Arx is an encryption Key Management Service (KMS) written in Go. Modelled extensively on AWS KMS behaviour, its API is used for symmetric key management. It offers Cryptography as a Service (CaaS) functionality such as encryption, decryption and re-encryption without ever exposing the keys to the caller.
The crypto provider is AES with 256-bit keys in GCM mode, which provides confidentiality as well as authentication (integrity) of the ciphertext.
Keys are encrypted before being stored on disk, in Couchbase or in BoltDB, using a master key derived from a passphrase with PBKDF2.
Arxclient is a command line interface which can be used to manage and interact with arx.
- AES key store
- Cryptography as a Service
  - Encrypt
  - Decrypt
  - Re-encrypt
- Keys encrypted while at rest
- Key rotation on demand
```shell
$ go get github.com/keithballdotnet/arx
$ arx --ph "some 32 character passphrase that you can use to be your derived key"
$ arxclient create -d "example"
2016/03/22 21:17:16 Create new key
2016/03/22 21:17:16 KeyID:"ddb6b5d0-15da-4f41-92db-6480953464df" CreationDateRFC3339Nano:"2016-03-22T20:17:16.558504583Z" Description:"example" Enabled:true
```
The encryption follows the envelope encryption pattern specified in the AWS KMS Cryptographic Details whitepaper (linked below).
For each piece of data that needs encryption a new data key is requested from the KMS. The KMS returns an encrypted (wrapped) version of the key together with a plaintext version. The plaintext key is used to encrypt the data, and the resulting ciphertext is then combined with the encrypted key into an envelope ready for persistence.
On a request for decryption the data envelope is inspected, the encrypted key is extracted and sent to the KMS server to be decrypted. The decrypted key can then be used locally to decrypt the body of the data.
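The envelope pattern above as an added, self-contained Go example (not Arx's own code): a local stand-in for the server wraps a fresh data key under a caller-supplied 32-byte master key, the client encrypts the body with the plaintext copy and persists only the wrapped key beside the ciphertext. `seal`, `open`, `Envelope` and the master-key argument are assumptions of this example; in Arx the wrapping happens inside the server and the master key never reaches the client.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// aesGCM is AES-256-GCM (the Arx cipher): seal gives nonce || ciphertext || tag; open rejects any change to it.
func aesGCM(key, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key) // fails unless key is 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if encrypt {
		nonce := make([]byte, ns) // fresh random nonce per call, stored in front of the ciphertext
		_, err = rand.Read(nonce)
		return gcm.Seal(nonce, nonce, in, nil), err
	}
	if len(in) < ns {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, in[:ns], in[ns:], nil)
}
func seal(key, plaintext []byte) ([]byte, error) { return aesGCM(key, plaintext, true) }
func open(key, sealed []byte) ([]byte, error)    { return aesGCM(key, sealed, false) }
// Envelope is what the client persists: the wrapped data key travels with the body it protects.
type Envelope struct{ WrappedKey, Body []byte }
// EnvelopeEncrypt: the server mints a data key and returns it wrapped under master (hypothetical stand-in
// for the Arx master key); the client uses the plaintext copy once and persists only the wrapped copy.
func EnvelopeEncrypt(master, data []byte) (env Envelope, err error) {
	dataKey := make([]byte, 32) // fresh 256-bit data key for this one item
	if _, err = rand.Read(dataKey); err == nil {
		if env.WrappedKey, err = seal(master, dataKey); err == nil {
			env.Body, err = seal(dataKey, data)
		}
	}
	return env, err
}
// EnvelopeDecrypt sends only the wrapped key to the server (open under master), then decrypts locally.
func EnvelopeDecrypt(master []byte, env Envelope) ([]byte, error) {
	dataKey, err := open(master, env.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(dataKey, env.Body)
}
```

A wrong master key, a tampered body or a truncated blob all surface as an error rather than as garbage plaintext, which is the property GCM's authentication tag buys over plain AES.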
- AWS KMS: https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf
- MS Key Vault: https://msdn.microsoft.com/en-US/library/azure/dn903623
- Key Pairs auth?
- Some other auth modes
- Key audit logs?
- Diagnostics?
Download protoc version 3 from https://github.com/google/protobuf/releases, then install the Go plugin and gRPC and regenerate the stubs:
```shell
sudo -E go get -a github.com/golang/protobuf/protoc-gen-go
go get -u google.golang.org/grpc
protoc --go_out=plugins=grpc:. src/github.com/keithballdotnet/arx/proto/arx.proto
```