local-mini-kms/README.md
2026-03-12 23:38:31 +08:00

4.1 KiB

local-mini-kms

Mini-KMS is a small key management service that runs locally, written in Rust.

Build

cargo build --release [--no-default-features]

Init

New random master key:

head -c 32 /dev/random | base64

Generate a Yubikey-encrypted master key

Generate an encrypted master key with the Yubikey:

local-mini-kms yubikey-init-master-key --generate-key [--yubikey-challenge *challenge*]

Start the server

Start without init:

local-mini-kms serve

Init with Yubikey:

local-mini-kms serve [--init-encrypted-master-key LKMS:*** [--yubikey-challenge *challenge*]]

Local Client init via SSH

local-mini-kms cli --init --ssh-remote root@example.com [--read-from-pinentry]

Local Client

local-mini-kms cli --init
local-mini-kms cli --offline-init
local-mini-kms cli --direct-init --value-base64 wNdr9sZN4**** [--yubikey-challenge *challenge*]
local-mini-kms cli --encrypt --value hello
local-mini-kms cli --decrypt --value LKMS:***
local-mini-kms cli --read --name test
local-mini-kms cli --write --name test --value hello [--force-write] [--comment *comment*]

cURL

Write value:

curl -X POST http://127.0.0.1:5567/write \
     -H "Content-Type: application/json" \
     -d '{"name":"test","value":{"value":"hello"}}'

Read value:

curl -X POST http://127.0.0.1:5567/read \
     -H "Content-Type: application/json" \
     -d '{"name":"test"}'

Generate data key:

curl -X POST http://127.0.0.1:5567/datakey \
     -H "Content-Type: application/json" \
     -d '{"type":"aes", "spec":"256", "exportable": true, "return_plaintext": true, "name": "key001", "comment": "the comment"}'

Equivalent request with xh:

xh POST http://127.0.0.1:5567/datakey \
     type=aes \
     spec=256 \
     exportable:=false \
     name=testkey01 \
     comment='this is a test key 01'

List entries:

xh POST http://127.0.0.1:5567/list type=value name=name limit:=10

Data key request fields:

Key               Comment
type              aes
spec              128, 192, 256 if type == aes
exportable        [optional] true or false, default true
return_plaintext  [optional] true or false, default false
name              [optional] Data key name
comment           [optional] Data key comment
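The write, read and data-key requests from this section wrapped in a small Python client, as an added example that is not part of local-mini-kms. It enforces the field rules from the table above (spec only 128/192/256 for aes, exportable defaulting to true, return_plaintext to false) and assumes the server replies with a JSON body, which the README does not show.

```python
import json
import urllib.request

KMS_URL = "http://127.0.0.1:5567"  # default address used in the cURL section
AES_SPECS = {"128", "192", "256"}   # allowed spec values when type == aes


def datakey_request(key_type="aes", spec="256", exportable=True,
                    return_plaintext=False, name=None, comment=None):
    """Build the JSON body for POST /datakey, enforcing the documented rules.
    Defaults follow the field table: exportable=true, return_plaintext=false,
    so plaintext key material only comes back when explicitly requested."""
    if key_type != "aes":
        raise ValueError(f"unsupported key type: {key_type!r}")
    if str(spec) not in AES_SPECS:
        raise ValueError(f"spec must be one of {sorted(AES_SPECS)} for aes")
    body = {"type": key_type, "spec": str(spec),  # spec is sent as a string
            "exportable": bool(exportable),
            "return_plaintext": bool(return_plaintext)}
    if name is not None:
        body["name"] = name
    if comment is not None:
        body["comment"] = comment
    return body


def write_request(name, value):
    # Note the nested shape: the stored secret sits under value.value
    return {"name": name, "value": {"value": value}}


def read_request(name):
    return {"name": name}


def post(path, body, base_url=KMS_URL, timeout=5):
    """POST a JSON body to the local server and return the decoded reply
    (assumption: the server answers with JSON)."""
    req = urllib.request.Request(
        base_url + path, data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Same sequence as the cURL section: write, read back, mint a data key
    print(post("/write", write_request("test", "hello")))
    print(post("/read", read_request("test")))
    print(post("/datakey", datakey_request(spec=256, name="key001",
                                           comment="the comment")))
```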

Upgrade to v3.2

ALTER TABLE keys
    ADD COLUMN comment TEXT;

How Local-Mini-KMS initializes

                  ┌──────────────────────────┐
                  │  Local Mini KMS          │
          Decrypt │  ┌─────────────────────┐ │
┌──────┐ ┌────────┤► │ Master Key          │ │
│ App  │ ◄────────┼┘ └─────────────────────┘ │
└──────┘          │  1. Generate temp keypair│
                  │  Temp Private Key        │6. Decrypt encrypted master key by Private key
                  │  Temp Public Key         │7. Clear Private Key and Public Key
                  │  │                  ▲    │
                  └──┼──────────────────┬────┘
                     │                  │
                     │2.Get Public Key  │5. Write Public Key encrypted master key
                     │                  │
                     ▼                  │

                   3. Decrypt encrypted master key by YubiKey
                   4. Encrypt master key by Public Key
                   ┌┬──────────────┐
                  ┌┼│ YubiKey      │
                  └┼│              │
                   └┴──────────────┘