Consensys / web3signer

Web3Signer is an open-source signing service capable of signing on multiple platforms (Ethereum1 and 2, Filecoin) using private keys stored in an external vault, or encrypted on a disk.
https://docs.web3signer.consensys.net/
Apache License 2.0

Implement `unixSocket` as an option for communicating with Vault #972

Open gg718 opened 4 months ago

gg718 commented 4 months ago

I'm currently running a Vault Proxy sidecar alongside Web3Signer to handle auth and forward requests to Vault.

Each key file looks something like this:

keyName: key
keyPath: /v1/secret/data/holesky/12345
keyType: BLS
serverHost: localhost
serverPort: 8200
timeout: 30000
tlsEnabled: false
token: unused_handled_by_vault_proxy
type: hashicorp

In order to improve security (and, to a minimal extent, performance), it would be great to be able to configure Vault Proxy to use unix sockets:

listener "unix" {
  address = "/var/run/vault.sock"
}

and then specify:

unixSocket: /var/run/vault.sock

Rather than:

serverHost: localhost
serverPort: 8200

As it stands, any user able to access that port (e.g. via kubectl port-forward) can easily make authenticated requests to Vault via port 8200. Being able to send requests via a unix socket would improve the situation.
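As an added illustration (not Web3Signer's or Vault's own code) of what the proposed `unixSocket` option buys over `serverHost`/`serverPort`: the client below refuses a socket file that other users could connect to, then performs the same `GET` a key file's `keyPath` implies over that socket. It assumes a Vault Proxy `listener "unix"` at the socket path; the embedded server and the `0xdeadbeef` value are constructed stand-ins so it runs offline, and the names `check_socket_permissions`, `UnixHTTPConnection`, `read_secret` and `demo` are hypothetical.

```python
import http.client, json, os, socket, stat, tempfile, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def check_socket_permissions(path):
    # Only trust a real unix socket owned by this uid that nobody else can write to
    # (connect() needs write permission on it); a localhost TCP port offers no such control.
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError(f"{path} is not a unix socket")
    if st.st_uid != os.getuid() or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path}: uid {st.st_uid}, mode {oct(st.st_mode)}")

class UnixHTTPConnection(http.client.HTTPConnection):
    # Plain HTTP over a unix socket, in place of serverHost/serverPort.
    def __init__(self, sock_path):
        super().__init__("localhost")
        self.sock_path = sock_path
    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.sock_path)

def read_secret(sock_path, key_path, token="unused_handled_by_vault_proxy"):
    # The GET /v1/secret/data/... that a key file's keyPath resolves to (KV v2 layout).
    check_socket_permissions(sock_path)
    conn = UnixHTTPConnection(sock_path)
    conn.request("GET", key_path, headers={"X-Vault-Token": token})
    body = json.loads(conn.getresponse().read())
    conn.close()
    return body["data"]["data"]

class _FakeVaultProxy(BaseHTTPRequestHandler):  # constructed stand-in, offline only
    def do_GET(self):  # serves one constructed KV v2 secret in Vault's response shape
        payload = json.dumps({"data": {"data": {"value": "0xdeadbeef"}}}).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)
    log_message = lambda self, *a: None  # client_address is '' over AF_UNIX
class _UnixHTTPServer(HTTPServer):
    address_family = socket.AF_UNIX
    server_bind = lambda self: self.socket.bind(self.server_address)  # skip host/port bookkeeping

def demo():
    sock_path = os.path.join(tempfile.mkdtemp(), "vault.sock")
    old = os.umask(0o077)  # socket file is created 0700: only this uid can connect
    srv = _UnixHTTPServer(sock_path, _FakeVaultProxy)
    os.umask(old)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    secret = read_secret(sock_path, "/v1/secret/data/holesky/12345")
    srv.shutdown(); srv.server_close()
    return secret
```

With a real Vault Proxy the listener's socket file should be created with the same restrictive mode (or placed in a directory only the Web3Signer user can enter), otherwise the check above fails for good reason.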