Keyhouse
Keyhouse is a skeleton of general-purpose Key Management System. Keyhouse is not an off-the-shelf system, and it's not ready for production. It's a skeleton of KMS.
- Keyhouse depends on Spire based zero trust infrastructure.
- Keyhouse provides a control plane for users to manage their Customer Keys, and a data plane which responds to data key encoding/decoding requests for data encryption and decryption.
- Keyhouse provides a "secret service" which stores a piece of data and responds to inqueries.
- Keyhouse uses etcd for stage.
More info can be found in the CNCF Cloud Native Rust Day 2021 presentation pdf and video.
Keyhouse is only a Rust lib (not a bin). To implement a real KMS, you must implement the KeyhouseImpl trait:
pub trait KeyhouseImpl: Send + Sync + Clone + std::fmt::Debug {
type MasterKeyProvider: MasterKeyProvider + 'static; // Master key provider
type CustomerItem: CodingItem + 'static; // Customer Key codec
type IntermediateItem: CodingItem + 'static; // Intermediate Key codec
type ClientCoding: ClientCoding + 'static; // Data Key codec
type ControlPlaneAuth: ControlPlaneAuth + 'static; // Control plane authentication/authorization
type AlternateDataAuthToken: AlternateDataAuthToken + 'static; // Secondary token-based authentication
type AlternateDataAuthProvider: AlternateDataAuthProvider<Self::AlternateDataAuthToken> + 'static;
type KeyhouseExt: KeyhouseExt + 'static; // Handy functions for regioning/logging/authorization
}
We will provide a reference implementation in the future to provide:
- AES-256-GCM encryption for IntermediateKey/CustomerKey/DataKey/Secrets
- Go/C++/Python/Java client SDKs
- Sample setup of Spire based zero trust infrastructure and Keyhouse's integration
Documents
- Keyhouse Encryption
- Keyhouse SPIFFE Integration
- Keyhouse Backend Storage
- Keyhouse Data Plane
- Keyhouse Control Plane
Project structure
.
├── Cargo.lock # dependency lock file
├── Cargo.toml # main Cargo.toml
├── Readme.md
├── build.rs # project build script
├── certs # dummy certificate for testing
├── conf # dummy configurations
├── docs # open source documentation
├── examples # sample server
├── proto # grpc proto definition
├── src # source code
├── test_etcd # scripts to launch testing etcd service
├── tests # self-contained end-to-end roundtrip setup
└── vendor # vendored dependencies
Build
The default cargo build only builds the library.
Example server
cargo build --examples
The output binary is at ./target/debug/examples/server. This example does not contain real crypto primitives. It is intentional, as every user might have their own encryption standard.
fn encode_data_with_iv(&mut self, mut input: Vec<u8>, _iv: &[u8]) -> Result<Vec<u8>> {
if !input.is_empty() {
input[0] = input[0].wrapping_add(1);
}
input.reverse();
Ok(input)
}
fn decode_data_with_iv(&mut self, mut input: Vec<u8>, _iv: &[u8]) -> Result<Vec<u8>> {
input.reverse();
if !input.is_empty() {
input[0] = input[0].wrapping_sub(1);
}
Ok(input)
}
Testing
First, make sure you have this line in your /etc/hosts:
127.0.0.1 localtest.me
Then, start an etcd using ./test_etcd/local.sh and keep it running. Next, run
cargo test
Authors
and the fine folks at ByteDance
License
Apache 2.0
13 Jan 14, 2023
4 Feb 25, 2023
31 Jun 13, 2023
252 Dec 26, 2022
2 Aug 10, 2022
23 Nov 27, 2022
178 Jan 9, 2023
10 Nov 3, 2022
82 Nov 10, 2022
5 Feb 23, 2022
157 Dec 8, 2022
35 Mar 1, 2022
2 Sep 11, 2022
4 Nov 28, 2022
653 Jan 3, 2023
94 Jan 26, 2023
5 May 8, 2023
9 Nov 4, 2022
14 Apr 16, 2022