Skip to content

Ockam v0.71.0
Compare
Choose a tag to compare
@github-actions github-actions released this 29 Aug 23:57
· 0 commits to f3ec72ac14df519df7d4e8306f8d11ee4140d618 since this release
ockam_v0.71.0
This tag was signed with the committer’s verified signature.
ockam-team Ockam Developers
GPG key ID: 11E227E7093E6E91
Learn about vigilant mode.
45f8e12
This commit was signed with the committer’s verified signature.
ockam-team Ockam Developers
GPG key ID: 11E227E7093E6E91
Learn about vigilant mode.

Encrypted Cloud Relays - for any application!

This release introduces Ockam Orchestrator! A cloud service that helps you orchestrate end-to-end encryption, mutual authentication, key management, credential management & authorization policy enforcement — at scale.

Let's create an end-to-end encrypted, mutually authenticated, secure and private cloud relay:

# Install ockam command
$ brew install build-trust/ockam/ockam

# Create a cryptographic identity and enroll with Ockam Orchestrator.
# This will sign you up for an account with Ockam Orchestrator and setup a
# hobby space and project for you.
$ ockam enroll

# Start our application service, listening on a local ip and port, that clients
# would access through the cloud relay. We'll use a simple http server for our
# first example but this could be some other application service.
$ python3 -m http.server --bind 127.0.0.1 5000

# Setup an ockam node, called blue, as a sidecar next to our application service.
# Create a tcp outlet on the blue node to send raw tcp traffic to the application service.
# Then create a forwarding relay at your default orchestrator project to blue.
$ ockam node create blue
$ ockam tcp-outlet create --at /node/blue --from /service/outlet --to 127.0.0.1:5000
$ ockam forwarder create blue --at /project/default --to /node/blue

# Setup an ockam node, called green, as a sidecar next to our application client.
# Then create an end-to-end encrypted secure channel with blue, through the cloud relay.
# Then tunnel traffic from a local tcp inlet through this end-to-end secure channel.
$ ockam node create green
$ ockam secure-channel create --from /node/green \
    --to /project/default/service/forward_to_blue/service/api \
        | ockam tcp-inlet create --at /node/green --from 127.0.0.1:7000 --to -/service/outlet

# Access the application service though the end-to-end encrypted, secure relay.
$ curl 127.0.0.1:7000

We just created end-to-end encrypted, mutually authenticated, and authorized secure communication between a tcp client and server. This client and server can be running in separate private networks / NATs. We didn't have to expose our server by opening a port on the Internet or punching a hole in our firewall.

The two sides authenticated and authorized each other's known, cryptographically provable identifiers. In later examples we'll see how we can build granular, attribute-based access control with authorization policies.

To learn more, install and run ockam --help

Homebrew

To install this release using Homebrew:

$ brew install build-trust/ockam/ockam

Docker

To use the Docker OCI package:

docker pull ghcr.io/build-trust/ockam:0.71.0

Precompiled Binaries

To install a precompiled binary:

# download ockam command binary for your architecture
curl --proto '=https' --tlsv1.2 -sSfL -O \
  https://github.com/build-trust/ockam/releases/download/ockam_v0.71.0/ockam.x86_64-unknown-linux-gnu

# rename the download binary and give it permission to execute
mv ockam.x86_64-unknown-linux-gnu ockam
chmod u+x ockam

Verify:

# download sha256sums.txt
curl --proto '=https' --tlsv1.2 -sSfL -O \
  https://github.com/build-trust/ockam/releases/download/ockam_v0.71.0/sha256sums.txt

# download sha256sums.txt.sig
curl --proto '=https' --tlsv1.2 -sSfL -O \
  https://github.com/build-trust/ockam/releases/download/ockam_v0.71.0/sha256sums.txt.sig

# download our release public key
curl --proto '=https' --tlsv1.2 -sSfL -o ockam.pub \
  https://raw.githubusercontent.com/build-trust/ockam/develop/tools/docker/cosign.pub

# verify signatures
cosign verify-blob --key ockam.pub --signature sha256sums.txt.sig sha256sums.txt

# download ockam command binary for your architecture
curl --proto '=https' --tlsv1.2 -sSfL -O \
  https://github.com/build-trust/ockam/releases/download/ockam_v0.71.0/ockam.x86_64-unknown-linux-gnu

# verify that the sha256 hash of the downloaded binary is the same as
# the corresponding hash mentioned in sha256sums.txt
cat sha256sums.txt | grep ockam.x86_64-unknown-linux-gnu | sha256sum -c

# rename the download binary and give it permission to execute
mv ockam.x86_64-unknown-linux-gnu ockam
chmod u+x ockam
Assets 16
Loading