secrets

command module

v0.0.0-...-c372385 Latest Latest Go to latest Published: Dec 11, 2014 License: MIT Imports: 26 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/tehmaze-labs/secrets

Links

Open Source Insights

README ¶

Secrets

Status: work in progress

Secrets is a repository of group encrypted blobs. Any authenticated node can retrieve and (over)write any secret.

When adding a secret, a node first generates a random 256 bit private key, suitable for NaCL box encryption. Nextly, it asks the secret server for all public keys of all the receiving nodes. Then the node will generate a message secret, encrypt this secret to all other node's public keys and pack the bundled message. This bundled message will now be stored on the server, and can be retrieved by any node.

Cryptography

The secrets server uses X.509 PKI to authenticate nodes. The nodes may use client certificates and the secrets server may verify those certificates, if configured.

The nodes use NaCL box public key encryption to encrypt message secrets. The message itself is symmetrically encrypted using a NaCL secret box.

Setting up

For a quick setup, use the testdata/init script to generate a self-signed certificate and box private key for the secrets server.

Configuration

The secrets groups may also include a box private key stored on the server, if for example the secrets server also has to have access to the secrets stored for the group. You can use multiple keys in multiple groups. In most cases, it is not desired to give the secrets server access to the group secrets. Of course you can also include the public key of your backup box(en) in the group.

Expanding the pool of nodes in a group

The secrets server does not take care of automagically re-encrypting secrets if a node joins a group, because under normal circumstances the secret server has no access to the decrypted data.

Message packets

Encrypted secrets will have to following format:

{
    "sender": "<32 byte public key>",
    "nonce":  "<24 byte nonce>",
    "secret": "<secret box>",
    "keys": {
        "<32 byte public key>": "<box>",
        ...
    }
}

All of the data in this message is BASE64 encoded. The box format is a sealed NaCL box encrypted from sender's private key to receiver's public key. The secret box format is a sealed NaCL box encrypted with the key stored in box.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
key
keyutil
router
secrets-client
storage
backend

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL