Building Sesto, in-browser password manager | Cossack Labs

🇺🇦 We stand with Ukraine, and we stand for Ukraine. We offer free assessment and mitigation services to improve Ukrainian companies security resilience.

List of blogposts

Building Sesto, in-browser password manager

Intro: what is Sesto

Sesto (abbreviation for Secret Store) is open source passwords (and general secrets) manager for web.

What sets Sesto apart from many other password managers is:

  • it's web password manager, e.g. you don't need local client to run it, only have compatible browser (Google Chrome with PNaCl modules enabled), the application is downloaded from Sesto server.

  • for a clientless web password manager, it's strong security model: most web password managers are built either on JS crypto (which is bad), or rely on simply protecting your data via SSL and with some arbitrary keys on server side. Sesto protects everything stored on server with client keys, and does not have any access to the data; moreover, Sesto performs all client-side decryption in a safe and secure manner.

Sesto was designed as one of proof of concept tools during the development of Themis and Toughbase, where we assess different techniques in implementing data manipulation schemes for sensitive data.

Sesto allows you to store your secrets in tree-like structure: 

Intro: what is Sesto

It works in your web browser, which downloads all code from the server, but is a compiled Google Chrome application, which sets it aside from weaker apps with JS encryption or transmitting data over plain HTTPS.

Sesto server is written in Python, Sesto front-end is combination of PNaCl module (C++) and JS/CSS/HTML interface. Sesto utilizes our Themis library and it's WebThemis port.

Enough of this! Just bring me the code! There's readme there, but to learn more about inner workings of Sesto, you might still want to read this post.




The server is built in Python. It solves 2 main tasks:

  • Serve clients PEXE + JS/HTML code in response to HTTP GET /

  • Talk to PNaCl application and work as it's backend via WebScokets


Client consists of 3 main parts:

  • JS/HTML front-end

  • PNaCl module containing

    • Sesto code

    • WebThemis as crypto library for Sesto

Security model


All client-server communication between running sesto app and server happens via websocket, over which we establish secure session with shared keys.

Each time server restarts, it regenerates keypair and shares public key with client via new HTML.

HTML part does not work with anything related to cryptography (here's why), all cryptographic transformations happen within PNaCl module, which then just uses JS to transmit strings to put into interface.


(see storage model below)

Sesto stores a tree of records, each record is either a folder or a file. Each file is encrypted with unique random 64-byte key, these keys are held in folders (parent nodes), this way only those having access to folder nodes are able to decrypt them and see the files.

Sesto sends to the client only selected nodes of the tree, thus minimizing potential leakage scope. All records are decrypted on client, and sequence of chunks necessary to reconstruct end-node's random password is unknown to Sesto itself since even to decrypt the root node (which lists all folders and files), Sesto needs user password, which user never sends.

Storage model

All data is stored in a tree of "folders and files" in SQLite database in two tables: data and users:

session to db scheme

data table contains pairs of id:data, where data is Secure Cell Seal Mode JSON container, encrypted by user's password for corresponding root_id. It can be either:

  • folder, containing list of files with their random passwords

  • file, encrypted with random password

1. Folder with links to other containers:

{ "type":"folder",
   "name": <name>,
   "desc": <description>
   "context": [<id>:<password>,

name and description are values for the interface. context carries list of id:password pairs, where each id is a link to id column value of some other object, whose data field is encrypted with password.

2. The file itself

                          "txt":<is text field>,
                          "sec":<is addition encrypted field>},

sec flag denoted whether the data field is additionaly encrypted by user password.

Installing and running


  • Your machine has to have Python3 and pip3 to use python part

  • You have to install libssl-dev


git clone
cd themis 
sudo make SECURE_COMPARATOR=enable install 
cd .. 
git clone 
cd sesto 
pip3 install -r requirements.txt 
python3 test_user test_pass 



or add -v to get into verbose mode.

Server will run on port 5103 of the machine you've launched it on.

Now just go do http://serveraddr:5103 and you should see a login screen.

Tweaking Sesto (for developers)

Sesto is open-source under Apache2 license and we'll be glad if someone tries to build something interesting and sophisticated on top of this simple PoC code.

Web part

Web part consists of PNaCl object doing all security stuff and JS/HTML part. They communicate via _client JS object.

Web part consists of Sesto code, which is in, which:

  • sets up WebSocket connection to server

  • establishes Secure Session connection over it

  • authenticates users via Secure Comparator

  • provides chunks of encrypted database to user on-demand by id.

...and WebThemis library itself with code in /webthemis/ folder.

To rebuild it after tweaking, you will need:

  1. themis installed with Secure Comparator enabled (see Installing section)

  2. NaCl SDK

  3. create environment variable PNACL_ROOT with path to installed SDK files.

Now, clone repository with all submodules and build WebThemis and Sesto:

git clone
cd sesto
git submodule update --init --recursive
cd webthemis
cd ..

You might want to refer to webthemis documentation for some additional details on how WebThemis works.

Server part is very simple Python Server, doing 4 things:

  1. Serving Sesto binaries and design to HTTP customers

  2. Establishing Secure Session over websockets

  3. Authenticating the user

  4. Giving the user object by id, and handling edit/update operations.

Good Luck!

And if you'd like to get in touch, drop us a line by any convenient method

Contact us

Get whitepaper

Apply for the position

Our team will review your resume and provide feedback
within 5 business days

Thank you!
We’ve received your request and will respond soon.
Your resume has been sent!
Our team will review your resume and provide feedback
within 5 business days