csstaub Merge pull request #374 from square/cs/better-bcrypt-check
Improve bcrypt hash check on login
Latest commit daf8e62 Jun 12, 2018

README.md

Keywhiz


Keywhiz is a system for distributing and managing secrets. For more information, see the website.

Our Protecting infrastructure secrets with Keywhiz blog post is worth reading, as it provides some useful context.

Develop

See CONTRIBUTING for details on submitting patches.

Build keywhiz:

```sh
# Build keywhiz for H2
mvn install -P h2

# Build keywhiz for MySQL
mvn install -P mysql
```

Run Keywhiz:

```sh
java -jar server/target/keywhiz-server-*-shaded.jar [COMMAND] [OPTIONS]
```

Useful commands to get started are `migrate`, `add-user` and `server`. Use `--help` for a list of all available commands, and `[COMMAND] --help` for help on a particular command.

For example, to run Keywhiz with an H2 database in development mode:

```sh
SERVER_JAR="server/target/keywhiz-server-*-shaded.jar"
KEYWHIZ_CONFIG="server/target/classes/keywhiz-development.yaml.h2"

# Initialize dev database (H2)
java -jar $SERVER_JAR migrate $KEYWHIZ_CONFIG

# Add an administrative user
java -jar $SERVER_JAR add-user $KEYWHIZ_CONFIG

# Run server
java -jar $SERVER_JAR server $KEYWHIZ_CONFIG
```

To connect to a running Keywhiz instance, you will need to use the CLI.

An example helper shell script that wraps the keywhiz-cli and sets some default parameters:

```sh
#!/bin/sh

# Set the path to a compiled, shaded keywhiz-cli JAR file
KEYWHIZ_CLI_JAR="/path/to/keywhiz-cli-shaded.jar"
KEYWHIZ_SERVER_URL="https://$(hostname):4444"

# Use these flags if you want to specify a non-standard CA trust store
TRUSTSTORE="-Djavax.net.ssl.trustStore=/path/to/ca-bundle.jceks"
TRUSTTYPE="-Djavax.net.ssl.trustStoreType=JCEKS"

java "$TRUSTSTORE" "$TRUSTTYPE" -jar "$KEYWHIZ_CLI_JAR" -U "$KEYWHIZ_SERVER_URL" "$@"
```
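An added example that complements the wrapper above (it is not part of the Keywhiz project's own code): it builds the JCEKS CA bundle the wrapper points at with the JDK's `keytool`, and checks that the trust store and CLI jar exist and that the server URL is HTTPS before assembling the CLI invocation, so a misconfiguration fails with a clear message rather than a confusing TLS handshake error. File paths, the `keywhiz-ca` alias and the store password are assumptions.

```sh
#!/bin/sh
# Added example, not Keywhiz project code. Paths, alias and password are
# assumptions for illustration.
set -eu

# Import a PEM-encoded CA certificate into a JCEKS trust store using keytool
# (ships with the JDK). Usage: make_truststore ca.pem ca-bundle.jceks 'changeit'
make_truststore() {
  ca_pem=$1; store=$2; pass=$3
  keytool -importcert -noprompt -alias keywhiz-ca -file "$ca_pem" \
    -keystore "$store" -storetype JCEKS -storepass "$pass"
}

# Validate the pieces the wrapper needs and print the resulting command line,
# one argument per line. Returns 1 (with a message on stderr) when the trust
# store or jar is missing or the server URL is not https://.
cli_command() {
  store=$1; jar=$2; url=$3
  [ -f "$store" ] || { echo "trust store not found: $store" >&2; return 1; }
  [ -f "$jar" ] || { echo "keywhiz-cli jar not found: $jar" >&2; return 1; }
  case "$url" in
    https://*) ;;
    *) echo "server URL must use https: $url" >&2; return 1 ;;
  esac
  printf '%s\n' java "-Djavax.net.ssl.trustStore=$store" \
    "-Djavax.net.ssl.trustStoreType=JCEKS" -jar "$jar" -U "$url"
}

# Typical use (constructed paths): build the bundle once, then run the CLI.
#   make_truststore /etc/keywhiz/ca.pem /etc/keywhiz/ca-bundle.jceks changeit
#   set -- $(cli_command /etc/keywhiz/ca-bundle.jceks /opt/keywhiz-cli-shaded.jar \
#              "https://$(hostname):4444") && "$@" --help
```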

Keywhiz uses jOOQ to talk to its database.

If you made changes to the database model and want to regenerate sources:

```sh
mvn install -pl model/ -Pgenerate-jooq-sources
```

We recommend IntelliJ IDEA for development.

Clients & API

Swagger API documentation

Client implementations maintained by Square:

  • Keywhiz-FS: a FUSE driver for exposing Keywhiz secrets as a filesystem. In maintenance mode.
  • Keysync: next-generation replacement for Keywhiz-FS based on tmpfs instead of FUSE.

Docker

We ship a Dockerfile for building a Docker container for keywhiz. Please see the Dockerfile for extra instructions.

License

Keywhiz is under the Apache 2.0 license. See the LICENSE file for details.