kms/README.md
JosePisco 3ad1bc7217
feat: OpenSSL crypto support for kms/crate/utils with full FIPS support (#115)
* Rebase grnx-fix-fips from develop

* Pull Cargo.lock from develop

* fips: fixed test_password_wrap_import and opened issue #124

* fips: generated non-deprecated pkcs12 certificates

* test: fix old uid size in test covercrypt import key

* fix: revert some unneeded changes

* fixbug: padded be bytes key conversions

* fix: typos

* ci: rewrite tests in container

* Revert "ci: rewrite tests in container"

This reverts commit 7adb273660.

* ci: redis hostname 0.0.0.0

* docs: wrote docs on fips algorithms

* ci: use host addresses for docker containers use

* ci: merge ubuntu workflows

* fixbug: padded remnant conversions with pad_be_bytes() on other files

* fix: given mutability in function call in pad_be_bytes()

* ci: re-add test var. env. for Google CSE

* ci: re-add test var. env. for Google CSE

* bugfix: to_u32_digits() created little-endian u32 from big endian bytes.

* fix: Remove bootstrap server and enclave (#122)

* Remove bootstrap server

* Remove enclave-related stuff

* Apply suggestions from code review

Co-authored-by: heavenboy <49846064+heavenboy8@users.noreply.github.com>

* Update crate/server/README.md

Co-authored-by: heavenboy <49846064+heavenboy8@users.noreply.github.com>

* Renaming verify_cert into client_cert

* Add KMS supervisor conf and instructions

* remove acme dep

---------

Co-authored-by: heavenboy <49846064+heavenboy8@users.noreply.github.com>
Co-authored-by: Sébastien Lambert <sebastien.lambert@cosmian.com>

* comments: added hunk of comments on bugfix for to_u32_digits()

* fix: remove useless deps from Cargo.toml

* bugfix: padded in kmip_data_structure an EC private key from BigUint to bytes

* fix: remove openssl from cli

---------

Co-authored-by: Bruno Grieder <bruno.grieder@cosmian.com>
Co-authored-by: Manuthor <manu.coste@gmail.com>
Co-authored-by: Thibs <ThibsG@users.noreply.github.com>
Co-authored-by: heavenboy <49846064+heavenboy8@users.noreply.github.com>
Co-authored-by: Sébastien Lambert <sebastien.lambert@cosmian.com>
2023-12-21 12:07:11 +01:00
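The commit message above names two conversion defects: to_u32_digits() returns little-endian u32 limbs that were read as big-endian, and key byte conversions that lost their leading zero padding. The following Rust is an added example, not code from the Cosmian KMS repository; it assumes num-bigint-style little-endian u32 limbs as input and a hypothetical 32-byte scalar width, and shows a fixed-width conversion next to the defective pattern.

```rust
// Added example (not Cosmian KMS code): turn a big integer held as
// little-endian u32 limbs (the layout BigUint::to_u32_digits() returns)
// into a fixed-width big-endian byte string, e.g. an EC private key scalar.

/// Convert little-endian u32 limbs into exactly `width` big-endian bytes.
/// Returns Err if the value does not fit in `width` bytes.
pub fn limbs_le_to_padded_be_bytes(limbs: &[u32], width: usize) -> Result<Vec<u8>, String> {
    // Most-significant limb first, each limb serialised big-endian.
    let mut be: Vec<u8> = limbs.iter().rev().flat_map(|l| l.to_be_bytes()).collect();
    // Drop leading zero bytes coming from high limbs that are zero.
    let first_nonzero = be.iter().position(|&b| b != 0).unwrap_or(be.len());
    be.drain(..first_nonzero);
    if be.len() > width {
        return Err(format!("value needs {} bytes, field is {} bytes", be.len(), width));
    }
    // Left-pad with zeros so the scalar always keeps its fixed width.
    let mut out = vec![0u8; width - be.len()];
    out.extend_from_slice(&be);
    Ok(out)
}

/// The defective pattern the commit message describes, kept for comparison:
/// limbs taken in the order returned (little-endian) and no padding applied.
pub fn limbs_naive_to_bytes(limbs: &[u32]) -> Vec<u8> {
    limbs.iter().flat_map(|l| l.to_be_bytes()).collect()
}

/// Inverse: fixed-width big-endian bytes back to little-endian u32 limbs.
pub fn padded_be_bytes_to_limbs_le(bytes: &[u8]) -> Vec<u32> {
    // Left-pad to a multiple of 4, then read 4-byte chunks from the end.
    let pad = (4 - bytes.len() % 4) % 4;
    let mut padded = vec![0u8; pad];
    padded.extend_from_slice(bytes);
    let mut limbs: Vec<u32> = padded
        .chunks_exact(4)
        .rev()
        .map(|c| u32::from_be_bytes([c[0], c[1], c[2], c[3]]))
        .collect();
    // Normalise: no trailing (most-significant) zero limbs.
    while limbs.last() == Some(&0) { limbs.pop(); }
    limbs
}

fn main() {
    // Constructed sample: the value 0x1_0000_0002 as little-endian limbs.
    let limbs = [0x0000_0002u32, 0x0000_0001u32];
    let good = limbs_le_to_padded_be_bytes(&limbs, 32).unwrap();
    println!("padded BE: {:02x?}", good);
    println!("naive/buggy: {:02x?}", limbs_naive_to_bytes(&limbs));
}
```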


Cosmian KMS


Cosmian KMS is an open-source implementation of a high-performance, massively scalable Key Management System with some unique features, such as

  • the ability to run in a public cloud - or any zero-trust environment - using application-level encryption (see Redis-Findex)
  • a JSON KMIP 2.1 compliant interface
  • support for object tagging to easily manage keys and secrets
  • a full-featured command line interface (CLI)
  • Python, JavaScript, Dart, Rust, C/C++ and Java clients (see the cloudproof libraries on Cosmian GitHub)

It has extensive documentation and is also available packaged as Docker images (docker pull ghcr.io/cosmian/kms) to get you started quickly.

The KMS can manage keys and secrets used with a comprehensive list of common cryptographic schemes (AES, ECIES, ...) and Cosmian's advanced cryptographic stacks such as Covercrypt. Keys can be wrapped and unwrapped using ECIES or RFC5649.

Repository content

The server is written in Rust and is broken down into several binaries:

  • A server (cosmian_kms_server) which is the KMS itself
  • A CLI (ckms) to interact with this server

and several libraries:

  • cosmian_kms_client to query the server
  • cosmian_kms_utils to create KMIP requests for the crypto-systems designed by Cosmian
  • cosmian_kmip which is an implementation of the KMIP standard
  • cosmian_kms_pyo3, a KMS client in Python

Please refer to the README of each inner directory for more information.

You can build a Docker image containing the KMS server as follows:

# Example with auth and https features
docker build . --network=host \
               --build-arg  \
               -t kms

The delivery directory contains everything required to produce a KMS delivery based on a Docker build.

Find the public documentation of the KMS in the documentation directory.

Build quick start

From the root of the project, on your local machine, for development:

cargo build --no-default-features
cargo test --no-default-features

Releases

All releases can be found at the public URL package.cosmian.com.

Setup as a Supervisor service

Copy the binary target/release/cosmian_kms to the folder on the remote machine that the cosmian_kms.ini configuration expects (i.e. /usr/sbin/cosmian_kms).

Copy the cosmian_kms.ini config file to /etc/supervisord.d/cosmian_kms.ini on the remote machine.

Run:

supervisorctl reload
supervisorctl start cosmian_kms
supervisorctl status cosmian_kms