etcvault

command module

v0.3.1 Latest Latest Go to latest Published: Apr 30, 2015 License: MIT Imports: 17 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/sorah/etcvault

Links

Open Source Insights

README ¶

etcvault - proxy for etcd, adding transparent encryption

Features

Works as reverse proxy to etcd
- Can discover other etcd members
- Support etcd 2.0.x
Transparent value decryption for GET
Transparent value encryption for POST, PUT, PATCH
Multiple keys

Motivation

Maintaining multiple etcd clusters is hard. We wanted to use same etcd cluster for across services, entire our infrastructure.

But currently etcd has no ACL like feature. All server can read any values even if it's not required for that server (e.g. credentials for different service). That's the reason why I developed Etcvault.

And I know there's ongoing RFC for etcd, about ACL: https://github.com/coreos/etcd/blob/master/Documentation/rfc/api_security.md

Example

Generate key first.

$ mkdir /tmp/keychain
$ etcvault keygen -save /tmp/keychain my-key

Start etcd and etcvault.

$ etcd -listen-client-urls http://127.0.0.1:2380 &
$ etcvault start -listen http://127.0.0.1:2381 -initial-backends http://127.0.0.1:2379 -keychain /tmp/keychain &

Set plain text

$ etcdctl --peers http://127.0.0.1:2381 set greeting hello
hello
$ etcdctl get greeting
hello

Try encryption/decryption

(this means encrypt "hello" with "my-key")
$ etcdctl --peers http://127.0.0.1:2381 set greeting 'ETCVAULT::plain:my-key:hello::ETCVAULT'
hello

$ etcdctl --peers http://127.0.0.1:2381 get greeting
hello

(cannot read directly)
$ etcdctl --peers http://127.0.0.1:2379 get greeting
ETCVAULT::1:my-key::CMOAuEHp/gcbUFvRuQDDMtpIEl/MQ/2OeYT8sluZs8Fc+YjEalDGHzYSn5MM9FafD9fGMHg9ODPYKNk83i1xXZ9zRhKWeuvG8VrU0DlIQ0hdV3px2hDgJppQBYGfr7QVs/0CKaDFUpkMPuhp6dGkzJ+73ZllL3BTb5UjdW3yizYUB82Qs3fwEUZJnLTCvuejxzMF64weInQXnTBkVrt1Mq/QjBWVJvZty8vvAeEHDKo6n5NpgVlZrn48yVHdKWBzO2z5mQO4VK3MPfLUMPQgUsOBqqbUd4N/NjfxCmPL3cO+Y3FD4WiPvbKGGz6IjFnPr7MoWs8etV+vIC/33gOGSQ==::ETCVAULT

You can transform ETCVAULT::...::ETCVAULT string to proper format using command

$ etcvault transform -keychain /tmp/keychain 'ETCVAULT::1:my-key::CMOAuEHp/gcbUFvRuQDDMtpIEl/MQ/2OeYT8sluZs8Fc+YjEalDGHzYSn5MM9FafD9fGMHg9ODPYKNk83i1xXZ9zRhKWeuvG8VrU0DlIQ0hdV3px2hDgJppQBYGfr7QVs/0CKaDFUpkMPuhp6dGkzJ+73ZllL3BTb5UjdW3yizYUB82Qs3fwEUZJnLTCvuejxzMF64weInQXnTBkVrt1Mq/QjBWVJvZty8vvAeEHDKo6n5NpgVlZrn48yVHdKWBzO2z5mQO4VK3MPfLUMPQgUsOBqqbUd4N/NjfxCmPL3cO+Y3FD4WiPvbKGGz6IjFnPr7MoWs8etV+vIC/33gOGSQ==::ETCVAULT'
hello

Detailed Usage

Generate keys

$ etcvault keygen NAME
$ etcvault keygen -save /path/to/keychain/directory NAME

for more options, see help.

Start proxy

$ etcvault start -keychain /path/to/keychain/directory -listen http://localhost:2381 -initial-backends http://etcd:2379

Options

-listen: URL to listen to.
-advertise-url: URL to advertise. Used for /v2/members and /v2/machines response.
-keychain: Path to directory contains key files

Discovery options

Must be present -initial-backends or -discovery-srv. Backends are discovered using etcd's API.

-initial-backends: etcd client URLs separated by comma. (e.g. http://etcd-1:2379,http://etcd-2:2379,...)
-discovery-srv: FQDN to look up _etcd-server._tcp and _etcd-server-ssl._tcp SRV records.

TLS support

etcvault supports HTTPS for both, transport with etcd and listening.

Listen https

just specify HTTPS url to -listen (e.g. https://localhost:2381). Valid certificate options are required.

CA and key files

client:
- -client-ca-file
  - Used to validate etcd client port's server certificate.
  - Also, when etcvault is listening HTTPS, and both -listen-key-file -listen-cert-file aren't present, this CA certificate will be used to validate etcvault's client certificate.
- -client-key-file, client-cert-file
  - Used as client certificate to send to etcd client port.
  - Also, when etcvault is listening HTTPS, and both -listen-key-file -listen-cert-file aren't present, this certificate will be used as etcvault's server certificate.
listen:
- -listen-ca-file
  - When present with -listen-key-file and -listen-cert-file, etcvault will validate its client's certificate using this CA file.
  - (only valid when -listen-key-file and -listen-cert-file are present)
- -listen-key-file, listen-cert-file
  - When present, etcvault won't use -client-* for etcvault's TLS server.
  - This certificate is used for etcvault's server certificate
peer:
- -peer-ca-file
  - Used to validate etcd peer port's server sertificate.
- -peer-key-file, peer-cert-file
  - Used as client certificate to send to etcd peer port.
- Note: etcvault communicates with etcd peer ports when using -discovery-srv option. If you're not using it, you can omit -peer-*.

Key distribution

There's no best way to distribute keys. Try to do with your using server provisioning tools.

Here's what file's required for encryption/decryption:

Hosts that only encryption
- Place ${KEYCHAIND_DIR}/${KEY_NAME}.pub
Hosts that can do decryption
- Place ${KEYCHAIND_DIR}/${KEY_NAME}.pem
- ${KEY_NAME}.pub is not necessary.

FAQ

Why etcvault communicate with etcd peer port?

etcvault communicates with etcd peer port when you're using -discovery-srv option. Because SRV records are points to peer port.

License

MIT License

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
container
engine
keys
proxy

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL