Keyhouse is a skeleton of general-purpose Key Management System written in Rust.

Overview

Keyhouse

Keyhouse is a skeleton of general-purpose Key Management System. Keyhouse is not an off-the-shelf system, and it's not ready for production. It's a skeleton of KMS.

  • Keyhouse depends on Spire based zero trust infrastructure.
  • Keyhouse provides a control plane for users to manage their Customer Keys, and a data plane which responds to data key encoding/decoding requests for data encryption and decryption.
  • Keyhouse provides a "secret service" which stores a piece of data and responds to inqueries.
  • Keyhouse uses etcd for stage.

More info can be found in the CNCF Cloud Native Rust Day 2021 presentation pdf and video.

Keyhouse is only a Rust lib (not a bin). To implement a real KMS, you must implement the KeyhouseImpl trait:

pub trait KeyhouseImpl: Send + Sync + Clone + std::fmt::Debug {
    type MasterKeyProvider: MasterKeyProvider + 'static; // Master key provider
    type CustomerItem: CodingItem + 'static;             // Customer Key codec
    type IntermediateItem: CodingItem + 'static;         // Intermediate Key codec
    type ClientCoding: ClientCoding + 'static;           // Data Key codec
    type ControlPlaneAuth: ControlPlaneAuth + 'static;   // Control plane authentication/authorization
    type AlternateDataAuthToken: AlternateDataAuthToken + 'static; // Secondary token-based authentication
    type AlternateDataAuthProvider: AlternateDataAuthProvider<Self::AlternateDataAuthToken> + 'static;
    type KeyhouseExt: KeyhouseExt + 'static;             // Handy functions for regioning/logging/authorization
}

We will provide a reference implementation in the future to provide:

  • AES-256-GCM encryption for IntermediateKey/CustomerKey/DataKey/Secrets
  • Go/C++/Python/Java client SDKs
  • Sample setup of Spire based zero trust infrastructure and Keyhouse's integration

Documents

Project structure

.
├── Cargo.lock              # dependency lock file
├── Cargo.toml              # main Cargo.toml
├── Readme.md
├── build.rs                # project build script
├── certs                   # dummy certificate for testing
├── conf                    # dummy configurations
├── docs                    # open source documentation
├── examples                # sample server
├── proto                   # grpc proto definition
├── src                     # source code
├── test_etcd               # scripts to launch testing etcd service
├── tests                   # self-contained end-to-end roundtrip setup
└── vendor                  # vendored dependencies

Build

The default cargo build only builds the library.

Example server

cargo build --examples

The output binary is at ./target/debug/examples/server. This example does not contain real crypto primitives. It is intentional, as every user might have their own encryption standard.

fn encode_data_with_iv(&mut self, mut input: Vec<u8>, _iv: &[u8]) -> Result<Vec<u8>> {
    if !input.is_empty() {
        input[0] = input[0].wrapping_add(1);
    }
    input.reverse();
    Ok(input)
}

fn decode_data_with_iv(&mut self, mut input: Vec<u8>, _iv: &[u8]) -> Result<Vec<u8>> {
    input.reverse();
    if !input.is_empty() {
        input[0] = input[0].wrapping_sub(1);
    }
    Ok(input)
}

Testing

First, make sure you have this line in your /etc/hosts:

127.0.0.1 localtest.me

Then, start an etcd using ./test_etcd/local.sh and keep it running. Next, run

cargo test

Authors

and the fine folks at ByteDance

License

Apache 2.0

You might also like...
As part of the IOP Stack™ Morpheus is a toolset to have gatekeeper-free identity management and verifiable claims as a 2nd layer on top of a blockchain

Internet of People Internet of People (IoP) is a software project creating a decentralized software stack that provides the building blocks and tools

Rapid, reliable and robust template management

Rapid, reliable and robust template management

Tickets.rs - A Ticket Management Tool
Tickets.rs - A Ticket Management Tool

Tickets.rs - A Ticket Management Tool Tickets.rs is a Desktop application made with egui, that is used for managing and modifying Tickets (or Issues,

A terminal-based daily task management tool with minimal overhead
A terminal-based daily task management tool with minimal overhead

Arenta A terminal-based daily task management tool with minimal overhead. Demo Features Complete CRUD support of daily tasks with intuitive syntax Vis

Token management program (vesting and mining) implemented in Anchor
Token management program (vesting and mining) implemented in Anchor

Deep Dive into Anchor by Implementing Token Management Program Author: @ironaddicteddog, @emersonliuuu [Updated at 2022.5.21] You can find the full co

X25519 elliptic curve Diffie-Hellman key exchange in pure-Rust, using curve25519-dalek.
X25519 elliptic curve Diffie-Hellman key exchange in pure-Rust, using curve25519-dalek.

x25519-dalek A pure-Rust implementation of x25519 elliptic curve Diffie-Hellman key exchange, with curve operations provided by curve25519-dalek. This

Pure Rust implementations of the key-committing (and context-committing) AEADs

kc-aeads Pure Rust implementations of the key-committing (and context-committing) AEADs defined in Bellare and Hoang '22. Crash course on the paper: T

HD wallet BIP-32 related key derivation utilities.

HDWallet Docs HD wallet(BIP-32) key derivation utilities. This crate is build upon secp256k1 crate, this crate only provides BIP-32 related features,

An implementation of the OPAQUE password-authenticated key exchange protocol

The OPAQUE key exchange protocol OPAQUE is an asymmetric password-authenticated key exchange protocol. It allows a client to authenticate to a server

Comments
  • cargo audit give errors and warnings

    cargo audit give errors and warnings

    Run "cargo audit" gives following errors:

    Crate: brotli-sys Version: 0.3.2 Title: Integer overflow in the bundled Brotli C library Date: 2021-12-20 ID: RUSTSEC-2021-0131 URL: https://rustsec.org/advisories/RUSTSEC-2021-0131 Solution: No safe upgrade is available! Dependency tree: brotli-sys 0.3.2 └── brotli2 0.3.2 └── actix-http 3.0.0-beta.10 └── actix-web 4.0.0-beta.9 └── keyhouse 0.1.0

    Crate: chrono Version: 0.4.19 Title: Potential segfault in localtime_r invocations Date: 2020-11-10 ID: RUSTSEC-2020-0159 URL: https://rustsec.org/advisories/RUSTSEC-2020-0159 Solution: No safe upgrade is available! Dependency tree: chrono 0.4.19 ├── x509-parser 0.9.2 │ └── spire-workload 1.1.4 │ └── keyhouse 0.1.0 ├── simple_asn1 0.4.1 │ └── jsonwebtoken 7.2.0 │ └── spire-workload 1.1.4 ├── sentry-types 0.23.0 │ └── sentry-core 0.23.0 │ ├── sentry-panic 0.23.0 │ │ └── sentry 0.23.0 │ │ └── keyhouse 0.1.0 │ ├── sentry-contexts 0.23.0 │ │ └── sentry 0.23.0 │ ├── sentry-backtrace 0.23.0 │ │ ├── sentry-panic 0.23.0 │ │ └── sentry 0.23.0 │ └── sentry 0.23.0 └── sentry-core 0.23.0

    Crate: time Version: 0.1.43 Title: Potential segfault in the time crate Date: 2020-11-18 ID: RUSTSEC-2020-0071 URL: https://rustsec.org/advisories/RUSTSEC-2020-0071 Solution: Upgrade to >=0.2.23 Dependency tree: time 0.1.43

    Crate: net2 Version: 0.2.37 Warning: unmaintained Title: net2 crate has been deprecated; use socket2 instead Date: 2020-05-01 ID: RUSTSEC-2020-0016 URL: https://rustsec.org/advisories/RUSTSEC-2020-0016 Dependency tree: net2 0.2.37 ├── miow 0.2.2 └── mio 0.6.23

    Crate: stdweb Version: 0.4.20 Warning: unmaintained Title: stdweb is unmaintained Date: 2020-05-04 ID: RUSTSEC-2020-0056 URL: https://rustsec.org/advisories/RUSTSEC-2020-0056 Dependency tree: stdweb 0.4.20 └── time 0.2.27

    Crate: sha2 Version: 0.9.8 Warning: yanked Dependency tree: sha2 0.9.8 └── keyhouse 0.1.0

    opened by niczy 0
Multi Party Key Management System (KMS) for Secp256k1 Elliptic curve based digital signatures.

Key Management System (KMS) for curve Secp256k1 Multi Party Key Management System (KMS) for Secp256k1 Elliptic curve based digital signatures. Introdu

[ZenGo X] 61 Dec 28, 2022
Battery-included Solana/Anchor project skeleton.

Anchor Skeleton Battery-included Solana/Anchor project skeleton. Features Rust test only: All tests (integration, unit) are written in Rust, so the co

Weiyuan Wu 5 Feb 23, 2022
A suite of programs for Solana key management and security.

?? goki Goki is a suite of programs for Solana key management and security. It currently features: Goki Smart Wallet: A wallet loosely based on the Se

Goki Protocol 157 Dec 8, 2022
🧑‍✈ Version control and key management for Solana programs.

captain ??‍✈️ Version control and key management for Solana programs. Automatic versioning of program binaries based on Cargo Separation of deployer a

Saber 35 Mar 1, 2022
Project Masterpass is a deterministic databaseless key management algorithm, aimed to help those who cannot protect their encryption keys in storage

Project Masterpass (working title) Attention! This project is still under heavy development, and SHOULD NOT be used in practice, as the algorithms cou

Gyorgy Wang 2 Sep 11, 2022
A general solution for commonly used crypt in rust, collection of cryptography-related traits and algorithms.

Crypto-rs A general solution for commonly used crypt in rust, collection of cryptography-related traits and algorithms. This is a Rust implementation

houseme 4 Nov 28, 2022
RISC Zero is a zero-knowledge verifiable general computing platform based on zk-STARKs and the RISC-V microarchitecture.

RISC Zero WARNING: This software is still experimental, we do not recommend it for production use (see Security section). RISC Zero is a zero-knowledg

RISC Zero 653 Jan 3, 2023
MevWallet is a smart contract wallet that allows the user to capture MEV from Searchers, or create MEV on purpose.

MevWallet MevWallet is a smart contract wallet that allows the user to capture MEV from Searchers, or create MEV on purpose. This repo contains the so

Blunt Instruments 94 Jan 26, 2023
Ethereum key tool - Lightweight CLI tool to deal with ETH keys written in rust

ekt - Etherum Key Tool ekt is a lightweight tool to generate ethereum keys and addresses. Installation Either clone it and run it with cargo or instal

null 5 May 8, 2023
🔐 UPLINK is a Rust lightweight (2MB) tool for file transfer and remote management that uses AES-GCM and Envelope Encryption over WebSockets.

UPLINK ░▒▓█▓▒░░▒▓█▓▒░▒▓███████▓▒░░▒▓█▓▒░ ░▒▓█▓▒░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░ ░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█

Krystian Bajno 5 Sep 28, 2024