Hyperswitch Card Vault is an open-source sensitive information storage system built on Rust.

Overview

Tartarus - Rust Locker

The Hyperswitch Card Vault (Tartarus) is a highly performant and secure vault for saving sensitive data such as payment card details, bank account details, etc.

It is designed in a polymorphic manner to handle and store any type of sensitive information, making it highly scalable with extensive coverage of payment methods and processors.

Tartarus is built with GDPR-compliant personally identifiable information (PII) storage and secure encryption algorithms so that it is fully compliant with PCI DSS requirements.

Here's a quick guide to Get Started with setting up Tartarus.

How does Tartarus work?

  • Your application will communicate with Tartarus via a middleware.
  • All requests and responses to and from the middleware are signed and encrypted with the JWS and JWE algorithms.
  • The locker supports CRD (create, retrieve, delete) APIs on the /data and /cards endpoints.
  • Cards are stored against the combination of merchant and customer identifiers.
  • Internal hashing checks are in place to avoid data duplication.
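As an added illustration of the deduplication and scoping rules above (example code written for this page, not part of Tartarus), a minimal in-memory locker: cards are keyed by merchant id, customer id and a keyed SHA-512 fingerprint of the normalised PAN, so a repeat add returns the existing id, and a retrieval from a different merchant or customer scope finds nothing. The `Locker` class, `fingerprint` helper and `HASH_KEY` are assumptions; sha512 is the hashing algorithm the project's issue tracker names, and the keyed (HMAC) variant is this example's choice.

```python
import hashlib
import hmac
import secrets
import uuid

# Constructed hashing key for this example only; a real locker would derive it
# from the master key described under Key Hierarchy. Never hard-code one.
HASH_KEY = secrets.token_bytes(32)


def fingerprint(card_number: str, key: bytes = HASH_KEY) -> str:
    """Keyed SHA-512 over the normalised PAN: equal cards collide even with spaces
    or dashes, and the key stops table readers from hashing every valid PAN."""
    pan = "".join(ch for ch in card_number if ch.isdigit())
    return hmac.new(key, pan.encode(), hashlib.sha512).hexdigest()


class Locker:
    """Hypothetical stand-in for the /cards create-retrieve-delete API. Only the
    fingerprint and metadata are kept; the encrypted card payload is omitted."""

    def __init__(self) -> None:
        self._records: dict[tuple[str, str, str], dict] = {}

    def add(self, merchant_id: str, customer_id: str, card_number: str):
        """Return (card_id, is_duplicate). Uniqueness is per merchant and
        customer, so the same PAN added twice yields the existing id."""
        fp = fingerprint(card_number)
        key = (merchant_id, customer_id, fp)
        if key in self._records:
            return self._records[key]["card_id"], True
        record = {"card_id": str(uuid.uuid4()), "hash_algorithm": "sha512",
                  "fingerprint": fp}   # algorithm label stored beside the hash
        self._records[key] = record
        return record["card_id"], False

    def retrieve(self, merchant_id: str, customer_id: str, card_id: str):
        """Look up a card only inside the caller's merchant/customer scope, so a
        card id leaked across tenants resolves to nothing."""
        for (m, c, _), rec in self._records.items():
            if (m, c) == (merchant_id, customer_id) and rec["card_id"] == card_id:
                return rec
        return None

    def delete(self, merchant_id: str, customer_id: str, card_id: str) -> bool:
        for key, rec in list(self._records.items()):
            if key[:2] == (merchant_id, customer_id) and rec["card_id"] == card_id:
                del self._records[key]
                return True
        return False
```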

General Work Flow

Key Hierarchy

  • Master Key - an AES key, encrypted and decrypted by the custodian keys, that is used to run the locker and its associated configurations.
  • Custodian Keys - an AES key used to encrypt and decrypt the master key. It is split into two keys (key 1 and key 2) held by two separate custodians to enhance security.

Setup Guide

Follow this guide to set up Tartarus - Get Started

Comments
  • feat(middleware): add a middleware to verify the communication between tenant and locker

    feat(middleware): add a middleware to verify the communication between tenant and locker

    This PR adds the middleware that verifies that the communication between the locker and the tenant is JWS signed and JWE encrypted.

    -> I have tested it through Postman.

    -> test case

    curl --location 'http://localhost:8080/data/add' \
    --header 'Content-Type: application/json' \
    --header 'Cookie: JSESSIONID.130f0e8f=node01ix1y16yw8z3v1m3nwkr4qbiwb6.node0' \
    --data 'eyJlbmMiOiJBMjU2R0NNIiwidHlwIjoiSldUIiwiYWxnIjoiUlNBLU9BRVAtMjU2In0.tIsj8UjaA5xAY_yytYrc94PZS4Ma3RWn5kZAG5lWZXbkwwmjvCoG-26m9DWnd5ZBMl97OiZNTi7-LVBCEyczRkqZ25vYhqvRhHr2WDuksGEIl1i9rui93tbMmf4UWeeVD3S_6lw5GQLc7jXyyWVzKS1J-hxZ2ZXBGiOlSoo0Ua8Njhh0DkzUq6tO5ttBbYqQf7vAhI-AaRu4W7dlC8LKNhZAmPNKn9diQ5Aae75M7606gvdVFlwXTTdWAERdA-7NyMMhJxpgt2bU7C4DZKGdEWEDKe89SqEzIC0dCJ2gLgOnqFHOuwKaCUVV6T10kuUdATqCH_r9CBuXdXgJadpGKQ.jjy9UvpqGuQ52pE1.xdIJWCVoSREhR1nA2bOnJXT3Pnm4P50Oe-WNOTwWDos0cS1b-45TdtFlnB9OZi-eNX7LixMh3cIV6bP2UJ3K5BDRUamcT55J95M5VQ5MBX9ywu47mE-e4VYRRB52VzRebND6tAGP4z8jWUIVYRr9375QFFJY4lt7jSn-7FWNeKVWyh9x8_vGMAjFIUIgbuvXO-OvPB-pNyRXESzBLkb_oODhxMRzJhr6uyzMOPG_sCGIvorPAWiFIsPMNgLacKD8J1McusaioGjP1a6IS3GW8QUiONgZC6JRUTypJTixehOpVZ5JFFgT-JDc_FEqSCLkDoiub2cD0rS3WeXYbpolKn4YbXV34NXSB3iSy04iaTi54IRXwzW7x7iEcF2BZsuI7GegbPktMIkTx5cZ7O6hASE9nQ2Finy0axzeeDVcySqe6M4Ox3s-u8Qo0XxZ_vXeWBotQ8EaN5rddGn_3q6PoBr6_71rO9dUzHLTWsxatAib2HU12lZNqJj2sRT0yd38qbr_M38kl5bV69X8G_zuxvB70PCB9t0Q925-ril8glG-IbFruo8DivrJqLVp_WAatlQV7SvHYy5E0tLofreU5g3SsyvKX5qQ4s_vev7i2cSEUKaBHjM42lnfMA-ZJJaoWXfmFKTKgCu00lo_kHaQX3i4BZhM4Et1-hVgKYgARS-CO5muWTkYGhHUvQ.NrNzu_vsH8s3DFo-4NPfGw'
    
    opened by ShankarSinghC 2
  • CI: add workflow for releasing new version with building and pushing image to dockerhub

    CI: add workflow for releasing new version with building and pushing image to dockerhub

    This PR adds 2 workflows

    • Release new version (Triggered manually): This workflow will create a new tag, generate changelog and release notes
    • Build and push docker image (Triggered manually, on pushing tags): This workflow will build a docker image and push it to docker hub
    opened by Chethan-rao 0
  • fix(error): rewrite the error framework with custom change contexts

    fix(error): rewrite the error framework with custom change contexts

    Description

    Introducing a new framework for handling errors. This framework internally converts the error while maintaining the log trail, which reduces the need to manually perform change_context while providing more details around how the error needs to be propagated.

    design 
    opened by NishantJoshi00 0
  • feat(utils): add utils binary for key generation

    feat(utils): add utils binary for key generation

    Description

    Adding CLI tool to generate keys and any future external requirement of the locker.

    Currently supports

    • Generating master key
    • Generating key custodian keys
    opened by NishantJoshi00 0
  • [ENHANCEMENT] Implement Metrics framework to be used in the locker

    [ENHANCEMENT] Implement Metrics framework to be used in the locker

    Description

    Implement the metrics framework for the locker including the appropriate metrics required to track the health, liveliness and the usage of the locker

    opened by NishantJoshi00 0
  • [ENHANCEMENT] Add columns in database tables to mention the encryption and hashing algorithm used

    [ENHANCEMENT] Add columns in database tables to mention the encryption and hashing algorithm used

    Description

    The encryption algorithm used for any database-related encryption is GcmAes256 and the hashing algorithm used is sha512. That being said, if in future we decide to change the hashing algorithm and/or the encryption algorithm, it would be difficult to maintain backwards compatibility. This can be mitigated by having an identifier of the encryption/hashing algorithm used alongside the encrypted/hashed data.

    enhancement 
    opened by NishantJoshi00 0
  • [ENHANCEMENT] Improve the error propagation and define a standard structure to handle them

    [ENHANCEMENT] Improve the error propagation and define a standard structure to handle them

    Description

    Due to error-stack it's easy to simply change the context and propagate errors without much effort, but this definitely reduces the quality of the error propagation as there is no strict standard that the errors need to adhere to. This issue addresses this by discussing a more standardized way of handling errors, removing change_context from the code base and promoting a more declarative way of error handling instead of the current imperative way.

    Possible Approaches

    • Wrap the current error into a custom defined struct, create a specific context for all the layers/APIs and then define TryFrom implementation for them, internally handling the change contexts
    enhancement 
    opened by NishantJoshi00 0
  • [ENHANCEMENT] Add Support for Metrics on the APIs and other necessary components to track

    [ENHANCEMENT] Add Support for Metrics on the APIs and other necessary components to track

    Description

    Add support for exporting program level metrics outside the application. The preferred framework for adding metrics includes opentelemetry or exporting prometheus metrics.

    Sub Issues

    • [ ] #31
    • [ ] #32
    enhancement help wanted 
    opened by NishantJoshi00 0
  • [FEATURE] Multiple Tenants: Storage Layer for Multiple Tenants

    [FEATURE] Multiple Tenants: Storage Layer for Multiple Tenants

    Description

    This will require us to create a tenant table which will store the public key that will be used to communicate with the locker.

    Requirements

    • Create database schema with the appropriate fields
    • Create Interface to provide API to communicate with the database
    enhancement 
    opened by NishantJoshi00 0
Releases(v0.1.3)
  • v0.1.3 (Nov 24, 2023)

  • v0.1.2 (Nov 21, 2023)

    0.1.2 (2023-11-21)

    Features

    • card+config: Add cards API and config pulling feature (1c9569c) by @NishantJoshi00
    • cargo: Add limiting and release build improvements (22bdcdd) by @NishantJoshi00
    • db: Add variable pool size (#45) (0f6ee81) by @NishantJoshi00
    • docker:
      • Add Dockerfile (107f53b) by @NishantJoshi00
      • Add docker file and test it (031d813) by @NishantJoshi00
    • hash: Add support for detecting data duplication (6a23a7d) by @NishantJoshi00
    • key_custodian: Encrypt master key with 2 custodian keys (064dcca) by @Chethan-rao
    • kms:
      • Integrate kms feature (ead558d) by @Chethan-rao
      • Integrate kms feature (00bf1ae) by @Chethan-rao
    • loadtest: Add support for loadtesting (fcb0428) by @NishantJoshi00
    • logging: Add logging framework (427db97) by @Chethan-rao
    • ratelimit: Add rate limit to delete api (845296e) by @NishantJoshi00
    • trace: Add tracing middleware for tracing requests (2b00866) by @NishantJoshi00
    • utils: Add utils binary for key generation (c3edc13) by @NishantJoshi00

    Bug Fixes

    • error: Rewrite the error framework with custom change contexts (af78b58) by @NishantJoshi00
    • loadtest: Add jwe to loadtest (afcfd8c) by @NishantJoshi00
    • validation: Add key validation and card number validation (250ebfa) by @NishantJoshi00
    • Fix clippy errors in main (93d9eb4) by @NishantJoshi00
    • Clippy lints (083e2f2) by @Chethan-rao

    Refactors

    • kms: Enable kms feature for configs (18fb1fa) by @Chethan-rao
    • Address requested changes (39b53c6) by @Chethan-rao
    • Add logs to existing routes (6525abe) by @Chethan-rao
    • Address requested changes (3ae7a9c) by @Chethan-rao
    • Hex decode master_key (b85d656) by @Chethan-rao

    Testing

    • crypto: Add tests for jwe (8744683) by @NishantJoshi00

    Documentation

    • crate: Add documentation for functions and interfaces (5d9ab51) by @NishantJoshi00
    • openapi: Add openapi spec to docs (9b58830) by @NishantJoshi00
    • setup: Add setup guide for locker (6f30ce6) by @NishantJoshi00
    • setup + readme: Improved database setup guide and added title to readme (#43) (0e311a7) by @NishantJoshi00
    • Create LICENSE (#44) (e7f7db4) by @NishantJoshi00

    Miscellaneous Tasks

    • tartarus: Bump the crate version to 0.1.2 (ecaa860) by @NishantJoshi00
    • Minor fixes (d23284b) by @NishantJoshi00
    • Fmt check (40ce145) by @NishantJoshi00
    • Minor fixes (6755d82) by @NishantJoshi00
    • Remove unnecessary clones from routes (b4bdb10) by @NishantJoshi00
    • Fix clippy + fmt errors (94c93c3) by @NishantJoshi00
    • Fix dockerfile (3794d99) by @NishantJoshi00
    • Fix error message and and custom status code mapping (e29650f) by @NishantJoshi00
    • Fix minor bugs after adding stricter linting (f8d7ac0) by @NishantJoshi00
    • Address comments and fix cargo hack (88ca5ee) by @NishantJoshi00
    • Format yaml files (678ae44) by @NishantJoshi00
    • Remove commented code (f16c841) by @NishantJoshi00
    • Remove redundant keys (5898755) by @NishantJoshi00
    • Remove cargo.toml changes (f548350) by @NishantJoshi00
    • Add formatting for markdown (c67b4c1) by @NishantJoshi00
    • Remove commented code and println (d2b5873) by @NishantJoshi00
    • Update README.md (65cc26d) by @ShankarSinghC
    • Add semi-colon in migrations to make it work (5c10107) by @NishantJoshi00
    • Remove default changes (34c376c) by @NishantJoshi00
    • Add env variables in setup.md (ef998a2) by @NishantJoshi00
    • Move allow blocks to functions (379ad8a) by @NishantJoshi00
    • Add example config (fe8ea20) by @NishantJoshi00
    • Fix merge conflicts (c5c57f6) by @NishantJoshi00
Owner
Juspay Technologies
Design to simplify. Revolutionizing digital payments.