key

package module
v0.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 11, 2019 License: AGPL-3.0 Imports: 24 Imported by: 0

README

This project is in early stage and under active development

Keys

Keys is a tool for managing and distributing secret keys at scale. In particular, it decouples a traditional key-management-system (KMS) - like AWS-KMS or Hashicorp Vault - from large-scale and high-performance applications.

Almost every large-scale system deals with sensitive information that must be protected from unauthorized access. Therefore, applications encrypt network traffic and data at rest. However, someone has to provide the encryption keys to those applications at some point in time. An on-prem or cloud KMS can distribute unique encryption keys to those applications and also allows tight control over which encryption key is accessed by whom at which point in time.

Getting Started

You need to setup Go first.
For your first steps you can start a (dev) server by:

  1. Clone the repo: git clone git@github.com:minio/keys.git && cd keys
  2. Create a TLS private key and certificate for the key server:
    • openssl ecparam -genkey -name prime256v1 | openssl ec -out server.key
    • openssl req -new -x509 -days 365 -key server.key -out server.cert -subj "/C=/ST=/L=/O=/CN=localhost"
  3. Create a new identity (named root):
    go run ./cmd/key tool identity new --key="./root.key" --cert="root.cert" root
  4. Switch to a new terminal window but stay in the same directory and start the server by: 
    go run ./cmd/key server \
   --mtls-auth=ignore \
   --tls-key="./server.key" \
   --tls-cert="./server.cert" \
   --root $(key tool identity of root.cert)
  5. Switch back to the previous terminal window and set:
    • export KEY_CLIENT_TLS_KEY_FILE=./root.key
    • export KEY_CLIENT_TLS_CERT_FILE=./root.cert
  6. Now, can you talk to the server and e.g. create a new master key (named my-key): key create my-key -k
  7. This key can now be used to derive unique encryption keys for your applications: key derive my-key -k 
    {
   plaintext : ...
   ciphertext: ...    
}
    The plaintext is a base64-encoded 256 bit key. The ciphertext is the plaintext key encrypted with the my-key at the server.
  8. Of course you can decrypt the ciphertext again by passing it to: key decrypt my-key -k <base64-ciphertext>

Note: You just started a key server with a non-permanent in-memory key store. Therefore, by restarting the server all keys created in between will be destroyed. For durable key stores take a look at the config file documentation

Documentation

Index

Constants

View Source 
const (
	ErrKeyNotFound errorType = "key does not exist"
	ErrKeyExists   errorType = "key does already exist"
	ErrStoreSealed errorType = "key store is sealed"
)

Variables

This section is empty.

Functions

func EnforcePolicies 

func EnforcePolicies(roles *Roles, f http.HandlerFunc) http.HandlerFunc

func HandleAssignIdentity 

func HandleAssignIdentity(roles *Roles) http.HandlerFunc

func HandleCreateKey 

func HandleCreateKey(store Store) http.HandlerFunc

func HandleDecryptKey 

func HandleDecryptKey(store Store) http.HandlerFunc

func HandleDeleteKey 

func HandleDeleteKey(store Store) http.HandlerFunc

func HandleDeletePolicy 

func HandleDeletePolicy(roles *Roles) http.HandlerFunc

func HandleForgetIdentity 

func HandleForgetIdentity(roles *Roles) http.HandlerFunc

func HandleGenerateKey 

func HandleGenerateKey(store Store) http.HandlerFunc

func HandleListIdentities 

func HandleListIdentities(roles *Roles) http.HandlerFunc

func HandleListPolicies 

func HandleListPolicies(roles *Roles) http.HandlerFunc

func HandleReadPolicy 

func HandleReadPolicy(roles *Roles) http.HandlerFunc

func HandleWritePolicy 

func HandleWritePolicy(roles *Roles) http.HandlerFunc

func LimitRequestBody 

func LimitRequestBody(n int64, f http.HandlerFunc) http.HandlerFunc

func NewError 

func NewError(status int, text string) error

NewError returns an error that formats as the given text.

It's guaranteed that the returned error has an additional 

Status() int

method that returns the given status code. Code that handles HTTP requests may type-check whether an error value provides this method by: 

if err, ok := err.(interface{ Status() int }); ok {
}

and set the status code of the response accordingly.

NewError should not be used to create internal errors, like when running out-of-entropy while reading from a PRNG.

Each call to NewError returns a distinct error value even if the status and text are identical.

func RequireMethod 

func RequireMethod(method string, f http.HandlerFunc) http.HandlerFunc

Types

type Client 

type Client struct {
	// contains filtered or unexported fields
}

func NewClient 

func NewClient(addr string, config *tls.Config) *Client

func (*Client) AssignIdentity 

func (c *Client) AssignIdentity(policy string, id Identity) error

func (*Client) CreateKey 

func (c *Client) CreateKey(name string, key []byte) error

func (*Client) DecryptDataKey 

func (c *Client) DecryptDataKey(name string, ciphertext, context []byte) ([]byte, error)

func (*Client) DeleteKey 

func (c *Client) DeleteKey(name string) error

func (*Client) DeletePolicy 

func (c *Client) DeletePolicy(name string) error

func (*Client) ForgetIdentity 

func (c *Client) ForgetIdentity(id Identity) error

func (*Client) GenerateDataKey 

func (c *Client) GenerateDataKey(name string, context []byte) ([]byte, []byte, error)

func (*Client) ListIdentities 

func (c *Client) ListIdentities(pattern string) (map[Identity]string, error)

func (*Client) ListPolicies 

func (c *Client) ListPolicies(pattern string) ([]string, error)

func (*Client) ReadPolicy 

func (c *Client) ReadPolicy(name string) (*Policy, error)

func (*Client) Transport 

func (c *Client) Transport(transport http.RoundTripper)

func (*Client) WritePolicy 

func (c *Client) WritePolicy(name string, policy *Policy) error

type Identity 

type Identity string

An Identity should uniquely identify a client and is computed from the X.509 certificate presented by the client during the TLS handshake using an IdentityFunc. 

const IdentityUnknown Identity = ""

IdentityUnknown is the identity returned by an IdentityFunc if it cannot map a particular X.509 certificate to an actual identity.

func Identify 

func Identify(req *http.Request, f IdentityFunc) Identity

Identify computes the idenitiy of the X.509 certificate presented by the peer who sent the request.

It returns IdentityUnknown if no TLS connection state is present, more than one certificate is present or when f returns IdentityUnknown.

func (Identity) IsUnknown 

func (id Identity) IsUnknown() bool

IsUnknown returns true if and only if the identity is IdentityUnknown.

func (Identity) String 

func (id Identity) String() string

String returns the string representation of the identity.

type IdentityFunc 

type IdentityFunc func(*x509.Certificate) Identity

IdentityFunc maps a X.509 certificate to an Identity. This mapping should be deterministic and unique in the sense that:

  1. The same certificate always gets mapped to same identity.
  2. There is only one (valid / non-expired) certificate that gets mapped to a particular (known) identity.

If no certificate is provided or an identity cannot be computed - e.g. because the certificate does not contain enough information - the IdentityFunc should return IdentityUnknown.

func HashPublicKey 

func HashPublicKey(hash crypto.Hash) IdentityFunc

HashPublicKey returns an IdentityFunc that computes an identity as the cryptographic hash of the certificate's public key.

If the hash function is not available it uses crypto.SHA256.

type Policy 

type Policy struct {
	// contains filtered or unexported fields
}

func NewPolicy 

func NewPolicy(patterns ...string) *Policy

func (Policy) MarshalJSON 

func (p Policy) MarshalJSON() ([]byte, error)

func (Policy) MarshalTOML 

func (p Policy) MarshalTOML() ([]byte, error)

func (*Policy) String 

func (p *Policy) String() string

func (*Policy) UnmarshalJSON 

func (p *Policy) UnmarshalJSON(b []byte) error

func (*Policy) UnmarshalTOML 

func (p *Policy) UnmarshalTOML(b []byte) error

func (*Policy) Verify 

func (p *Policy) Verify(r *http.Request) error

type Roles 

type Roles struct {
	Root     Identity
	Identify IdentityFunc
	// contains filtered or unexported fields
}

func (*Roles) Assign 

func (r *Roles) Assign(name string, id Identity) error

func (*Roles) Delete 

func (r *Roles) Delete(name string)

func (*Roles) Forget 

func (r *Roles) Forget(id Identity)

func (*Roles) Get 

func (r *Roles) Get(name string) (*Policy, bool)

func (*Roles) Identities 

func (r *Roles) Identities() map[Identity]string

func (*Roles) IsAssigned 

func (r *Roles) IsAssigned(id Identity) bool

func (*Roles) Policies 

func (r *Roles) Policies() (names []string)

func (*Roles) Set 

func (r *Roles) Set(name string, policy *Policy)

type Secret 

type Secret [32]byte

Secret is a 256 bit secret key. It can wrap and unwrap session or data keys.

func (Secret) Unwrap 

func (s Secret) Unwrap(ciphertext []byte, associatedData []byte) ([]byte, error)

Unwrap decrypts and verifies the ciphertext, verifies the associated data and, if successful, returns the resuting plaintext. It returns an error if ciphertext is malformed or not authentic.

func (Secret) Wrap 

func (s Secret) Wrap(plaintext, associatedData []byte) ([]byte, error)

Wrap encrypts and authenticates the plaintext, authenticates the associatedData and returns the resulting ciphertext.

It should be used to encrypt a session or data key provided as plaintext.

If the executing CPU provides AES hardware support, Wrap derives keys using AES and encrypts plaintexts using AES-GCM. Otherwise, Wrap derives keys using HChaCha20 and encrypts plaintexts using ChaCha20-Poly1305.

type Store 

type Store interface {
	Create(string, Secret) error

	Delete(string) error

	Get(string) (Secret, error)
}

Source Files

View all Source files

Directories

Path Synopsis
cmd
key
Package fs implements a secret key store that stores secret keys as files on the file system.
 Package fs implements a secret key store that stores secret keys as files on the file system.
internal
cache
Package cache implements an in-memory cache for secret keys.
 Package cache implements an in-memory cache for secret keys.
Package mem implements an in-memory secret key store.
 Package mem implements an in-memory secret key store.
Package vault implements a secret key store that stores secret keys as key-value entries on the Hashicorp Vault K/V secret backend.
 Package vault implements a secret key store that stores secret keys as key-value entries on the Hashicorp Vault K/V secret backend.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.