Arx - Key Management Service


What is Arx?

Arx is an encryption Key Management Service written in Go. Modelled extensively on AWS KMS behaviour, its API is used for symmetric key management. It offers Cryptography as a Service (CaaS) functionality such as encryption, decryption and re-encryption without ever exposing the keys to the caller.

The crypto provider is based on AES with a 256-bit key in GCM mode, which provides confidentiality as well as authentication of the ciphertext.

Keys are encrypted and stored on disk, in Couchbase or in BoltDB, using a master key which is derived from a passphrase with PBKDF2.
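To show what "derived from a passphrase with PBKDF2" means in practice, here is an added example (not code from the Arx project) that implements PBKDF2-HMAC-SHA256 with only the Go standard library and uses it to derive a 256-bit master key. The salt and iteration count are assumptions chosen for the example; Arx's own parameters are not given on this page. The salt must be stored alongside the key store, and the iteration count should be as high as the deployment can afford, because both govern how expensive it is to brute-force the passphrase.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
)

// PBKDF2SHA256 implements PBKDF2 (RFC 8018, section 5.2) with HMAC-SHA256 as
// the pseudo-random function. Each output block T_i is the XOR of the chain
// U_1 = PRF(password, salt || INT(i)), U_n = PRF(password, U_{n-1}).
func PBKDF2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)

	for block := 1; block <= numBlocks; block++ {
		// U_1 = PRF(P, S || INT(block)) with a big-endian 4-byte counter.
		prf.Reset()
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)

		t := make([]byte, hashLen)
		copy(t, u)
		for n := 1; n < iterations; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for i := range t {
				t[i] ^= u[i]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// DeriveMasterKey turns a passphrase into a 32-byte AES-256 master key.
// The iteration count here is an assumed value for the example.
const assumedIterations = 100000

func DeriveMasterKey(passphrase string, salt []byte) []byte {
	return PBKDF2SHA256([]byte(passphrase), salt, assumedIterations, 32)
}

// NewSalt returns 16 random bytes; a salt is generated once per key store
// and persisted next to the encrypted keys, never derived from the passphrase.
func NewSalt() ([]byte, error) {
	salt := make([]byte, 16)
	if _, err := io.ReadFull(rand.Reader, salt); err != nil {
		return nil, err
	}
	return salt, nil
}

func main() {
	salt, err := NewSalt()
	if err != nil {
		panic(err)
	}
	// Constructed passphrase for the demo; the master key never touches disk.
	key := DeriveMasterKey("some 32 character passphrase that you can use", salt)
	fmt.Printf("salt=%s\nmaster key=%s\n", hex.EncodeToString(salt), hex.EncodeToString(key))
}
```

The same passphrase with a different salt yields an unrelated master key, which is why the salt has to be kept with the store: losing it is equivalent to losing the passphrase.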

Arxclient - Command Line Interface

Arxclient is a command line interface which can be used to manage and interact with arx.

Features

  • AES Key store
  • Cryptography as a Service
    • Encrypt
    • Decrypt
    • Re-encrypt
  • Keys encrypted while at rest
  • Key rotation on demand

How-To

Install arx

$ go get github.com/keithballdotnet/arx

Start service with defaults

$ arx --ph "some 32 character passphrase that you can use to be your derived key"

Create a new key

$ arxclient create -d "example"
2016/03/22 21:17:16 Create new key
2016/03/22 21:17:16 KeyID:"ddb6b5d0-15da-4f41-92db-6480953464df" CreationDateRFC3339Nano:"2016-03-22T20:17:16.558504583Z" Description:"example" Enabled:true

AWS Style Key Management Service

The encryption follows the pattern specified in the KMS Cryptographic Whitepaper.

For each piece of data that needs encryption a new data key is requested from KMS. KMS returns both an encrypted version of the key and a plaintext version. The plaintext version is used to encrypt the data, and the encrypted key and the ciphertext are then combined into an envelope ready for persistence.

Upon a request for decryption the data envelope will be inspected, the encrypted key extracted and then decrypted by the KMS server. The decrypted key can then be used to decrypt the body of the data.
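The envelope flow described above, as an added example that is not part of the Arx code base: a master key (here simply a random 32-byte key; in Arx it would be the PBKDF2-derived key) wraps a freshly generated data key with AES-256-GCM, the data key encrypts the payload, and the envelope stored on disk is a length-prefixed wrapped key followed by the sealed payload. Decryption parses the envelope, unwraps the data key under the master key, and only then decrypts the body. The envelope layout, function names and the `keyID` used as associated data are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// seal encrypts plaintext with AES-GCM under key and returns nonce||ciphertext||tag.
// aad is authenticated but not encrypted; a fresh random nonce is used per call.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; GCM fails closed if the ciphertext, tag or aad were altered.
func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// GenerateDataKey models the KMS "generate data key" call: it returns the
// plaintext data key for immediate use and the same key wrapped under the
// master key. The keyID is bound to the wrapped key as associated data so a
// wrapped key cannot be replayed under a different master key identifier.
func GenerateDataKey(masterKey []byte, keyID string) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, plain); err != nil {
		return nil, nil, err
	}
	wrapped, err = seal(masterKey, plain, []byte(keyID))
	return plain, wrapped, err
}

// EncryptEnvelope produces: uint16 length of wrapped key || wrapped key || sealed data.
func EncryptEnvelope(masterKey []byte, keyID string, data []byte) ([]byte, error) {
	plainKey, wrappedKey, err := GenerateDataKey(masterKey, keyID)
	if err != nil {
		return nil, err
	}
	body, err := seal(plainKey, data, nil)
	if err != nil {
		return nil, err
	}
	env := make([]byte, 2, 2+len(wrappedKey)+len(body))
	binary.BigEndian.PutUint16(env, uint16(len(wrappedKey)))
	env = append(env, wrappedKey...)
	return append(env, body...), nil
}

// DecryptEnvelope unwraps the data key with the master key (the KMS side) and
// then decrypts the body with the recovered data key (the client side).
func DecryptEnvelope(masterKey []byte, keyID string, env []byte) ([]byte, error) {
	if len(env) < 2 {
		return nil, errors.New("envelope too short")
	}
	n := int(binary.BigEndian.Uint16(env))
	if len(env) < 2+n {
		return nil, errors.New("envelope truncated")
	}
	plainKey, err := open(masterKey, env[2:2+n], []byte(keyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(plainKey, env[2+n:], nil)
}

func main() {
	master := make([]byte, 32) // constructed stand-in for the derived master key
	if _, err := io.ReadFull(rand.Reader, master); err != nil {
		panic(err)
	}
	env, err := EncryptEnvelope(master, "example-key-id", []byte("secret payload"))
	if err != nil {
		panic(err)
	}
	out, err := DecryptEnvelope(master, "example-key-id", env)
	fmt.Printf("envelope=%d bytes, decrypted=%q, err=%v\n", len(env), out, err)
}
```

Note that the plaintext data key exists only in memory during the two calls; what is persisted is the envelope, and anyone holding the envelope without access to the KMS master key holds nothing usable.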

Good resources:

KMS

Roadmap

  • Key Pairs auth?
  • Some other auth modes
  • Key audit logs?
  • Diagnostics?

Protobuf Development Set Up

Install protobuf

Download version 3 from https://github.com/google/protobuf/releases

Install the Go protobuf plugin (protoc-gen-go)

sudo -E go get -a github.com/golang/protobuf/protoc-gen-go

Install the grpc examples

go get -u google.golang.org/grpc

Converting the .proto file

protoc --go_out=plugins=grpc:. src/github.com/keithballdotnet/arx/proto/arx.proto