Use the LastPass Provisioning API

LastPass supports a public API that can be used by LastPass Enterprise accounts to create users, de-provision users, and manage groups. This automated provisioning API is very powerful, but does require integration on your part to avoid duplicate actions. Since LastPass offers a few different automated provisioning options, you can learn more about which option is right for you.

Note: The LastPass Provisioning API does not support managing groups for pre-configured SSO (Cloud) apps in the SSO & MFA Admin Console.

Add a user

The first step is adding the user. You must first choose the number of PBKDF2 iterations you plan to use. LastPass currently uses 100,100 rounds as a default for balancing between security and performance.

Once you have the username, password, and iterations you plan to use, you can first calculate the user’s encryption key. It is generated using PBKDF2-HMAC-SHA256, using the username as the salt. Here is an example using the OpenSSL PKCS5_PBKDF2_HMAC() function (please note that the username and password should be UTF-8 encoded):

const unsigned char *username = “”;

const char *password = “T5O89kkUMGYT”;

int iterations = 5000;

unsigned char key[32];

PKCS5_PBKDF2_HMAC(password, strlen(password), username, strlen(username), iterations, EVP_sha256(), 32, key);

If this function call succeeds, the user’s encryption key will be present in the variable “key”.

Now that you have the user’s encryption key, you can use it to generate the user’s password hash. This is the hash that’s passed to the adduser API as parameter passwordhash. Here is an example, continuing from the above:

unsigned char hash[32];

PKCS5_PBKDF2_HMAC(key, 32, password, strlen(password), 1, EVP_sha256(), 32, hash);

If this function call succeeds, the user’s password hash will be present in the variable “hash”. Please note that you should hex-encode the hash before passing it to LastPass. Thus, passwordhash should always be 64 hexadecimal characters.

Generate RSA Keys

In order to immediately add the user to shared folders, you will also have to pass rsapublickey and rsaprivatekeyenc to the adduser command.

  1. Generate an RSA public/private key pair. This key must be 2048 bits.
  2. Encode the public key in ASN.1 DER format, then hex-encode it (this is the value for rsapublickey that will be passed to LastPass). You can view an example of a valid rsapublickey here.
  3. Encode the private key in ASN.1 DER format, then hex-encode it (this is the value for rsaprivatekey that you will have to encrypt with the user’s encryption key before passing it to LastPass). You can view an example of a valid rsaprivatekey here.
  4. Encrypt the rsaprivatekey using the user’s encryption key:
    1. Prepend “LastPassPrivateKey<” and append “>LastPassPrivateKey” to the rsaprivatekey.
    2. Encrypt via AES-CBC, using the first 16 characters of the user’s encryption key as the IV. Pad via PKCS#7. Hex-encode the result to create rsaprivatekeyenc (which can then be passed to LastPass).
  5. Once you have the passwordhash, rsapublickey, and rsaprivatekeyenc, you should be able to perform an adduser API call.

Add a user to a shared folder

Now that you have created a user with valid RSA keys, you will be able to use the addusertosharedfolder API to add them to a shared folder.

  1. Retrieve the ID and encryption key for the shared folder to which you would like to add the user. You can view these values for the shared folders to which you are assigned.
  2. Next, you must encrypt the shared folder’s encryption key with the user’s RSA public key, first padding with OAEP. Hex-encode the result, which should end up being 512 hexadecimal bytes since you’re using a 2048-bit RSA key. The result is what you should pass to LastPass as sharekey.
  3. Then, you must encrypt the shared folder’s name using the shared folder’s encryption key. Be sure to encrypt the full name, including the “Shared-” prefix. For example, if your shared folder is named “LP”, encrypt the string “Shared-LP”. Use AES-ECB for this step, pad via PKCS#7, and base64-encode the result. The result is what you should pass to LastPass as sharename.
  4. Once you have shareid, sharekey, and sharename, you should be able to perform an addusertosharedfolder API call.


Use Directory Integrations for Automated Provisioning

View and Manage LastPass Enterprise Shared Folders (Admins)

Advanced LastPass Admin Options