LastPass Enterprise Manual An easy to understand guide on how to use LastPass Enterprise.

LastPass Provisioning API

LastPass exposes a public API that can be used by enterprise accounts to create users, deprovision users, and manage groups.

For the full list of API details and instructions, see Enterprise Console > Setup > Create New Users > LastPass Provisioning API.

If you would like to use the API to automatically add users to shared folders, you will need to perform the encryption operations yourself. That requires some knowledge of the underlying encryption operations LastPass uses, which are documented below.

Adding a User

The first step is adding the user. You must first choose the number of PBKDF2 iterations you plan to use. LastPass currently recommends 5000 as a balance between security and performance.

Once you have the username, password, and iteration count you plan to use, you can calculate the user's encryption key. It is generated with PBKDF2-HMAC-SHA256, using the password as the input and the username as the salt. Here is an example using the OpenSSL PKCS5_PBKDF2_HMAC() function (please note that the username and password should be UTF-8 encoded):

#include <string.h>
#include <openssl/evp.h>
/* Both strings must be UTF-8 encoded; the username is the PBKDF2 salt. */
const char *username = "user@lastpass.com";
const char *password = "T5O89kkUMGYT";
int iterations = 5000;
unsigned char key[32];
PKCS5_PBKDF2_HMAC(password, strlen(password),
                  (const unsigned char *)username, strlen(username),
                  iterations, EVP_sha256(), sizeof key, key);

If this function call succeeds (it returns 1), the user's 32-byte encryption key will be present in the variable "key".

Now that you have the user's encryption key, you can use it to generate the user's password hash. This is the hash that's passed to the adduser API as parameter passwordhash. Here is an example, continuing from the above:

unsigned char hash[32];
/* Password hash: one PBKDF2 round over the raw key, with the password as the salt. */
PKCS5_PBKDF2_HMAC((const char *)key, sizeof key, (const unsigned char *)password,
                  strlen(password), 1, EVP_sha256(), sizeof hash, hash);

If this function call succeeds, the user's password hash will be present in the variable "hash". Please note that you should hex-encode the hash before passing it to LastPass. Thus, passwordhash should always be 64 hexadecimal characters.

Generating RSA Keys

In order to immediately add the user to shared folders, you will also have to pass rsapublickey and rsaprivatekeyenc to the adduser command.

First, generate an RSA public/private key pair. This key must be 2048 bits.

Next, encode the public key in ASN.1 DER format and hex-encode it. This is the rsapublickey value that will be passed to LastPass.

Next, encode the private key in ASN.1 DER format and hex-encode it. This is the rsaprivatekey value, which you must encrypt with the user's encryption key before passing it to LastPass.

Next, encrypt the rsaprivatekey using the user's encryption key. First, prepend "LastPassPrivateKey<" and append ">LastPassPrivateKey" to the hex-encoded rsaprivatekey. Then encrypt the framed string with AES-CBC, using the user's 32-byte encryption key as the AES key and the first 16 bytes of that key as the IV. Pad with PKCS#7. Hex-encode the result to produce rsaprivatekeyenc, which can then be passed to LastPass.

Once you have the passwordhash, rsapublickey, and rsaprivatekeyenc, you should be able to perform an adduser API call.

Adding a User to a Shared Folder

Now that you have created a user with valid RSA keys, you will be able to use the addusertosharedfolder API to add them to a shared folder.

First, retrieve the ID and encryption key of the shared folder you would like to add the user to.

Next, encrypt the shared folder's encryption key with the user's RSA public key, using OAEP padding. Hex-encode the result; since you are using a 2048-bit RSA key, the ciphertext is 256 bytes and the hex-encoded value is 512 hexadecimal characters. This is what you pass to LastPass as sharekey.

Next, encrypt the shared folder's name using the shared folder's encryption key. Be sure to encrypt the full name, including the "Shared-" prefix: if your shared folder is named "LP", encrypt the string "Shared-LP". Use AES-ECB for this step, pad with PKCS#7, and base64-encode the result. This is what you pass to LastPass as sharename.

Once you have shareid, sharekey, and sharename, you should be able to perform an addusertosharedfolder API call.
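The whole sequence above, from key derivation through the addusertosharedfolder values, as an added Python example that is not part of the LastPass manual. It assumes the `cryptography` package, a 32-byte shared-folder key, SHA-1 for OAEP (OpenSSL's default), and SubjectPublicKeyInfo / PKCS#8 DER encodings for the key pair; the manual specifies none of these, so check them against a key pair that LastPass accepts.

```python
import base64
import hashlib
from cryptography.hazmat.primitives import hashes, padding, serialization
from cryptography.hazmat.primitives.asymmetric import padding as oaep, rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

def derive_key(username: str, password: str, iterations: int) -> bytes:
    """User encryption key: PBKDF2-HMAC-SHA256 over the UTF-8 password, UTF-8 username as salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               username.encode("utf-8"), iterations, 32)

def password_hash(key: bytes, password: str) -> str:
    """adduser passwordhash: one PBKDF2 round over the raw key, password as salt, hex-encoded."""
    return hashlib.pbkdf2_hmac("sha256", key, password.encode("utf-8"), 1, 32).hex()

def pkcs7(data: bytes) -> bytes:
    padder = padding.PKCS7(128).padder()
    return padder.update(data) + padder.finalize()

def rsa_private_key_enc(key: bytes, private_der_hex: str) -> str:
    """adduser rsaprivatekeyenc: framed hex DER key, AES-CBC, IV = first 16 bytes of the key."""
    framed = f"LastPassPrivateKey<{private_der_hex}>LastPassPrivateKey".encode("utf-8")
    enc = Cipher(algorithms.AES(key), modes.CBC(key[:16])).encryptor()
    return (enc.update(pkcs7(framed)) + enc.finalize()).hex()

def share_key(public_key, folder_key: bytes) -> str:
    """addusertosharedfolder sharekey: folder key under RSA-OAEP (SHA-1 assumed), hex-encoded."""
    pad = oaep.OAEP(mgf=oaep.MGF1(hashes.SHA1()), algorithm=hashes.SHA1(), label=None)
    return public_key.encrypt(folder_key, pad).hex()

def share_name(folder_key: bytes, name: str) -> str:
    """addusertosharedfolder sharename: 'Shared-' + name, AES-ECB, PKCS#7, base64-encoded."""
    enc = Cipher(algorithms.AES(folder_key), modes.ECB()).encryptor()
    ct = enc.update(pkcs7(f"Shared-{name}".encode("utf-8"))) + enc.finalize()
    return base64.b64encode(ct).decode("ascii")

def provision(username, password, iterations, folder_key, folder_name):
    """Every value for adduser and addusertosharedfolder (DER formats are assumptions)."""
    key = derive_key(username, password, iterations)
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pub_der = priv.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    priv_der = priv.private_bytes(serialization.Encoding.DER, serialization.PrivateFormat.PKCS8,
                                  serialization.NoEncryption())
    return {"passwordhash": password_hash(key, password),
            "rsapublickey": pub_der.hex(),
            "rsaprivatekeyenc": rsa_private_key_enc(key, priv_der.hex()),
            "sharekey": share_key(priv.public_key(), folder_key),
            "sharename": share_name(folder_key, folder_name)}
```

Call provision() with the user's credentials, iteration count, the folder's raw key and its name (without the "Shared-" prefix); the sharekey output changes on every call because OAEP is randomized, the other values are deterministic for a given key pair.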