local-mini-kms/README.md

# local-mini-kms

Mini-KMS runs local written by Rust

## Build

```shell
cargo build --release [--no-default-features]
```

## Init

New random master key:

```shell
head -c 32 /dev/random | base64
```

## Generate Yubikey encrypted master key

Generate encrypted master key with Yubikey:

```shell
local-mini-kms yubikey-init-master-key --generate-key [--yubikey-challenge *challenge*]
```

## Startup Server

Startup without init:

```shell
local-mini-kms serve
```

Init with Yubikey:

```shell
local-mini-kms serve [--init-encrypted-master-key LKMS:*** [--yubikey-challenge *challenge*]]
```

## Local Client init via SSH

```shell
local-mini-kms cli --init --ssh-remote root@example.com [--read-from-pinentry]
```

## Local Client

```shell
local-mini-kms cli --init
```

```shell
local-mini-kms cli --offline-init
```

```shell
local-mini-kms cli --direct-init --value-base64 wNdr9sZN4**** [--yubikey-challenge *challenge*]
```

```shell
local-mini-kms cli --encrypt --value hello
```

```shell
local-mini-kms cli --decrypt --value LKMS:***
```

```shell
local-mini-kms cli --read --name test
```

```shell
local-mini-kms cli --write --name test --value hello [--force-write] [--comment *comment*]
```

## cURL

Write value:

```shell
curl -X POST http://127.0.0.1:5567/write \
     -H "Content-Type: application/json" \
     -d '{"name":"test","value":{"value":"hello"}}'
```

Read value:

```shell
curl -X POST http://127.0.0.1:5567/read \
     -H "Content-Type: application/json" \
     -d '{"name":"test"}'
```

Generate data key:

```shell
curl -X POST http://127.0.0.1:5567/datakey \
     -H "Content-Type: application/json" \
     -d '{"type":"aes", "spec":"256", "exportable": true, "return_plaintext": true, "name": "key001", "comment": "the comment"}'
```

```shell
xh POST http://127.0.0.1:5567/datakey \
     type=aes \
     spec=256 \
     exportable:=false \
     name=testkey01 \
     comment='this is a test key 01'
```

```shell
xh POST http://127.0.0.1:5567/list type=value name=name limit:=10
```

| Key              | Comment                                              |
|------------------|------------------------------------------------------|
| type             | `aes`                                                |
| spec             | ~~`128`, `192`,~~ `256` if `type` == `aes`           |
| exportable       | <i>[optional]</i> `true` or `false` , default `true` |
| return_plaintext | <i>[optional]</i> `true` or `false`, default `false` |
| name             | <i>[optional]</i> Data key name                      |
| comment          | <i>[optional]</i> Data key comment                   |

Upgrade to v3.2

```sql
ALTER TABLE keys
    ADD COLUMN comment TEXT;
```

## How Local-Mini-KMS init

```text
                  ┌──────────────────────────┐
                  │  Local Mini KMS          │
          Decrypt │  ┌─────────────────────┐ │
┌──────┐ ┌────────┤► │ Master Key          │ │
│ App  │ ◄────────┼┘ └─────────────────────┘ │
└──────┘          │  1. Generate temp keypair│
                  │  Temp Private Key        │6. Decrypt encrypted master key by Private key
                  │  Temp Public Key         │7. Clear Private Key and Public Key
                  │  │                  ▲    │
                  └──┼──────────────────┬────┘
                     │                  │
                     │2.Get Public Key  │5. Write Public Key encrypted master key
                     │                  │
                     ▼                  │

                   3. Decrypt encrypted master key by YubiKey
                   4. Encrypt master key by Public Key
                   ┌┬──────────────┐
                  ┌┼│ YubiKey      │
                  └┼│              │
                   └┴──────────────┘
```