citadel

v0.0.2
Published: Mar 21, 2018 License: Apache-2.0

README

Welcome to KMS!

KMS is a simple daemon that implements the Kubernetes Key Management Service interface by acquiring a key encryption key (KEK) from an arbitrary command. This makes it easy to plug in your own key management solution as a simple Unix command that prints the KEK.

How does it work?

When KMS starts, it runs the command you provide. This command returns the KEK on standard output. If the command fails during startup, KMS exits. Otherwise, it uses the KEK returned by the command to encrypt and decrypt the data Kubernetes sends it.

KMS caches the KEK and therefore does not run the command on every incoming request. The lifetime of this cache is set by the timeout argument. If KMS is unable to refresh the cache after several attempts, it purges the KEK and reports errors to Kubernetes. Once KMS succeeds in acquiring the KEK again, normal operation resumes.

To specify the socket to create, use the endpoint argument. Otherwise, socket activation is assumed.

Arguments

Required

  • --command string: the command to retrieve the key encryption key

Optional

  • --endpoint string: the listen address (ex. unix:///tmp/kms.sock)
  • --timeout duration: maximum time to cache the KEK locally (default 1h)
  • --mode string: encryption mode to use; the options are [aescbc] (default "aescbc")

Crypto Details

The KEK is currently used for AES-CBC encryption. AES-CBC provides confidentiality only: it does not authenticate the ciphertext, so a modified ciphertext decrypts without error. Other methods are being considered with the intent of providing cryptographic agility and features such as authentication.
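The missing authentication described above, as an added Go example that is not part of the citadel project's code: both functions encrypt a constructed 32-byte secret under a constructed KEK, flip one ciphertext byte to model corruption or tampering at rest, and report whether decryption noticed. AES-CBC (the only mode KMS offers) hands back altered plaintext with no error; AES-GCM is assumed here as a representative authenticated mode, not one the project implements.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// CBCSilentlyAcceptsTamper encrypts block-aligned pt with AES-CBC (KMS's aescbc mode), flips one
// ciphertext byte and decrypts. CBC has no failure path, so it reports true when the corrupted
// plaintext came back with no error at all, i.e. the damage went unnoticed.
func CBCSilentlyAcceptsTamper(kek, pt []byte) (bool, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return false, err
	}
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // crypto/rand cannot fail short of a broken system
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	ct[len(ct)-1] ^= 0x01 // models a bit error or tampering of the stored secret
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(ct, ct) // decrypt in place
	return string(ct) != string(pt), nil
}

// GCMRejectsTamper repeats the experiment with AES-GCM, an authenticated mode: Open returns an error instead.
func GCMRejectsTamper(kek, pt []byte) (bool, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	ct := aead.Seal(nil, nonce, pt, nil)
	ct[len(ct)-1] ^= 0x01 // same single-byte change; here it lands in the authentication tag
	_, err = aead.Open(nil, nonce, ct, nil)
	return err != nil, nil
}

func main() {
	kek := []byte("0123456789abcdef0123456789abcdef") // constructed demo KEK, stands in for --command output
	a, _ := CBCSilentlyAcceptsTamper(kek, []byte("kubernetes secret, 32 bytes long"))
	g, _ := GCMRejectsTamper(kek, []byte("kubernetes secret, 32 bytes long"))
	fmt.Println("aescbc corruption unnoticed:", a, "aesgcm rejected:", g)
}
```

Because CBC decryption cannot fail, any deployment using the aescbc mode must detect altered ciphertext by other means (for example an authenticated wrapper or integrity checks on the store) rather than relying on KMS to report it.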

Directories

  • api/v1beta1: Package v1beta1 is a generated protocol buffer package.
  • cmd/kms
  • pkg/kek
  • pkg/kms
