Some time ago my colleague, who is our internal security officer, asked me how much effort it would take to develop a SharePoint web part to encrypt certain data so that it is not in plain text. I replied that a "simple webpart" can be implemented very quickly, with little effort. He had only asked me this out of interest, but nevertheless, the idea of a simple password vault webpart was born (of course, I asked my colleague if I could develop a webpart and then publish it).

I have seen sensitive data such as user name and password in plain text in many intranets. Why should one worry about such things on an intranet? After all, it can only be seen by the staff, can't it?

But something like that is still not secure if it is in plain text. Let's say I'm in a team meeting (which is even being recorded) and I am sharing my screen and I visit the page that contains the login data. And the data could be "stolen". This is just one example of many.

I then had the idea of developing a webpart where you can set a master password to encrypt the user name and password. And only after entering this master password, the entered data should be decrypted and displayed in plain text. A typical password vault such as Dashlane, KeyPass or Bitwarden. Only somewhat simplified and only for one user name and password. To be able to enter further information/notes, I have added a text field (Rich text editor), which is also encrypted. This could be used, for example, to store several user data.

The webpart should contain the following features:

• If you have not yet set a master password (webpart newly added). The vault does not have to be unlocked. The master password has to be set first.

• If a master password has already been set, the vault must first be unlocked to view or adjust the data.

• The data must also be stored encrypted in SharePoint. This means that the data must not be visible in SharePoint maintenance mode.

• The encrypted values can only be decrypted with the master password.

• The user name and password can be copied to the clipboard with one click.

• The password is in a password field and is therefore not displayed unless it is actively displayed by the user.

• The vault can be closed manually or will be closed automatically after 5 minutes after the page has been refreshed.

Now it was time for the implementation. For encryption and decryption, I decided to use the JavaScript library crypto-js, which I already know and which is loved by many. The master password is hashed (and salted) with SHA256. The other data is logically not hashed, but encrypted and decrypted with the Advanced Encryption Standard (AES). A combination of a key defined by me + master password is used as the key value for encryption and decryption.

Result

Display Mode

If the vault is closed, the user has to enter the master password (does not matter if in display or edit mode)

After the user has entered the correct master password, he/she can view the stored data. The password is not visible in plain text unless the "show password" icon has been clicked on

Edit Mode

In page edit mode, it is possible to update the master password or change the data.

And yes, if you lose the master password, all data cannot be recovered. Not even by the administrator.

Maintenance Mode

And to prove that the data is encrypted and is not displayed in maintenance mode, here is an example of the data stored in the webpart.

Source and Download

You can find the source code in my GitHub repository. If you want to test/use the web part you can find the SharePoint package file here.

I would appreciate your feedback. You can leave a comment here in the post or use my GitHub repository for it.

Update March 13, 2023

I have updated the solution and added new features. See here