README
¶
Encryption Service
The Encryption Service is the user facing part of Encryptonize.
Development Prerequisites
You will need the following tools:
- Go (version 1.15+) - Install instructions
- Protobuf compiler (version 3.12+) - Install instructions
- Go plugin for protoc (version 1.25+) - Install instructions
- golangci-lint (version 1.33+) - Install instructions
- gocovmerge -
go get github.com/wadey/gocovmerge - Docker (version 19+) - Install instructions
- Docker Compose (version 1.27+)- Install instructions
- gRPC health probe (version 0.3.4+) - Install instructions
Additionally you need to add $(go env GOPATH)/bin to your PATH, i.e. by adding
export PATH=$PATH:$(go env GOPATH)/bin
or similar to your shell. For deployment to GKE clusters you will also need:
- GCloud - Install instructions
- kubectl - Install instructions
Building and running locally
You can build the Encryption Service by running:
make build
You can build the Encryption Service docker image by running:
make docker-build
This wil generate an image with the tag encryptonize.
In order to run the Encryption Service locally, you have two options: standalone and Docker Compose.
Standalone
A standalone instance of the Encryption Service can be started by calling
make run
This will expose the gRPC endpoints of Encryption Service on localhost:9000. To connect the
service to existing storage solutions you need to set the environment variables in scripts/run.sh.
Docker Compose
A selfcontained instance of Encryptonize can be started using Docker Compose. Note that this setup is only intended for test and development use.
To start the Docker Compose setup, call
make docker-up
This will start local instances of CockroachDB and MinIO and connect a dockerized version of the Encryption Service to these. An admin user with the following credentials will automatically be created:
User ID: 00000000-0000-4000-8000-000000000002
Access Token: 0000000000000000000000000000000000000000000000000000000000000002
The gRPC endpoints of the Encryption Service are exposed on localhost:9000. MinIO's web console is
exposed on localhost:7000 (ID storageid and key storagekey) while CockroachDB's web console is
exposed on localhost:7001.
When you are done with the service, stop it again by calling
make docker-down
Note that when using make docker-down data is not persisted. To keep data after shutting down the
instance, manually call docker-compose down. The setup can be tweaked by modifying the settings
in docker-compose.yml.
Running tests
Various levels of tests are available. In order to run static checks, call
make lint
Unit tests can be run with
make unit-tests
After starting a standalone instance or a Docker Compose instance, end-to-end tests can be run using
make e2e-tests
A coverage report for all tests can be generated using
make coverage
The Encryption Service Environment
The Encryption Service uses various environment variables to modify its behavior. The current environment variables are listed below:
| Name | Description |
|---|---|
| KEK | Key material as a 64 digit hex string |
| ASK | Key material as a 64 digit hex string |
| AUTH_STORAGE_URL | Connection URL for the auth storage |
| OBJECT_STORAGE_URL | Connection URL for the object store |
| OBJECT_STORAGE_ID | Key ID for the object store |
| OBJECT_STORAGE_KEY | Secret key for the object store |
| OBJECT_STORAGE_CERT | Certificate for the object store |
To modify the various make targets, set these environment variables in the relevant scripts in
scripts (see e.g. scripts/run.sh. To modify the docker-compose setup, set the
x-service-variables in docker-compose.yml.
Documentation
¶
Overview ¶
Copyright 2020 CYBERCRYPT
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Source Files
Directories