bytedance/keyhouse

Keyhouse

Keyhouse is a skeleton of a general-purpose Key Management System (KMS). It is not an off-the-shelf system and it is not ready for production: the crypto, authentication and storage pieces are traits that you must implement yourself.

  • Keyhouse depends on a Spire-based zero trust infrastructure.
  • Keyhouse provides a control plane for users to manage their Customer Keys, and a data plane which responds to data key encoding/decoding requests for data encryption and decryption.
  • Keyhouse provides a "secret service" which stores a piece of data and responds to inquiries.
  • Keyhouse uses etcd for storage.

More information can be found in the CNCF Cloud Native Rust Day 2021 presentation (PDF and video).

Keyhouse is only a Rust library (not a binary). To build a real KMS on top of it, you must implement the KeyhouseImpl trait, which selects the concrete types for each pluggable component:

pub trait KeyhouseImpl: Send + Sync + Clone + std::fmt::Debug {
    type MasterKeyProvider: MasterKeyProvider + 'static; // Master key provider
    type CustomerItem: CodingItem + 'static;             // Customer Key codec
    type IntermediateItem: CodingItem + 'static;         // Intermediate Key codec
    type ClientCoding: ClientCoding + 'static;           // Data Key codec
    type ControlPlaneAuth: ControlPlaneAuth + 'static;   // Control plane authentication/authorization
    type AlternateDataAuthToken: AlternateDataAuthToken + 'static; // Secondary token-based authentication
    type AlternateDataAuthProvider: AlternateDataAuthProvider<Self::AlternateDataAuthToken> + 'static;
    type KeyhouseExt: KeyhouseExt + 'static;             // Handy functions for regioning/logging/authorization
}

A reference implementation is planned for the future. It will provide:

  • AES-256-GCM encryption for IntermediateKey/CustomerKey/DataKey/Secrets
  • Go/C++/Python/Java client SDKs
  • Sample setup of Spire based zero trust infrastructure and Keyhouse's integration

Documents

Project structure

.
├── Cargo.lock              # dependency lock file
├── Cargo.toml              # main Cargo.toml
├── Readme.md
├── build.rs                # project build script
├── certs                   # dummy certificate for testing
├── conf                    # dummy configurations
├── docs                    # open source documentation
├── examples                # sample server
├── proto                   # grpc proto definition
├── src                     # source code
├── test_etcd               # scripts to launch testing etcd service
├── tests                   # self-contained end-to-end roundtrip setup
└── vendor                  # vendored dependencies

Build

A plain cargo build (no arguments) builds only the library.

Example server

cargo build --examples

The output binary is at ./target/debug/examples/server. This example deliberately contains no real crypto primitives, because every user is expected to plug in their own encryption standard. The placeholder codec below is a reversible byte shuffle, not encryption: it ignores the IV and provides neither confidentiality nor integrity.

fn encode_data_with_iv(&mut self, mut input: Vec<u8>, _iv: &[u8]) -> Result<Vec<u8>> {
    if !input.is_empty() {
        input[0] = input[0].wrapping_add(1);
    }
    input.reverse();
    Ok(input)
}

fn decode_data_with_iv(&mut self, mut input: Vec<u8>, _iv: &[u8]) -> Result<Vec<u8>> {
    input.reverse();
    if !input.is_empty() {
        input[0] = input[0].wrapping_sub(1);
    }
    Ok(input)
}
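As an added example (not code from the Keyhouse repository), the placeholder codec above is re-created stand-alone together with the sanity checks a deployer should run against whatever codec replaces it: the round trip must restore the plaintext, the same plaintext under two different IVs must encode differently, and the output should be longer than the input so an authentication tag fits. ToyCodec, CodecError, CodecReport and audit_codec are names chosen here; Keyhouse's own Result type and CodingItem trait are not used, and the closure signature simply mirrors the two methods shown above.

```rust
use std::fmt;

// Added example, not Keyhouse code. All identifiers below are chosen for
// this illustration and are not part of the Keyhouse crate.

#[derive(Debug)]
pub struct CodecError(pub String);

impl fmt::Display for CodecError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "codec error: {}", self.0)
    }
}

impl std::error::Error for CodecError {}

pub type Result<T> = std::result::Result<T, CodecError>;

/// The README's placeholder: bump the first byte, then reverse the buffer.
/// Stateless, so several instances behave identically.
pub struct ToyCodec;

impl ToyCodec {
    pub fn encode_data_with_iv(&mut self, mut input: Vec<u8>, _iv: &[u8]) -> Result<Vec<u8>> {
        if !input.is_empty() {
            input[0] = input[0].wrapping_add(1);
        }
        input.reverse();
        Ok(input)
    }

    pub fn decode_data_with_iv(&mut self, mut input: Vec<u8>, _iv: &[u8]) -> Result<Vec<u8>> {
        input.reverse();
        if !input.is_empty() {
            input[0] = input[0].wrapping_sub(1);
        }
        Ok(input)
    }
}

/// Outcome of the three checks for one codec.
#[derive(Debug, PartialEq, Eq)]
pub struct CodecReport {
    /// decode(encode(p, iv), iv) == p for the sample.
    pub roundtrips: bool,
    /// The same plaintext under two different IVs encodes differently.
    pub iv_affects_output: bool,
    /// Output is longer than input, leaving room for an authentication tag.
    pub carries_tag: bool,
}

/// Run the checks against any encode/decode pair with the README's method
/// signature. An AEAD such as AES-256-GCM passes all three; the placeholder
/// passes only the round trip.
pub fn audit_codec<E, D>(mut encode: E, mut decode: D, sample: &[u8]) -> Result<CodecReport>
where
    E: FnMut(Vec<u8>, &[u8]) -> Result<Vec<u8>>,
    D: FnMut(Vec<u8>, &[u8]) -> Result<Vec<u8>>,
{
    // Two distinct 96-bit IVs (GCM-sized); constructed for the check.
    let iv_a = [0x00u8; 12];
    let iv_b = [0xffu8; 12];

    let ct_a = encode(sample.to_vec(), &iv_a)?;
    let ct_b = encode(sample.to_vec(), &iv_b)?;
    let pt = decode(ct_a.clone(), &iv_a)?;

    Ok(CodecReport {
        roundtrips: pt.as_slice() == sample,
        iv_affects_output: ct_a != ct_b,
        carries_tag: ct_a.len() > sample.len(),
    })
}

/// Audit the placeholder codec with a constructed sample plaintext.
pub fn audit_toy_codec() -> Result<CodecReport> {
    // Separate handles so the two closures do not share one &mut borrow.
    let mut enc = ToyCodec;
    let mut dec = ToyCodec;
    let sample = b"data key bytes"; // constructed sample, 14 bytes
    audit_codec(
        |input, iv| enc.encode_data_with_iv(input, iv),
        |input, iv| dec.decode_data_with_iv(input, iv),
        sample,
    )
}

fn main() {
    match audit_toy_codec() {
        Ok(report) => println!("{:?}", report),
        Err(e) => eprintln!("{}", e),
    }
}
```

Running it reports roundtrips: true, iv_affects_output: false, carries_tag: false, which is exactly the signature of a codec that must not ship: the data round-trips, but the IV is ignored and nothing authenticates the output. Pointing audit_codec at a real AEAD-backed implementation should flip both failing fields to true.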

Testing

First, make sure you have this line in your /etc/hosts:

127.0.0.1 localtest.me

Then, start an etcd using ./test_etcd/local.sh and keep it running. Next, run

cargo test

Authors

and the fine folks at ByteDance

License

Apache 2.0