Keyhouse is a skeleton of general-purpose Key Management System. Keyhouse is not an off-the-shelf system, and it's not ready for production. It's a skeleton of KMS.
More info can be found in the CNCF Cloud Native Rust Day 2021 presentation pdf and video.
Keyhouse is only a Rust lib
(not a bin
). To implement a real KMS, you must implement the KeyhouseImpl
trait:
pub trait KeyhouseImpl: Send + Sync + Clone + std::fmt::Debug {
type MasterKeyProvider: MasterKeyProvider + 'static; // Master key provider
type CustomerItem: CodingItem + 'static; // Customer Key codec
type IntermediateItem: CodingItem + 'static; // Intermediate Key codec
type ClientCoding: ClientCoding + 'static; // Data Key codec
type ControlPlaneAuth: ControlPlaneAuth + 'static; // Control plane authentication/authorization
type AlternateDataAuthToken: AlternateDataAuthToken + 'static; // Secondary token-based authentication
type AlternateDataAuthProvider: AlternateDataAuthProvider<Self::AlternateDataAuthToken> + 'static;
type KeyhouseExt: KeyhouseExt + 'static; // Handy functions for regioning/logging/authorization
}
We will provide a reference implementation in the future to provide:
.
├── Cargo.lock # dependency lock file
├── Cargo.toml # main Cargo.toml
├── Readme.md
├── build.rs # project build script
├── certs # dummy certificate for testing
├── conf # dummy configurations
├── docs # open source documentation
├── examples # sample server
├── proto # grpc proto definition
├── src # source code
├── test_etcd # scripts to launch testing etcd service
├── tests # self-contained end-to-end roundtrip setup
└── vendor # vendored dependencies
The default cargo build
only builds the library.
cargo build --examples
The output binary is at ./target/debug/examples/server
. This example does not contain real crypto primitives. It is intentional, as every user might have their own encryption standard.
fn encode_data_with_iv(&mut self, mut input: Vec<u8>, _iv: &[u8]) -> Result<Vec<u8>> {
if !input.is_empty() {
input[0] = input[0].wrapping_add(1);
}
input.reverse();
Ok(input)
}
fn decode_data_with_iv(&mut self, mut input: Vec<u8>, _iv: &[u8]) -> Result<Vec<u8>> {
input.reverse();
if !input.is_empty() {
input[0] = input[0].wrapping_sub(1);
}
Ok(input)
}
First, make sure you have this line in your /etc/hosts
:
127.0.0.1 localtest.me
Then, start an etcd using ./test_etcd/local.sh
and keep it running. Next, run
cargo test
and the fine folks at ByteDance
Apache 2.0