Create a default key

Author: huntc

streambed-confidant-cli/README.md

@@ -18,7 +18,7 @@ cargo install streambed-confidant-cli
 ...or build it from this repo:
 
 ```
-cargo build --bin loggconfidanted --release
+cargo build --bin confidant --release
 ```
 
 ...and make a build available on the PATH (only for `cargo build` and just once per shell session):
@@ -27,4 +27,49 @@ cargo build --bin loggconfidanted --release
 export PATH="$PWD/target/release":$PATH
 ```
 
+Before you can use `confidant`, you must provide it with a root secret and a "secret id" (password)
+to authenticate the session. Here's an example with some dummy data:
+
+```
+echo "1800af9b273e4b9ea71ec723426933a4" > /tmp/root-secret
+echo "unused-id" > /tmp/ss-secret-id
+```
+
+We also need to create a directory for `confidant` to read and write its secrets. A security feature
+of the `confidant` library is that the directory must have a permission of `600` for the owner user.
+ACLs should then be used to control access for individual processes. Here's how the directory can be
+created:
+
+```
+mkdir /tmp/confidant
+chmod 700 /tmp/confidant
+```
+
+You would normally source the above secrets from your production system, preferably without
+them leaving your production system.
+
+Given the root secret, encrypt some data :
+
+```
+echo '{"value":"SGkgdGhlcmU="}' | \
+  confidant --root-path=/tmp/confidant encrypt --file - --path="default/my-secret-path"
+```
+
+...which would output:
+
+```
+{"value":"EZy4HLnFC4c/W63Qtp288WWFj8U="}
+```
+
+That value is now encrypted with a salt.
+
+We can also decrypt in a similar fashion:
+
+```
+echo '{"value":"EZy4HLnFC4c/W63Qtp288WWFj8U="}' | \
+  confidant --root-path=/tmp/confidant decrypt --file - --path="default/my-secret-path"
+```
+
+...which will yield the original BASE64 value that we encrypted.
+
 Use `--help` to discover all of the options.

streambed-confidant-cli/src/cryptor.rs

@@ -1,13 +1,15 @@
 use std::{
+    collections::HashMap,
     io::{self, Write},
     time::Duration,
 };
 
+use rand::RngCore;
 use serde_json::Value;
 use streambed::{
     crypto::{self, SALT_SIZE},
     get_secret_value,
-    secret_store::SecretStore,
+    secret_store::{SecretData, SecretStore},
 };
 use tokio::{sync::mpsc::channel, time};
 
@@ -101,6 +103,17 @@ pub async fn encrypt(
     path: &str,
     select: &str,
 ) -> Result<(), Errors> {
+    // As a convenience, we create the secret when encrypting if there
+    // isn't one.
+    if get_secret_value(&ss, path).await.is_none() {
+        let mut key = vec![0; 16];
+        rand::thread_rng().fill_bytes(&mut key);
+        let data = HashMap::from([("value".to_string(), hex::encode(key))]);
+        ss.create_secret(path, SecretData { data })
+            .await
+            .map_err(Errors::SecretStore)?;
+    }
+
     fn process(key: Vec<u8>, mut data_bytes: Vec<u8>) -> Option<Vec<u8>> {
         let salt = crypto::salt(&mut rand::thread_rng());
         crypto::encrypt(&mut data_bytes, &key.try_into().ok()?, &salt);

streambed-confidant-cli/src/main.rs

@@ -119,7 +119,9 @@ struct EncryptCommand {
     #[clap(long, default_value = "value")]
     pub select: String,
 
-    /// The path to the secret e.g. "default/secrets.configurator-events.key"
+    /// The path to the secret e.g. "default/secrets.configurator-events.key".
+    /// NOTE: as a convenience, in the case where the there is no secret at
+    /// this path, then one will be attempted to be created.
     #[clap(long)]
     pub path: String,
 }