bytedance / keyhouse

Keyhouse is a skeleton of general-purpose Key Management System written in Rust.
https://static.sched.com/hosted_files/cloudnativerustdayeu21/55/Keyhouse-Bruce-Ding-Shekyan.pdf
Apache License 2.0

Keyhouse

Keyhouse is a skeleton of a general-purpose Key Management System (KMS). It is not an off-the-shelf system, and it is not ready for production: it is the skeleton of a KMS, not a complete one.

More info can be found in the CNCF Cloud Native Rust Day 2021 presentation pdf and video.

Keyhouse is only a Rust library (not a binary). To build a real KMS on it, you must implement the KeyhouseImpl trait:

pub trait KeyhouseImpl: Send + Sync + Clone + std::fmt::Debug {
    type MasterKeyProvider: MasterKeyProvider + 'static; // Master key provider
    type CustomerItem: CodingItem + 'static;             // Customer Key codec
    type IntermediateItem: CodingItem + 'static;         // Intermediate Key codec
    type ClientCoding: ClientCoding + 'static;           // Data Key codec
    type ControlPlaneAuth: ControlPlaneAuth + 'static;   // Control plane authentication/authorization
    type AlternateDataAuthToken: AlternateDataAuthToken + 'static; // Secondary token-based authentication
    type AlternateDataAuthProvider: AlternateDataAuthProvider<Self::AlternateDataAuthToken> + 'static; // Provider backing the secondary token-based authentication
    type KeyhouseExt: KeyhouseExt + 'static;             // Handy functions for regioning/logging/authorization
}

We will provide a reference implementation in the future to provide:

Documents

Project structure

.
├── Cargo.lock              # dependency lock file
├── Cargo.toml              # main Cargo.toml
├── Readme.md
├── build.rs                # project build script
├── certs                   # dummy certificate for testing
├── conf                    # dummy configurations
├── docs                    # open source documentation
├── examples                # sample server
├── proto                   # grpc proto definition
├── src                     # source code
├── test_etcd               # scripts to launch testing etcd service
├── tests                   # self-contained end-to-end roundtrip setup
└── vendor                  # vendored dependencies

Build

The default cargo build only builds the library.

Example server

cargo build --examples

The output binary is at ./target/debug/examples/server. This example does not contain real crypto primitives; that is intentional, as every user might have their own encryption standard.

// Placeholder data-key codec from the example server: it bumps the first byte
// and reverses the buffer. The IV is ignored. This is a stand-in, not encryption.
fn encode_data_with_iv(&mut self, mut input: Vec<u8>, _iv: &[u8]) -> Result<Vec<u8>> {
    if !input.is_empty() {
        input[0] = input[0].wrapping_add(1);
    }
    input.reverse();
    Ok(input)
}

// Inverse of the placeholder above: reverse first, then undo the first-byte bump.
fn decode_data_with_iv(&mut self, mut input: Vec<u8>, _iv: &[u8]) -> Result<Vec<u8>> {
    input.reverse();
    if !input.is_empty() {
        input[0] = input[0].wrapping_sub(1);
    }
    Ok(input)
}
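
Two checks worth running against any ClientCoding implementation before replacing the placeholder, as an added example that is not part of the Keyhouse repository: a round trip over edge-case inputs (empty buffer, 0xFF wrap-around) and an IV-sensitivity check that a real IV-based construction must pass. The toy codec is re-implemented here as free functions with assumed signatures so the block runs stand-alone; the IVs and plaintexts are constructed sample values.

```rust
// Toy placeholder codec from the example server, in free-function form
// (assumed signatures; not the crate's own ClientCoding trait methods).
fn toy_encode(mut input: Vec<u8>, _iv: &[u8]) -> Vec<u8> {
    if !input.is_empty() {
        input[0] = input[0].wrapping_add(1);
    }
    input.reverse();
    input
}

fn toy_decode(mut input: Vec<u8>, _iv: &[u8]) -> Vec<u8> {
    input.reverse();
    if !input.is_empty() {
        input[0] = input[0].wrapping_sub(1);
    }
    input
}

/// Check 1: decode(encode(p, iv), iv) == p for edge-case inputs
/// (empty, single byte, 0xFF wrap-around, longer buffer).
fn roundtrip_ok<E, D>(encode: E, decode: D) -> bool
where
    E: Fn(Vec<u8>, &[u8]) -> Vec<u8>,
    D: Fn(Vec<u8>, &[u8]) -> Vec<u8>,
{
    let iv = [0x01u8; 12]; // constructed sample IV
    let cases: Vec<Vec<u8>> = vec![vec![], vec![0x00], vec![0xFF], b"keyhouse".to_vec()];
    cases.into_iter().all(|p| decode(encode(p.clone(), &iv), &iv) == p)
}

/// Check 2: the IV must influence the output. A real AEAD or CTR-mode codec
/// produces different ciphertexts for the same plaintext under different IVs;
/// the toy codec ignores its IV, so this check returns false for it.
fn iv_sensitive<E>(encode: E) -> bool
where
    E: Fn(Vec<u8>, &[u8]) -> Vec<u8>,
{
    let plaintext = b"same plaintext".to_vec(); // constructed sample input
    let iv_a = [0x00u8; 12];
    let iv_b = [0xFFu8; 12];
    encode(plaintext.clone(), &iv_a) != encode(plaintext, &iv_b)
}

fn main() {
    println!("roundtrip ok:  {}", roundtrip_ok(toy_encode, toy_decode)); // true
    println!("iv sensitive:  {}", iv_sensitive(toy_encode));             // false
}
```

A real implementation should pass both checks; the placeholder passes only the round trip, which is exactly why the README warns it is not real crypto.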

Testing

First, make sure you have this line in your /etc/hosts:

127.0.0.1 localtest.me

Then start an etcd instance with ./test_etcd/local.sh and keep it running. Next, run:

cargo test

Authors

and the fine folks at ByteDance

License

Apache 2.0