README
¶
Secure Production Identity for Key Encryption (SPIKE)
SPIKE is a lightweight secrets store that uses SPIFFE as its identity control plane.
SPIKE protects your secrets and helps your ops, SREs, and sysadmins
#sleepmore.
For more information, see the documentation.
The Elevator Pitch
SPIKE is a streamlined, highly reliable secrets store that leverages SPIFFE framework for strong, production-grade identity control.
Built with simplicity and high availability in mind, SPIKE empowers ops teams,
SREs, and sysadmins to protect sensitive data and #sleepmore by securing
secrets across distributed environments.
Key components include:
- SPIKE Nexus: The heart of SPIKE, handling secret encryption, decryption, and root key management.
- SPIKE Keeper: A redundancy mechanism that safely holds root keys in memory, enabling fast recovery if Nexus fails.
- SPIKE Pilot: A secure CLI interface, translating commands into mTLS API calls, reducing system vulnerability by containing all admin access.
- SPIKE Bootstrap: An initialization app to securely bootstrap the entire system and deliver root key shards to SPIKE Nexus.
With its minimal footprint and robust security, SPIKE provides peace of mind for your team and critical data resilience when it counts.
Project Maturity: Development 
SPIKE is a SPIFFE-affiliated project that has reached Development maturity as defined in the SPIFFE Project Lifecycle. This means:
- SPIKE is functionally stable and suitable for broader experimentation and community involvement.
- SPIKE is not yet production-ready, and certain features or interfaces may continue to evolve.
- Stability and polish are improving, but users should expect occasional bugs or breaking changes.
We invite developers and early adopters to explore, test, and contribute. Your input is invaluable in helping us shape a robust and reliable product.
Use in critical systems is not advised at this time. We'll announce when the project is ready for production adoption.
🦔 Thanks for your patience and support. We welcome your thoughts at 📬 team@spike.ist.
Getting Your Hands Dirty
Check out the quickstart guide to start playing with the project.
You can also read the documentation to learn more about SPIKE's architecture and design philosophy.
A Note on Security
We take SPIKE's security seriously. If you believe you have found a vulnerability, please responsibly disclose it to security@spike.ist.
See SECURITY.md for additional details.
Community
Open Source is better together.
If you are a security enthusiast, join SPIFFE's Slack Workspace and let us change the world together 🤘.
Links
- Homepage and Docs: https://spike.ist
- Community:
Folder Structure
Here are the important folders and files in this repository:
./app: Contains SPIKE components' source code:./app/nexus: SPIKE Nexus (secrets store)./app/keeper: SPIKE Keeper (root key redundancy)./app/spike: SPIKE Pilot (CLI)./app/bootstrap: SPIKE Bootstrap (initialization)./app/demo: Demo workloads for testing
./internal: Internal modules shared among SPIKE components../config: Configuration files to run SPIRE in development../docs-src: Documentation source files../docs: Generated documentation.
./hack: Scripts for building and testing../examples: Usage examples../makefiles: Makefiles for building and testing../ci: CI/CD configuration../dockerfiles: Container build files../assets: Images and other static assets.
Code Of Conduct
Contributing
To contribute to SPIKE, follow the contributing guidelines to get started.
Use GitHub issues to request features or file bugs.
Communications
License
Directories
¶
| Path | Synopsis |
|---|---|
|
bootstrap/cmd
command
|
|
|
bootstrap/internal/lifecycle
Package lifecycle manages the bootstrap lifecycle for SPIKE.
|
Package lifecycle manages the bootstrap lifecycle for SPIKE. |
|
bootstrap/internal/net
Package net provides network communication utilities for SPIKE Bootstrap.
|
Package net provides network communication utilities for SPIKE Bootstrap. |
|
bootstrap/internal/state
Package state manages the cryptographic state for SPIKE Bootstrap.
|
Package state manages the cryptographic state for SPIKE Bootstrap. |
|
demo/cmd
command
|
|
|
keeper/cmd
command
|
|
|
keeper/internal/net
Package net provides network server utilities for SPIKE Keeper.
|
Package net provides network server utilities for SPIKE Keeper. |
|
keeper/internal/route/base
Package base provides the core routing logic for the SPIKE application's HTTP server.
|
Package base provides the core routing logic for the SPIKE application's HTTP server. |
|
keeper/internal/route/store
Package store provides HTTP route handlers for SPIKE Keeper's shard management operations.
|
Package store provides HTTP route handlers for SPIKE Keeper's shard management operations. |
|
keeper/internal/state
Package state provides thread-safe utilities for securely managing and accessing a global shard value.
|
Package state provides thread-safe utilities for securely managing and accessing a global shard value. |
|
nexus/cmd
command
|
|
|
nexus/internal/initialization
Package initialization handles SPIKE Nexus startup based on the configured backend store type.
|
Package initialization handles SPIKE Nexus startup based on the configured backend store type. |
|
nexus/internal/initialization/recovery
Package recovery implements root key management and disaster recovery for SPIKE Nexus using Shamir's Secret Sharing scheme.
|
Package recovery implements root key management and disaster recovery for SPIKE Nexus using Shamir's Secret Sharing scheme. |
|
nexus/internal/net
Package net provides network server utilities for SPIKE Nexus.
|
Package net provides network server utilities for SPIKE Nexus. |
|
nexus/internal/route/acl/policy
Package policy provides HTTP route handlers for access control policy management in SPIKE Nexus.
|
Package policy provides HTTP route handlers for access control policy management in SPIKE Nexus. |
|
nexus/internal/route/base
Package base contains the fundamental building blocks and core functions for handling HTTP requests in the SPIKE Nexus application.
|
Package base contains the fundamental building blocks and core functions for handling HTTP requests in the SPIKE Nexus application. |
|
nexus/internal/route/bootstrap
Package bootstrap provides HTTP route handlers for SPIKE Bootstrap verification endpoints.
|
Package bootstrap provides HTTP route handlers for SPIKE Bootstrap verification endpoints. |
|
nexus/internal/route/cipher
Package cipher provides HTTP route handlers for encryption and decryption operations in SPIKE Nexus.
|
Package cipher provides HTTP route handlers for encryption and decryption operations in SPIKE Nexus. |
|
nexus/internal/route/operator
Package operator provides HTTP route handlers for SPIKE Nexus operator operations.
|
Package operator provides HTTP route handlers for SPIKE Nexus operator operations. |
|
nexus/internal/route/secret
Package secret provides HTTP route handlers for secret management operations in SPIKE Nexus.
|
Package secret provides HTTP route handlers for secret management operations in SPIKE Nexus. |
|
nexus/internal/state/backend
Package backend defines the storage interface for SPIKE Nexus.
|
Package backend defines the storage interface for SPIKE Nexus. |
|
nexus/internal/state/backend/lite
Package lite provides an encryption-only backend implementation for SPIKE Nexus.
|
Package lite provides an encryption-only backend implementation for SPIKE Nexus. |
|
nexus/internal/state/backend/memory
Package memory provides a fully functional in-memory storage backend for SPIKE Nexus.
|
Package memory provides a fully functional in-memory storage backend for SPIKE Nexus. |
|
nexus/internal/state/backend/noop
Package noop provides a no-operation storage backend for SPIKE Nexus.
|
Package noop provides a no-operation storage backend for SPIKE Nexus. |
|
nexus/internal/state/backend/sqlite
Package sqlite provides a persistent, encrypted SQLite storage backend for SPIKE Nexus.
|
Package sqlite provides a persistent, encrypted SQLite storage backend for SPIKE Nexus. |
|
nexus/internal/state/backend/sqlite/ddl
Package ddl contains SQL statements for the SQLite backend.
|
Package ddl contains SQL statements for the SQLite backend. |
|
nexus/internal/state/backend/sqlite/persist
Package persist provides the SQLite persistence layer implementation for SPIKE Nexus.
|
Package persist provides the SQLite persistence layer implementation for SPIKE Nexus. |
|
nexus/internal/state/base
Package base provides the high-level state management API for SPIKE Nexus.
|
Package base provides the high-level state management API for SPIKE Nexus. |
|
nexus/internal/state/persist
Package persist manages the global backend instance for SPIKE Nexus.
|
Package persist manages the global backend instance for SPIKE Nexus. |
|
spike/cmd
command
|
|
|
spike/internal/cmd
Package cmd provides the command-line interface for SPIKE Pilot, the CLI tool for interacting with SPIKE Nexus.
|
Package cmd provides the command-line interface for SPIKE Pilot, the CLI tool for interacting with SPIKE Nexus. |
|
spike/internal/cmd/cipher
Package cipher provides cryptographic operations for encrypting and decrypting data through SPIKE Nexus.
|
Package cipher provides cryptographic operations for encrypting and decrypting data through SPIKE Nexus. |
|
spike/internal/cmd/operator
Package operator provides CLI commands for SPIKE Nexus administrative operations.
|
Package operator provides CLI commands for SPIKE Nexus administrative operations. |
|
spike/internal/cmd/policy
Package policy implements SPIKE CLI commands for managing access control policies.
|
Package policy implements SPIKE CLI commands for managing access control policies. |
|
spike/internal/cmd/secret
Package secret implements SPIKE CLI commands for managing secrets.
|
Package secret implements SPIKE CLI commands for managing secrets. |
|
spike/internal/stdout
Package stdout provides utilities for printing formatted messages to standard output.
|
Package stdout provides utilities for printing formatted messages to standard output. |
|
spike/internal/trust
Package trust provides functions and utilities to manage and validate trust relationships using the SPIFFE standard.
|
Package trust provides functions and utilities to manage and validate trust relationships using the SPIFFE standard. |
|
ci
|
|
|
test
command
|
|
|
internal
|
|
|
auth
Package auth provides authentication utilities for SPIFFE-based operations in SPIKE.
|
Package auth provides authentication utilities for SPIFFE-based operations in SPIKE. |
|
config
Package config provides configuration-related functionalities for the SPIKE system, including version constants and directory management for storing encrypted backups and secrets securely.
|
Package config provides configuration-related functionalities for the SPIKE system, including version constants and directory management for storing encrypted backups and secrets securely. |
|
journal
Package journal provides audit logging for SPIKE components.
|
Package journal provides audit logging for SPIKE components. |
|
net
Package net provides HTTP utilities for SPIKE components.
|
Package net provides HTTP utilities for SPIKE components. |
|
out
Package out provides utility functions for application initialization output, including banner display and memory locking operations.
|
Package out provides utility functions for application initialization output, including banner display and memory locking operations. |
|
validation
Package validation provides runtime validation helpers for SPIKE components.
|
Package validation provides runtime validation helpers for SPIKE components. |
Click to show internal directories.
Click to hide internal directories.