass Firmware provides a simple and secure way of generating passwords using a deterministic key derivation function (HKDF) as specified in RFC 5869.
- Generates unique, secure passwords from a simple input hash
- 100 characters long, including a combination of lowercase and uppercase letters, as well as numbers
- Seed material stored in flash memory for added security
- Automatically types the password for you, so you don't have to
- Erases the password from memory after use, for extra peace of mind
- Easy to integrate into your existing projects with USB serial port connectivity
- RP2040 Board: both Raspberry Pi Pico and Adafruit Trinkey QT2040 have been tested ✅
- USB OTG Cable / Adapter
- Cover/Case (optional)
- ON: Operational (default)
- PULSING: Password ready to type
- BLINKING: Typing... (fast blink)
- OFF: No power input
If your board has an RGB LED, it is possible to switch seeds by pressing the BOOTSEL button on the board (in the ON state only). Here are the 6 available colors:
- 🟢 Green (default)
- 🟡 Yellow
- 🔴 Red
- 🔵 Blue
- ⚪ White
- 🟣 Magenta
The Arduino IDE 1.8.19 can be downloaded from this link
Version 1.8.X is required beforehand to ensure that device drivers are installed correctly, but 2.X can be used once the following steps are completed.
- Open File -> Preferences -> Settings
- Insert the following link into the Additional Boards Manager URLs: https://github.com/earlephilhower/arduino-pico/releases/download/global/package_rp2040_index.json
- Hit OK to close the dialog
- Go to Tools -> Board -> Boards Manager...
- Search for "pico"
- Install the Raspberry Pi Pico/RP 2040 package
- Go to Tools -> Board -> Raspberry Pi RP2040 Boards(1.9.5)
- And select Raspberry Pi Pico
- Go to Tools -> Manage Libraries...
- Search for "arduinolibs crypto"
- Install the Crypto library
- Run the bash script ./generate_seed_file.sh to generate a new seed file Seed.cpp.<timestamp> on a computer with macOS or Linux.
- Rename the generated file to Seed.cpp.
- Open turtlpass-firmware.ino with Arduino IDE on a computer. If this is the first time, select the appropriate Board and Serial Port in the Arduino menu Tools.
- Connect the Raspberry Pi Pico to a computer with a micro-USB to USB-C cable. To upload your first sketch, you will need to hold the BOOTSEL button down while plugging in the Pico to a computer.
- Click the Upload icon to upload the sketch to the Pico
- The sketch should be transferred and start to run.
- Open the Serial Monitor console. Settings: Newline and 115200 baud rate
- Type, for example, /0 and send it
- You should get a response saying OK and the LED should be PULSING
- Now press the button on the Pico and the password should be typed (wherever the focus is)
Having multiple devices with the same seed can serve as a backup, similar to having multiple copies of your house key. One device can be kept in a secure location while another one is for daily use.
Alternatively, you can store the seed file elsewhere, but it is best to let the device store the seed offline for added security.
It's important to remember that if someone has physical access to the device, they may be able to compromise it with enough time and effort. However, even if the device is compromised, it is still hard to recreate the password generated by TurtlPass without access to the hash result of the inputs, such as the PIN code, app/domain, and user account, used in the client app.
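The derivation this page describes, a stored seed combined with the client's input hash through HKDF (RFC 5869) to give a 100-character alphanumeric password, can be sketched as follows. This is an added example, not the TurtlPass firmware's own code: SHA-512, the salt/IKM role assignment, the `password` info label and the byte-to-character mapping are all assumptions.

```python
import hashlib
import hmac

ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
PASSWORD_LENGTH = 100  # length stated on this page


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha512") -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:  # RFC 5869: an absent salt is HashLen zero bytes
        salt = bytes(hashlib.new(hash_name).digest_size)
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha512") -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i)."""
    if length > 255 * hashlib.new(hash_name).digest_size:
        raise ValueError("HKDF output is limited to 255 * HashLen bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_password(seed: bytes, input_hash: bytes) -> str:
    """Derive 100 alphanumeric characters; roles of seed/input are assumed."""
    prk = hkdf_extract(salt=input_hash, ikm=seed)
    limit = 256 - (256 % len(ALPHABET))  # 248: larger bytes would bias the result
    chars, round_no = [], 0
    while len(chars) < PASSWORD_LENGTH:
        # Hypothetical info label; a fresh block is drawn if rejections run short.
        for b in hkdf_expand(prk, b"password" + bytes([round_no]), 256):
            if b < limit and len(chars) < PASSWORD_LENGTH:
                chars.append(ALPHABET[b % len(ALPHABET)])
        round_no += 1
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample values, not real seed material.
    seed = hashlib.sha512(b"constructed device seed").digest()
    input_hash = hashlib.sha512(b"1234|example.com|alice").hexdigest().encode()
    print(derive_password(seed, input_hash))
```

Bytes of 248 and above are discarded rather than reduced modulo 62, so every character of the alphabet is equally likely. Changing either the seed or the input hash yields an unrelated password, which is why a dumped seed alone does not reproduce a password.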
Raspberry Pi Pico
It is important to note that the firmware binary on the Raspberry Pi Pico RP2040 can be easily extracted using picotool due to its utilization of external ROM.
Example on how to do just that:
$ picotool save firmware.uf2
Saving file: [==============================] 100%
Wrote 369000 bytes to firmware.uf2
Secure Element (SE)
Using a secure element such as the ATECC608A/B or OPTIGA Trust X/M for password generation can be a secure solution due to its physical tamper-resistance and isolation from the rest of the system. However, there are limitations to consider such as the difficulty in using them across multiple devices or platforms, and lack of backup or recovery options in case of loss or damage. Additionally, it may be difficult to manage and control access to the password in situations where multiple users need to access it.
Other hardware options
I am continuously exploring and evaluating new hardware options for this project. As more information and resources become available, I will keep you updated on my progress.
- Raspberry Pi Pico Arduino core
  - Port of the RP2040 (Raspberry Pi Pico processor) to the Arduino ecosystem.
  - It uses the bare Raspberry Pi Pico SDK and a custom GCC 10.3/Newlib 4.0 toolchain.
  - LGPL 2.1 license
- Arduino Cryptography Library
  - Libraries to perform cryptography operations on Arduino devices
  - MIT license
- Keyboard Library for Arduino
  - Library allows an Arduino board with USB capabilities to act as a keyboard
  - LGPL 3.0 license
TurtlPass Firmware is released under the GPL 3.0 license.