voltron

command module

v0.0.0-...-46c9509 Latest Latest Go to latest Published: Oct 16, 2021 License: MIT Imports: 2 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/bhoriuchi/voltron

Links

Open Source Insights

README ¶

voltron

A simple offline CA that provides a way to share securely share the key passphrase

How it works

Voltron works by using certstrap as a library to generate a simple offline CA. However, Volton requires a passphrase to be set on the CA private key. The private key passphrase is never exposed directly. Instead, the passphrase is split into a configurable number of parts using the HashiCorp Vault implementation of Shamir's Secret Sharing. In order to securely distribute these key parts, Voltron expects that a diverse group of "Trustees" each provide a public key to encrypt their allocated key part. This ensures each Trustee can only decrypt the key part they own.

Once the CA has been created, it can safely be stored offline. Trustees should also keep their secret key parts in a safe location

When a new certificate needs to be signed by the CA, Voltron is started in signing mode where it will generate an in-memory key pair and request ID for the signing request. The CSR, reqest ID, and in-memory public key are exported to a file that can be used by Trustees to approve the signing request. The Voltron process will stay active until enough trustee approval responses are submitted to recompose the passphrase for the CA's private key in order to complete the certificate singing process.

During a trustee approval, the trustee runs the trustee approve subcommand which will prompt the trustee for their key part. Once entered, this key part is encrypted with the public key provided in the request and exported to a response file that can be ingested by the active Voltron process.

High level procedure

Creating a CA

Create voltron config for the CA
Identify trustees and have trustees generate key-pairs voltron trustee keygen
Obtain public keys from trustees
Create the CA voltron ca init
Distribute encrypted keypart files (*.enc.keypart) to the appropriate trustees
Each trustee decrypts their key part voltron trustee import-keypart and stores it in a secure location
Store the CA cert, CRL, and encrypted private key in a secure location

Signing a Request

Restore the CA cert, CRL, and encrypted private key to a location where voltron can be run
Run voltron ca sign with the CSR to start the signing process
Distribute the signing request file (*.request.json) to all trustees
Each trustee approves the request with voltron trustee approve
Trustees send back their generated response files
Response files are submitted by placing them into the response directory for voltron to consume
Once enough responses are processed to recompose the passphrase, the process will complete and the signed certificate will be exported
All key responses should be deleted/destroyed

Manual fallback

Trustee's assemble the passphrase manually using their key parts
The passphrase is used to decrypt the CA key
Standard signing using a tool like OpenSSL can take place

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
pkg
ca
cli
trustee
util

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL