keyfob

package module
v0.0.0-...-13c2407
Published: May 24, 2019 License: Apache-2.0 Imports: 10 Imported by: 0

README

Keyfob

Please note, Keyfob is still very much alpha-grade software.

Keyfob is a medium-scale† per-user encryption key-management system. For every user, Keyfob may track multiple namespaces, which can be used to keep different kinds of data apart (e.g. to separate the different legal grounds for processing data as defined in the EU General Data Protection Regulation). In addition, Keyfob uses key derivation: the user's root key is combined with a service key (presumably unique to the service), which effectively gives every user a unique key for every combination of namespace and service.

The design is heavily influenced by the Scalable User Privacy blog post from Spotify describing their Padlock service. One goal of Keyfob is to provide the functionality described by Padlock while implementing some of the improvements suggested in the blog post.

†: Keyfob is built to support high availability and to scale, but supporting applications with millions of requests per second is not an explicit goal of Keyfob.

Build

TBD

Documentation

This project is licensed under the Apache 2 license, which can be read in its entirety in the LICENSE file.

  • Copyright 2019 Emil Tullstedt

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type KeyFobService

type KeyFobService struct {
	Vault KeyVault
}

KeyFobService implements the KeyFob gRPC service. All keys which are returned are derived from both the key stored in the vault and the provided service key.

func (KeyFobService) DeleteKey

func (s KeyFobService) DeleteKey(ctx context.Context, req *proto.DeleteKeyRequest) (*empty.Empty, error)

DeleteKey permanently deletes a key from the vault.

func (KeyFobService) GenerateKey

GenerateKey fetches a key from the vault matching the key in the request, creating it if it doesn't exist.

func (KeyFobService) ListKeys

ListKeys returns all the keys which exist for a user in a vault.

type KeyVault

type KeyVault interface {
	ListKeys(userid uuid.UUID) ([]*StoredKey, error)
	GetKey(userid uuid.UUID, category string) (*StoredKey, error)
	// Repeated insertion of key should not update the key. Only the first
	// key inserted should be persisted. Collision on persistence is not
	// considered an error.
	InsertKey(userid uuid.UUID, category string, key []byte) error
	DeleteKey(userid uuid.UUID, category string) error
}

A KeyVault is an abstract description of a secure storage location for root keys.

type StoredKey

type StoredKey struct {
	Key      []byte
	User     uuid.UUID
	Category string
}

StoredKey is the representation of a key from the vault.

type UserKeyPointer

type UserKeyPointer struct {
	UserID     uuid.UUID
	Category   string
	ServiceKey []byte
}

UserKeyPointer is a struct which maps out a single cryptographic key from a KeyVault.

func (*UserKeyPointer) CreateKey

func (k *UserKeyPointer) CreateKey(vault KeyVault) error

CreateKey generates and inserts a new root key for the user.

func (*UserKeyPointer) DeleteKey

func (k *UserKeyPointer) DeleteKey(vault KeyVault) error

DeleteKey permanently deletes a key from the vault.

func (*UserKeyPointer) DeriveKey

func (k *UserKeyPointer) DeriveKey(vault KeyVault) ([]byte, error)

DeriveKey fetches the root key for the user within the data category and combines it with the service key to derive a new key which the service can use to encrypt data securely.

The service key must be longer than 128 bits.

func (*UserKeyPointer) ListUserKeys

func (k *UserKeyPointer) ListUserKeys(vault KeyVault) ([]*StoredKey, error)

ListUserKeys lists all keys for a user combined with the service key to lower the number of round-trips that a service needs to do in order to decrypt user data.

Directories

Path Synopsis
cmd
