feat: Keyring

.github/workflows/start-binary.yml

@@ -48,7 +48,7 @@ jobs:
 
       - name: Attempt to start binary
         run: |
-          ./build/defradb start &
+          ./build/defradb start --no-keyring &
           sleep 5
 
       - name: Check if binary is still running

README.md

@@ -18,6 +18,7 @@ Read the documentation on [docs.source.network](https://docs.source.network/).
 ## Table of Contents
 
 - [Install](#install)
+- [Key Management](#key-management)
 - [Start](#start)
 - [Configuration](#configuration)
 - [External port binding](#external-port-binding)
@@ -58,6 +59,33 @@ export PATH=$PATH:$(go env GOPATH)/bin
 
 We recommend experimenting with queries using a native GraphQL client. GraphiQL is a popular option - [download and install it](https://altairgraphql.dev/#download).
 
+## Key Management
+
+DefraDB has a built in keyring that can be used to store private keys securely.
+
+The following keys are loaded from the keyring on start:
+
+- `peer-key` Ed25519 private key (required)
+- `encryption-key` AES-128, AES-192, or AES-256 key (optional)
+
+To randomly generate the required keys, run the following command:
+
+```
+defradb keyring generate
+```
+
+To import externally generated keys, run the following command:
+
+```
+defradb keyring import <name> <private-key-hex>
+```
+
+To learn more about the available options:
+
+```
+defradb keyring --help
+```
+
 ## Start
 
 Start a node by executing `defradb start`. Keep the node running while going through the following examples.

cli/cli.go

@@ -122,9 +122,17 @@ func NewDefraCommand() *cobra.Command {
 		collection,
 	)
 
+	keyring := MakeKeyringCommand()
+	keyring.AddCommand(
+		MakeKeyringGenerateCommand(),
+		MakeKeyringImportCommand(),
+		MakeKeyringExportCommand(),
+	)
+
 	root := MakeRootCommand()
 	root.AddCommand(
 		client,
+		keyring,
 		MakeStartCommand(),
 		MakeServerDumpCmd(),
 		MakeVersionCommand(),

cli/config.go

@@ -36,6 +36,7 @@ var configPaths = []string{
 	"datastore.badger.path",
 	"api.pubkeypath",
 	"api.privkeypath",
+	"keyring.path",
 }
 
 // configFlags is a mapping of config keys to cli flags to bind to.
@@ -57,6 +58,10 @@ var configFlags = map[string]string{
 	"api.allowed-origins":               "allowed-origins",
 	"api.pubkeypath":                    "pubkeypath",
 	"api.privkeypath":                   "privkeypath",
+	"keyring.namespace":                 "keyring-namespace",
+	"keyring.backend":                   "keyring-backend",
+	"keyring.path":                      "keyring-path",
+	"keyring.disabled":                  "no-keyring",
 }
 
 // defaultConfig returns a new config with default values.

cli/config_test.go

@@ -36,7 +36,6 @@ func TestLoadConfigNotExist(t *testing.T) {
 	require.NoError(t, err)
 
 	assert.Equal(t, 5, cfg.GetInt("datastore.maxtxnretries"))
-
 	assert.Equal(t, filepath.Join(rootdir, "data"), cfg.GetString("datastore.badger.path"))
 	assert.Equal(t, 1<<30, cfg.GetInt("datastore.badger.valuelogfilesize"))
 	assert.Equal(t, "badger", cfg.GetString("datastore.store"))
@@ -59,4 +58,9 @@ func TestLoadConfigNotExist(t *testing.T) {
 	assert.Equal(t, false, cfg.GetBool("log.source"))
 	assert.Equal(t, "", cfg.GetString("log.overrides"))
 	assert.Equal(t, false, cfg.GetBool("log.nocolor"))
+
+	assert.Equal(t, filepath.Join(rootdir, "keys"), cfg.GetString("keyring.path"))
+	assert.Equal(t, false, cfg.GetBool("keyring.disabled"))
+	assert.Equal(t, "defradb", cfg.GetString("keyring.namespace"))
+	assert.Equal(t, "file", cfg.GetString("keyring.backend"))
 }

cli/errors.go

@@ -16,6 +16,14 @@ import (
 	"github.com/sourcenetwork/defradb/errors"
 )
 
+const errKeyringHelp = `%w
+
+Did you forget to initialize the keyring?
+
+Use the following command to generate the required keys: 
+  defradb keyring generate
+`
+
 const (
 	errInvalidLensConfig        string = "invalid lens configuration"
 	errSchemaVersionNotOfSchema string = "the given schema version is from a different schema"
@@ -53,3 +61,7 @@ func NewErrSchemaVersionNotOfSchema(schemaRoot string, schemaVersionID string) e
 		errors.NewKV("SchemaVersionID", schemaVersionID),
 	)
 }
+
+func NewErrKeyringHelp(inner error) error {
+	return fmt.Errorf(errKeyringHelp, inner)
+}

cli/keyring.go

@@ -0,0 +1,25 @@
+// Copyright 2024 Democratized Data Foundation
+//
+// Use of this software is governed by the Business Source License
+// included in the file licenses/BSL.txt.
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0, included in the file
+// licenses/APL.txt.
+
+package cli
+
+import (
+	"github.com/spf13/cobra"
+)
+
+func MakeKeyringCommand() *cobra.Command {
+	var cmd = &cobra.Command{
+		Use:   "keyring",
+		Short: "Manage DefraDB private keys",
+		Long: `Manage DefraDB private keys.
+Generate, import, and export private keys.`,
+	}
+	return cmd
+}

cli/keyring_export.go

@@ -0,0 +1,41 @@
+// Copyright 2024 Democratized Data Foundation
+//
+// Use of this software is governed by the Business Source License
+// included in the file licenses/BSL.txt.
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0, included in the file
+// licenses/APL.txt.
+
+package cli
+
+import (
+	"github.com/spf13/cobra"
+)
+
+func MakeKeyringExportCommand() *cobra.Command {
+	var cmd = &cobra.Command{
+		Use:   "export <name>",
+		Short: "Export a private key",
+		Long: `Export a private key.
+Prints the hexadecimal representation of a private key.
+
+Example:
+  defradb keyring export encryption-key`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			keyring, err := openKeyring(cmd)
+			if err != nil {
+				return err
+			}
+			keyBytes, err := keyring.Get(args[0])
+			if err != nil {
+				return err
+			}
+			cmd.Printf("%x\n", keyBytes)
+			return nil
+		},
+	}
+	return cmd
+}

cli/keyring_generate.go

@@ -0,0 +1,62 @@
+// Copyright 2024 Democratized Data Foundation
+//
+// Use of this software is governed by the Business Source License
+// included in the file licenses/BSL.txt.
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0, included in the file
+// licenses/APL.txt.
+
+package cli
+
+import (
+	"github.com/spf13/cobra"
+
+	"github.com/sourcenetwork/defradb/crypto"
+)
+
+func MakeKeyringGenerateCommand() *cobra.Command {
+	var noEncryption bool
+	var cmd = &cobra.Command{
+		Use:   "generate",
+		Short: "Generate private keys",
+		Long: `Generate private keys.
+Randomly generate and store private keys in the keyring.
+
+WARNING: This will overwrite existing keys in the keyring.
+
+Example:
+  defradb keyring generate
+
+Example: with no encryption key
+  defradb keyring generate --no-encryption-key
+
+Example: with system keyring
+  defradb keyring generate --keyring-backend system`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			keyring, err := openKeyring(cmd)
+			if err != nil {
+				return err
+			}
+			if !noEncryption {
+				// generate optional encryption key
+				encryptionKey, err := crypto.GenerateAES256()
+				if err != nil {
+					return err
+				}
+				err = keyring.Set(encryptionKeyName, encryptionKey)
+				if err != nil {
+					return err
+				}
+			}
+			peerKey, err := crypto.GenerateEd25519()
+			if err != nil {
+				return err
+			}
+			return keyring.Set(peerKeyName, peerKey)
+		},
+	}
+	cmd.Flags().BoolVar(&noEncryption, "no-encryption-key", false, "Skip generating an encryption key")
+	return cmd
+}

cli/keyring_import.go

@@ -0,0 +1,42 @@
+// Copyright 2024 Democratized Data Foundation
+//
+// Use of this software is governed by the Business Source License
+// included in the file licenses/BSL.txt.
+//
+// As of the Change Date specified in that file, in accordance with
+// the Business Source License, use of this software will be governed
+// by the Apache License, Version 2.0, included in the file
+// licenses/APL.txt.
+
+package cli
+
+import (
+	"encoding/hex"
+
+	"github.com/spf13/cobra"
+)
+
+func MakeKeyringImportCommand() *cobra.Command {
+	var cmd = &cobra.Command{
+		Use:   "import <name> <private-key-hex>",
+		Short: "Import a private key",
+		Long: `Import a private key.
+Store an externally generated key in the keyring.
+
+Example:
+  defradb keyring import encryption-key 0000000000000000`,
+		Args: cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			keyring, err := openKeyring(cmd)
+			if err != nil {
+				return err
+			}
+			keyBytes, err := hex.DecodeString(args[1])
+			if err != nil {
+				return err
+			}
+			return keyring.Set(args[0], keyBytes)
+		},
+	}
+	return cmd
+}

cli/root.go

@@ -139,5 +139,29 @@ Start a DefraDB node, interact with a local or remote node, and much more.
 		"Path to the private key for tls",
 	)
 
+	cmd.PersistentFlags().String(
+		"keyring-namespace",
+		"defradb",
+		"Service name to use when using the system backend",
+	)
+
+	cmd.PersistentFlags().String(
+		"keyring-backend",
+		"file",
+		"Keyring backend to use. Options are file or system",
+	)
+
+	cmd.PersistentFlags().String(
+		"keyring-path",
+		"keys",
+		"Path to store encrypted keys when using the file backend",
+	)
+
+	cmd.PersistentFlags().Bool(
+		"no-keyring",
+		false,
+		"Disable the keyring and generate ephemeral keys",
+	)
+
 	return cmd
 }

cli/start.go

@@ -14,7 +14,6 @@ import (
 	"fmt"
 	"os"
 	"os/signal"
-	"path/filepath"
 	"syscall"
 
 	"github.com/libp2p/go-libp2p/core/peer"
@@ -23,6 +22,7 @@ import (
 	"github.com/sourcenetwork/defradb/db"
 	"github.com/sourcenetwork/defradb/errors"
 	"github.com/sourcenetwork/defradb/http"
+	"github.com/sourcenetwork/defradb/keyring"
 	"github.com/sourcenetwork/defradb/net"
 	netutils "github.com/sourcenetwork/defradb/net/utils"
 	"github.com/sourcenetwork/defradb/node"
@@ -84,23 +84,32 @@ func MakeStartCommand() *cobra.Command {
 			}
 
 			if cfg.GetString("datastore.store") != configStoreMemory {
-				// It would be ideal to not have the key path tied to the datastore.
-				// Running with memory store mode will always generate a random key.
-				// Adding support for an ephemeral mode and moving the key to the
-				// config would solve both of these issues.
 				rootDir := mustGetContextRootDir(cmd)
-				key, err := loadOrGeneratePrivateKey(filepath.Join(rootDir, "data", "key"))
-				if err != nil {
-					return err
-				}
-				netOpts = append(netOpts, net.WithPrivateKey(key))
-
 				// TODO-ACP: Infuture when we add support for the --no-acp flag when admin signatures are in,
 				// we can allow starting of db without acp. Currently that can only be done programmatically.
 				// https://github.com/sourcenetwork/defradb/issues/2271
 				dbOpts = append(dbOpts, db.WithACP(rootDir))
 			}
 
+			if !cfg.GetBool("keyring.disabled") {
+				kr, err := openKeyring(cmd)
+				if err != nil {
+					return NewErrKeyringHelp(err)
+				}
+				// load the required peer key
+				peerKey, err := kr.Get(peerKeyName)
+				if err != nil {
+					return NewErrKeyringHelp(err)
+				}
+				netOpts = append(netOpts, net.WithPrivateKey(peerKey))
+				// load the optional encryption key
+				encryptionKey, err := kr.Get(encryptionKeyName)
+				if err != nil && !errors.Is(err, keyring.ErrNotFound) {
+					return err
+				}
+				storeOpts = append(storeOpts, node.WithEncryptionKey(encryptionKey))
+			}
+
 			opts := []node.NodeOpt{
 				node.WithPeers(peers...),
 				node.WithStoreOpts(storeOpts...),