gfbank

Published: Dec 5, 2024 License: Apache-2.0 Imports: 29 Imported by: 0

README

gfbank

This tool manages on-disk "vaults" of secrets that require n of m SSH RSA keys for decryption. Decryption relies on Shamir secret sharing, implemented via libgfshare.

When a vault is created, the secret file is encrypted with a new key. That key is then split into m Shamir shares, any n of which can reconstruct it; each share is encrypted to the public half of one of the SSH RSA keys, and all of this vault information is stored on disk.

To decrypt the vault, gfbank starts a network server to which the other n-1 key holders connect using their SSH private keys. Once n users are connected (including the one who started the server), the vault is decrypted and the secret restored.

Key generation

Note that this tool requires RSA SSH keys. You can generate a usable key in the format this tool will understand by running:

ssh-keygen -t rsa -m pem -f output-key

Requirements

libgfshare-bin (for gfcombine/gfsplit)

Usage

Usage: gfbank [OPTIONS] COMMAND [arg...]

The Grand French Bank

Options:
      --dir        bank directory (default "./")
      --debug      debug logging
      --identity   private key identity (default "default")

Commands:
  pubkey           public key commands
  vault            vault commands

Run 'gfbank COMMAND --help' for more information on a command.
Usage: gfbank pubkey COMMAND [arg...]

public key commands

Commands:
  list         list all public keys
  revoke       revoke public key
  unrevoke     unrevoke public key
  import       import a public key

Run 'gfbank pubkey COMMAND --help' for more information on a command.
Usage: gfbank vault COMMAND [arg...]

vault commands

Commands:
  list         list vaults
  create       create vault
  open         open vault
  collude      collude to open vault
  audit        audit vaults

Run 'gfbank vault COMMAND --help' for more information on a command.

LICENSE

See LICENSE file for details.

Documentation


Constants

// DefaultIdentityName is the identity used when none is selected; it is the
// documented default of the --identity command-line option.
const DefaultIdentityName = "default"

Variables

// Error is the error class under which this package's errors are created.
// NOTE(review): errors here cannot be the standard library package (it has no
// NewClass); it is presumably an error-class library — confirm the import.
var (
	Error = errors.NewClass("error")
)

Functions

func CheckDeps

func CheckDeps() error

func CombineBytes

func CombineBytes(shares []Share) (data []byte, err error)

func CombineString

func CombineString(shares []Share) (data string, err error)

func DecryptBytes

func DecryptBytes(in, key, nonce []byte) (out []byte, err error)

func EncryptBytes

func EncryptBytes(in []byte) (out, key, nonce []byte, err error)

func HostVaultOpen

func HostVaultOpen(identity *Identity, vault *Vault, proxy ListenProxy,
	status OpenStatus) (data []byte, err error)

func JoinVaultOpen

func JoinVaultOpen(identity *Identity, vault *Vault, host, host_keyid string,
	proxy DialProxy) (err error)

Types

type AuditStatus

// AuditStatus is the overall result of auditing a vault, as returned by
// VaultAudit.Status. Presumably it is derived from how many shares are still
// safe (VaultAudit.Safe) relative to VaultAudit.Needed — confirm against Status.
type AuditStatus int
const (
	VaultOK AuditStatus = iota // enough safe shares remain to open the vault (presumed)
	VaultAtRisk                // still openable, but with little or no margin (presumed)
	VaultLost                  // fewer safe shares than needed; cannot be opened (presumed)
)

type Bank

// Bank is the top-level handle over a bank directory: it combines the
// identities, public keys and vaults stored there (see NewBank) and exposes
// the operations behind the gfbank CLI commands.
type Bank struct {
	// contains filtered or unexported fields
}

func NewBank

func NewBank(dir, identity string, proxy Proxy, fn PassphraseFunc) (
	b *Bank, err error)

func (*Bank) AuditAllVaults

func (b *Bank) AuditAllVaults() ([]VaultAudit, error)

func (*Bank) AuditVaults

func (b *Bank) AuditVaults(names []string) (audits []VaultAudit, err error)

func (*Bank) AuditVaultsWithKeyId

func (b *Bank) AuditVaultsWithKeyId(keyid string) (audits []VaultAudit,
	err error)

func (*Bank) CreateVault

func (b *Bank) CreateVault(src string, pubkeys []string, n, m int) (
	vault *Vault, err error)

func (*Bank) HostVaultOpen

func (b *Bank) HostVaultOpen(name string, out string, status OpenStatus) (
	err error)

func (*Bank) ImportPublicKey

func (b *Bank) ImportPublicKey(path string) (*PublicKey, error)

func (*Bank) JoinVaultOpen

func (b *Bank) JoinVaultOpen(name, host, host_keyid string) (err error)

func (*Bank) ListVaults

func (b *Bank) ListVaults() (names []string, err error)

func (*Bank) LoadPublicKeys

func (b *Bank) LoadPublicKeys() (keys []PublicKey, err error)

func (*Bank) RevokePublicKey

func (b *Bank) RevokePublicKey(name string) (*PublicKey, error)

func (*Bank) UnrevokePublicKey

func (b *Bank) UnrevokePublicKey(name string) (*PublicKey, error)

type DialProxy

// DialProxy abstracts the outbound connection a joining key holder makes to
// the host of a vault opening (see JoinVaultOpen).
type DialProxy interface {
	// Dial connects to host, as given to JoinVaultOpen, and returns the
	// connection over which the joining side presumably exchanges its share.
	Dial(host string) (net.Conn, error)
}

type EncryptedShare

// EncryptedShare is one share of a vault's key as stored on disk: the share is
// encrypted to a single holder's public key, so only the matching private key
// (Identity.DecryptShare) can recover the plaintext Share.
type EncryptedShare struct {
	Identity string `json:"identity"` // name of the key holder this share was encrypted to
	KeyId    string `json:"keyid"`    // identifier of that holder's public key (compare PublicKey.Id)
	Number   string `json:"number"`   // share number, as in Share.Number
	Data     string `json:"data"`     // ciphertext of the share; its text encoding is not visible here — confirm
}

type Identities

// Identities loads private key identities from a directory (see NewIdentities).
// The PassphraseFunc given at construction is presumably invoked when a key is
// passphrase-protected — confirm against Load.
type Identities struct {
	// contains filtered or unexported fields
}

func NewIdentities

func NewIdentities(dir string, fn PassphraseFunc) (*Identities, error)

func (*Identities) Load

func (ids *Identities) Load(name string) (ident *Identity, err error)

type Identity

// Identity is a loaded private SSH RSA key belonging to this user. Key holds
// the private key material itself, so values of this type are sensitive and
// should not be logged or serialized.
type Identity struct {
	Name string          // identity name, as passed to Identities.Load
	Id   string          // key identifier; presumably the same form as PublicKey.Id / EncryptedShare.KeyId — confirm
	Key  *rsa.PrivateKey // private key material (secret)
}

func LoadIdentity

func LoadIdentity(path string, fn PassphraseFunc) (key *Identity, err error)

func (*Identity) DecryptShare

func (id *Identity) DecryptShare(encrypted_share *EncryptedShare) (
	*Share, error)

type KeyIds

// KeyIds is the set of public key identifiers built by PublicKeyIds. Vault.Audit
// takes it, presumably to decide which shares are still backed by a known,
// unrevoked public key — confirm.
type KeyIds struct {
	// contains filtered or unexported fields
}

func PublicKeyIds

func PublicKeyIds(keys []PublicKey) *KeyIds

func (*KeyIds) Has

func (k *KeyIds) Has(keyid string) bool

type ListenProxy

// ListenProxy abstracts how the host of a vault opening accepts incoming
// connections from the other key holders (see HostVaultOpen).
type ListenProxy interface {
	// Listen returns the listener that HostVaultOpen serves on.
	Listen() (net.Listener, error)
}

type OpenStatus

// OpenStatus receives progress callbacks while a vault is being opened by
// HostVaultOpen; implementations typically report them to the user.
type OpenStatus interface {
	// Started is called once the host is listening: host is the listen
	// address, keyid the host's own key identifier, and identities presumably
	// the names of the key holders whose shares the vault holds
	// (cf. Vault.Identities) — confirm.
	Started(host net.Addr, keyid string, identities []string)
	// ShareReceived is called for each share collected: who and number
	// identify the share, have is the count collected so far and needed the
	// count required to open the vault.
	ShareReceived(who, number string, have, needed int)
	// JoinFailed reports a join attempt that was rejected or failed.
	JoinFailed(err error)
}

type PassphraseFunc

// PassphraseFunc is called to obtain the passphrase protecting a private key
// (see LoadIdentity and NewIdentities); name identifies the key being unlocked.
type PassphraseFunc func(name string) (passphrase string, err error)

type Proxy

// Proxy is what NewBank requires: both sides of the network transport, so the
// same Bank can host a vault opening or join one.
type Proxy interface {
	ListenProxy
	DialProxy
}

type PublicKey

// PublicKey is a loaded SSH RSA public key of a key holder; shares are
// encrypted to it with EncryptShare.
type PublicKey struct {
	Name string         // name the key is stored under (see PublicKeys.Load)
	Id   string         // key identifier recorded in EncryptedShare.KeyId
	Key  *rsa.PublicKey // public key material
}

func LoadPublicKey

func LoadPublicKey(path string) (*PublicKey, error)

func (*PublicKey) EncryptShare

func (k *PublicKey) EncryptShare(share Share) (*EncryptedShare, error)

type PublicKeys

// PublicKeys manages the public keys stored in a directory (see NewPublicKeys):
// importing, loading, and revoking/unrevoking them.
type PublicKeys struct {
	// contains filtered or unexported fields
}

func NewPublicKeys

func NewPublicKeys(dir string) (*PublicKeys, error)

func (*PublicKeys) Import

func (ks *PublicKeys) Import(path string) (key *PublicKey, err error)

func (*PublicKeys) Load

func (ks *PublicKeys) Load(name string) (key *PublicKey, err error)

func (*PublicKeys) LoadAll

func (ks *PublicKeys) LoadAll() (out []PublicKey, err error)

func (*PublicKeys) LoadN

func (ks *PublicKeys) LoadN(names []string) (out []PublicKey, err error)

func (*PublicKeys) Revoke

func (ks *PublicKeys) Revoke(name string) (*PublicKey, error)

func (*PublicKeys) Unrevoke

func (ks *PublicKeys) Unrevoke(name string) (*PublicKey, error)

type Share

// Share is a plaintext Shamir share of a vault's key, as produced by SplitBytes
// and consumed by CombineBytes. Data is secret material — enough shares
// reconstruct the key — so a Vault stores shares only in encrypted form
// (EncryptedShare).
type Share struct {
	Number string // share number; presumably the index used by gfsplit/gfcombine — confirm
	Data   []byte // raw share bytes
}

func SplitBytes

func SplitBytes(data []byte, n, m int) (shares []Share, err error)

func SplitString

func SplitString(data string, n, m int) (shares []Share, err error)

type ShareAudit

// ShareAudit is the per-share result of Vault.Audit.
type ShareAudit struct {
	Number   string // share number (EncryptedShare.Number)
	Identity string // key holder the share is encrypted to
	KeyId    string // identifier of that holder's public key
	Safe     bool   // whether the share is still usable; presumably true when KeyId is in the audited KeyIds — confirm
}

type Vault

// Vault is the on-disk record of one encrypted secret. The secret is encrypted
// with a fresh key (EncryptBytes); that key is split into Shamir shares, each
// encrypted to one public key, and Needed of them must be recovered (Open) to
// decrypt Data again.
// NOTE(review): the JSON form carries no integrity tag over Needed or Shares,
// and whether DecryptBytes authenticates Data is not visible from this API —
// confirm an authenticated cipher is used.
type Vault struct {
	Name   string           `json:"-"`      // vault name; not serialized, presumably taken from the file name by LoadVault — confirm
	Nonce  string           `json:"nonce"`  // nonce for Data's encryption (see EncryptBytes/DecryptBytes); text encoding not visible here
	Needed int              `json:"needed"` // number of shares required to reconstruct the key (the n of "n of m")
	Shares []EncryptedShare `json:"shares"` // one encrypted share per key holder (m total)
	Data   string           `json:"data"`   // the encrypted secret; text encoding not visible here
}

func CreateVault

func CreateVault(name string, data []byte, pubkeys []PublicKey, n, m int) (
	vault *Vault, err error)

func LoadVault

func LoadVault(path string) (vault *Vault, err error)

func (*Vault) Audit

func (v *Vault) Audit(keyids *KeyIds) VaultAudit

func (*Vault) Identities

func (v *Vault) Identities() (out []string)

func (*Vault) LookupKeyId

func (v *Vault) LookupKeyId(keyid string) *EncryptedShare

func (*Vault) Open

func (v *Vault) Open(key_shares []Share) ([]byte, error)

func (*Vault) Save

func (v *Vault) Save(path string) (err error)

type VaultAudit

// VaultAudit is the result of auditing one vault: which of its shares are still
// safe against how many are needed. Safe counts the safe shares and Status
// summarizes the outcome as an AuditStatus.
type VaultAudit struct {
	Name   string       // vault name
	Needed int          // shares required to open the vault (Vault.Needed)
	Shares []ShareAudit // per-share audit results
}

func (*VaultAudit) Safe

func (va *VaultAudit) Safe() (n int)

func (*VaultAudit) Status

func (va *VaultAudit) Status() AuditStatus

type Vaults

// Vaults manages the vault files in a directory (see NewVaults): creating,
// listing and loading them.
type Vaults struct {
	// contains filtered or unexported fields
}

func NewVaults

func NewVaults(dir string) (*Vaults, error)

func (*Vaults) Create

func (vs *Vaults) Create(src string, pubkeys []PublicKey, n, m int) (
	*Vault, error)

func (*Vaults) List

func (vs *Vaults) List() ([]string, error)

func (*Vaults) Load

func (vs *Vaults) Load(name string) (vault *Vault, err error)

func (*Vaults) LoadAll

func (vs *Vaults) LoadAll() (out []Vault, err error)

Directories

Path Synopsis
bin
