jesus/provisioning
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
provisioning/docs/book/user/RUSTYVAULT_KMS_GUIDE.html

663 lines
27 KiB
HTML
Raw Permalink Normal View History

chore: update provisioning configuration and documentation Update configuration files, templates, and internal documentation for the provisioning repository system. Configuration Updates: - KMS configuration modernization - Plugin system settings - Service port mappings - Test cluster topologies - Installation configuration examples - VM configuration defaults - Cedar authorization policies Documentation Updates: - Library module documentation - Extension API guides - AI system documentation - Service management guides - Test environment setup - Plugin usage guides - Validator configuration documentation All changes are backward compatible.
2025-12-11 21:50:42 +00:00
<!DOCTYPE HTML>
<html lang="en" class="ayu sidebar-visible" dir="ltr">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>RustyVault KMS Guide - Provisioning Platform Documentation</title>
<!-- Custom HTML head -->
<meta name="description" content="Complete documentation for the Provisioning Platform - Infrastructure automation with Nushell, KCL, and Rust">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff">
<link rel="icon" href="../favicon.svg">
<link rel="shortcut icon" href="../favicon.png">
<link rel="stylesheet" href="../css/variables.css">
<link rel="stylesheet" href="../css/general.css">
<link rel="stylesheet" href="../css/chrome.css">
<link rel="stylesheet" href="../css/print.css" media="print">
<!-- Fonts -->
<link rel="stylesheet" href="../FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="../fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" id="highlight-css" href="../highlight.css">
<link rel="stylesheet" id="tomorrow-night-css" href="../tomorrow-night.css">
<link rel="stylesheet" id="ayu-highlight-css" href="../ayu-highlight.css">
<!-- Custom theme stylesheets -->
<!-- Provide site root and default themes to javascript -->
<script>
const path_to_root = "../";
const default_light_theme = "ayu";
const default_dark_theme = "navy";
</script>
<!-- Start loading toc.js asap -->
<script src="../toc.js"></script>
</head>
<body>
<div id="mdbook-help-container">
<div id="mdbook-help-popup">
<h2 class="mdbook-help-title">Keyboard shortcuts</h2>
<div>
<p>Press <kbd></kbd> or <kbd></kbd> to navigate between chapters</p>
<p>Press <kbd>S</kbd> or <kbd>/</kbd> to search in the book</p>
<p>Press <kbd>?</kbd> to show this help</p>
<p>Press <kbd>Esc</kbd> to hide this help</p>
</div>
</div>
</div>
<div id="body-container">
<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script>
try {
let theme = localStorage.getItem('mdbook-theme');
let sidebar = localStorage.getItem('mdbook-sidebar');
if (theme.startsWith('"') && theme.endsWith('"')) {
localStorage.setItem('mdbook-theme', theme.slice(1, theme.length - 1));
}
if (sidebar.startsWith('"') && sidebar.endsWith('"')) {
localStorage.setItem('mdbook-sidebar', sidebar.slice(1, sidebar.length - 1));
}
} catch (e) { }
</script>
<!-- Set the theme before any content is loaded, prevents flash -->
<script>
const default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches ? default_dark_theme : default_light_theme;
let theme;
try { theme = localStorage.getItem('mdbook-theme'); } catch(e) { }
if (theme === null || theme === undefined) { theme = default_theme; }
const html = document.documentElement;
html.classList.remove('ayu')
html.classList.add(theme);
html.classList.add("js");
</script>
<input type="checkbox" id="sidebar-toggle-anchor" class="hidden">
<!-- Hide / unhide sidebar before it is displayed -->
<script>
let sidebar = null;
const sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
if (document.body.clientWidth >= 1080) {
try { sidebar = localStorage.getItem('mdbook-sidebar'); } catch(e) { }
sidebar = sidebar || 'visible';
} else {
sidebar = 'hidden';
}
sidebar_toggle.checked = sidebar === 'visible';
html.classList.remove('sidebar-visible');
html.classList.add("sidebar-" + sidebar);
</script>
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<!-- populated by js -->
<mdbook-sidebar-scrollbox class="sidebar-scrollbox"></mdbook-sidebar-scrollbox>
<noscript>
<iframe class="sidebar-iframe-outer" src="../toc.html"></iframe>
</noscript>
<div id="sidebar-resize-handle" class="sidebar-resize-handle">
<div class="sidebar-resize-indicator"></div>
</div>
</nav>
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="menu-bar-hover-placeholder"></div>
<div id="menu-bar" class="menu-bar sticky">
<div class="left-buttons">
<label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
<i class="fa fa-bars"></i>
</label>
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
<i class="fa fa-paint-brush"></i>
</button>
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
<li role="none"><button role="menuitem" class="theme" id="default_theme">Auto</button></li>
<li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
</ul>
<button id="search-toggle" class="icon-button" type="button" title="Search (`/`)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="/ s" aria-controls="searchbar">
<i class="fa fa-search"></i>
</button>
</div>
<h1 class="menu-title">Provisioning Platform Documentation</h1>
<div class="right-buttons">
<a href="../print.html" title="Print this book" aria-label="Print this book">
<i id="print-button" class="fa fa-print"></i>
</a>
<a href="https://github.com/provisioning/provisioning-platform" title="Git repository" aria-label="Git repository">
<i id="git-repository-button" class="fa fa-github"></i>
</a>
<a href="https://github.com/provisioning/provisioning-platform/edit/main/provisioning/docs/src/user/RUSTYVAULT_KMS_GUIDE.md" title="Suggest an edit" aria-label="Suggest an edit">
<i id="git-edit-button" class="fa fa-edit"></i>
</a>
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
</form>
<div id="searchresults-outer" class="searchresults-outer hidden">
<div id="searchresults-header" class="searchresults-header"></div>
<ul id="searchresults">
</ul>
</div>
</div>
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
<script>
document.getElementById('sidebar-toggle').setAttribute('aria-expanded', sidebar === 'visible');
document.getElementById('sidebar').setAttribute('aria-hidden', sidebar !== 'visible');
Array.from(document.querySelectorAll('#sidebar a')).forEach(function(link) {
link.setAttribute('tabIndex', sidebar === 'visible' ? 0 : -1);
});
</script>
<div id="content" class="content">
<main>
<h1 id="rustyvault-kms-backend-guide"><a class="header" href="#rustyvault-kms-backend-guide">RustyVault KMS Backend Guide</a></h1>
<p><strong>Version</strong>: 1.0.0
<strong>Date</strong>: 2025-10-08
<strong>Status</strong>: Production-ready</p>
<hr />
<h2 id="overview"><a class="header" href="#overview">Overview</a></h2>
<p>RustyVault is a self-hosted, Rust-based secrets management system that provides a <strong>Vault-compatible API</strong>. The provisioning platform now supports RustyVault as a KMS backend alongside Age, Cosmian, AWS KMS, and HashiCorp Vault.</p>
<h3 id="why-rustyvault"><a class="header" href="#why-rustyvault">Why RustyVault?</a></h3>
<ul>
<li><strong>Self-hosted</strong>: Full control over your key management infrastructure</li>
<li><strong>Pure Rust</strong>: Better performance and memory safety</li>
<li><strong>Vault-compatible</strong>: Drop-in replacement for HashiCorp Vault Transit engine</li>
<li><strong>OSI-approved License</strong>: Apache 2.0 (vs HashiCorps BSL)</li>
<li><strong>Embeddable</strong>: Can run as standalone service or embedded library</li>
<li><strong>No Vendor Lock-in</strong>: Open-source alternative to proprietary KMS solutions</li>
</ul>
<hr />
<h2 id="architecture-position"><a class="header" href="#architecture-position">Architecture Position</a></h2>
<pre><code>KMS Service Backends:
├── Age (local development, file-based)
├── Cosmian (privacy-preserving, production)
├── AWS KMS (cloud-native AWS)
├── HashiCorp Vault (enterprise, external)
└── RustyVault (self-hosted, embedded) ✨ NEW
</code></pre>
<hr />
<h2 id="installation"><a class="header" href="#installation">Installation</a></h2>
<h3 id="option-1-standalone-rustyvault-server"><a class="header" href="#option-1-standalone-rustyvault-server">Option 1: Standalone RustyVault Server</a></h3>
<pre><code class="language-bash"># Install RustyVault binary
cargo install rusty_vault
# Start RustyVault server
rustyvault server -config=/path/to/config.hcl
</code></pre>
<h3 id="option-2-docker-deployment"><a class="header" href="#option-2-docker-deployment">Option 2: Docker Deployment</a></h3>
<pre><code class="language-bash"># Pull RustyVault image (if available)
docker pull tongsuo/rustyvault:latest
# Run RustyVault container
docker run -d \
--name rustyvault \
-p 8200:8200 \
-v $(pwd)/config:/vault/config \
-v $(pwd)/data:/vault/data \
tongsuo/rustyvault:latest
</code></pre>
<h3 id="option-3-from-source"><a class="header" href="#option-3-from-source">Option 3: From Source</a></h3>
<pre><code class="language-bash"># Clone repository
git clone https://github.com/Tongsuo-Project/RustyVault.git
cd RustyVault
# Build and run
cargo build --release
./target/release/rustyvault server -config=config.hcl
</code></pre>
<hr />
<h2 id="configuration"><a class="header" href="#configuration">Configuration</a></h2>
<h3 id="rustyvault-server-configuration"><a class="header" href="#rustyvault-server-configuration">RustyVault Server Configuration</a></h3>
<p>Create <code>rustyvault-config.hcl</code>:</p>
<pre><code class="language-hcl"># RustyVault Server Configuration
storage "file" {
path = "/vault/data"
}
listener "tcp" {
address = "0.0.0.0:8200"
tls_disable = true # Enable TLS in production
}
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
# Enable Transit secrets engine
default_lease_ttl = "168h"
max_lease_ttl = "720h"
</code></pre>
<h3 id="initialize-rustyvault"><a class="header" href="#initialize-rustyvault">Initialize RustyVault</a></h3>
<pre><code class="language-bash"># Initialize (first time only)
export VAULT_ADDR='http://127.0.0.1:8200'
rustyvault operator init
# Unseal (after every restart)
rustyvault operator unseal &lt;unseal_key_1&gt;
rustyvault operator unseal &lt;unseal_key_2&gt;
rustyvault operator unseal &lt;unseal_key_3&gt;
# Save root token
export RUSTYVAULT_TOKEN='&lt;root_token&gt;'
</code></pre>
<h3 id="enable-transit-engine"><a class="header" href="#enable-transit-engine">Enable Transit Engine</a></h3>
<pre><code class="language-bash"># Enable transit secrets engine
rustyvault secrets enable transit
# Create encryption key
rustyvault write -f transit/keys/provisioning-main
# Verify key creation
rustyvault read transit/keys/provisioning-main
</code></pre>
<hr />
<h2 id="kms-service-configuration"><a class="header" href="#kms-service-configuration">KMS Service Configuration</a></h2>
<h3 id="update-provisioningconfigkmstoml"><a class="header" href="#update-provisioningconfigkmstoml">Update <code>provisioning/config/kms.toml</code></a></h3>
<pre><code class="language-toml">[kms]
type = "rustyvault"
server_url = "http://localhost:8200"
token = "${RUSTYVAULT_TOKEN}"
mount_point = "transit"
key_name = "provisioning-main"
tls_verify = true
[service]
bind_addr = "0.0.0.0:8081"
log_level = "info"
audit_logging = true
[tls]
enabled = false # Set true with HTTPS
</code></pre>
<h3 id="environment-variables"><a class="header" href="#environment-variables">Environment Variables</a></h3>
<pre><code class="language-bash"># RustyVault connection
export RUSTYVAULT_ADDR="http://localhost:8200"
export RUSTYVAULT_TOKEN="s.xxxxxxxxxxxxxxxxxxxxxx"
export RUSTYVAULT_MOUNT_POINT="transit"
export RUSTYVAULT_KEY_NAME="provisioning-main"
export RUSTYVAULT_TLS_VERIFY="true"
# KMS service
export KMS_BACKEND="rustyvault"
export KMS_BIND_ADDR="0.0.0.0:8081"
</code></pre>
<hr />
<h2 id="usage"><a class="header" href="#usage">Usage</a></h2>
<h3 id="start-kms-service"><a class="header" href="#start-kms-service">Start KMS Service</a></h3>
<pre><code class="language-bash"># With RustyVault backend
cd provisioning/platform/kms-service
cargo run
# With custom config
cargo run -- --config=/path/to/kms.toml
</code></pre>
<h3 id="cli-operations"><a class="header" href="#cli-operations">CLI Operations</a></h3>
<pre><code class="language-bash"># Encrypt configuration file
provisioning kms encrypt provisioning/config/secrets.yaml
# Decrypt configuration
provisioning kms decrypt provisioning/config/secrets.yaml.enc
# Generate data key (envelope encryption)
provisioning kms generate-key --spec AES256
# Health check
provisioning kms health
</code></pre>
<h3 id="rest-api-usage"><a class="header" href="#rest-api-usage">REST API Usage</a></h3>
<pre><code class="language-bash"># Health check
curl http://localhost:8081/health
# Encrypt data
curl -X POST http://localhost:8081/encrypt \
-H "Content-Type: application/json" \
-d '{
"plaintext": "SGVsbG8sIFdvcmxkIQ==",
"context": "environment=production"
}'
# Decrypt data
curl -X POST http://localhost:8081/decrypt \
-H "Content-Type: application/json" \
-d '{
"ciphertext": "vault:v1:...",
"context": "environment=production"
}'
# Generate data key
curl -X POST http://localhost:8081/datakey/generate \
-H "Content-Type: application/json" \
-d '{"key_spec": "AES_256"}'
</code></pre>
<hr />
<h2 id="advanced-features"><a class="header" href="#advanced-features">Advanced Features</a></h2>
<h3 id="context-based-encryption-aad"><a class="header" href="#context-based-encryption-aad">Context-based Encryption (AAD)</a></h3>
<p>Additional authenticated data binds encrypted data to specific contexts:</p>
<pre><code class="language-bash"># Encrypt with context
curl -X POST http://localhost:8081/encrypt \
-d '{
"plaintext": "c2VjcmV0",
"context": "environment=prod,service=api"
}'
# Decrypt requires same context
curl -X POST http://localhost:8081/decrypt \
-d '{
"ciphertext": "vault:v1:...",
"context": "environment=prod,service=api"
}'
</code></pre>
<h3 id="envelope-encryption"><a class="header" href="#envelope-encryption">Envelope Encryption</a></h3>
<p>For large files, use envelope encryption:</p>
<pre><code class="language-bash"># 1. Generate data key
DATA_KEY=$(curl -X POST http://localhost:8081/datakey/generate \
-d '{"key_spec": "AES_256"}' | jq -r '.plaintext')
# 2. Encrypt large file with data key (locally)
openssl enc -aes-256-cbc -in large-file.bin -out encrypted.bin -K $DATA_KEY
# 3. Store encrypted data key (from response)
echo "vault:v1:..." &gt; encrypted-data-key.txt
</code></pre>
<h3 id="key-rotation"><a class="header" href="#key-rotation">Key Rotation</a></h3>
<pre><code class="language-bash"># Rotate encryption key in RustyVault
rustyvault write -f transit/keys/provisioning-main/rotate
# Verify new version
rustyvault read transit/keys/provisioning-main
# Rewrap existing ciphertext with new key version
curl -X POST http://localhost:8081/rewrap \
-d '{"ciphertext": "vault:v1:..."}'
</code></pre>
<hr />
<h2 id="production-deployment"><a class="header" href="#production-deployment">Production Deployment</a></h2>
<h3 id="high-availability-setup"><a class="header" href="#high-availability-setup">High Availability Setup</a></h3>
<p>Deploy multiple RustyVault instances behind a load balancer:</p>
<pre><code class="language-yaml"># docker-compose.yml
version: '3.8'
services:
rustyvault-1:
image: tongsuo/rustyvault:latest
ports:
- "8200:8200"
volumes:
- ./config:/vault/config
- vault-data-1:/vault/data
rustyvault-2:
image: tongsuo/rustyvault:latest
ports:
- "8201:8200"
volumes:
- ./config:/vault/config
- vault-data-2:/vault/data
lb:
image: nginx:alpine
ports:
- "80:80"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
depends_on:
- rustyvault-1
- rustyvault-2
volumes:
vault-data-1:
vault-data-2:
</code></pre>
<h3 id="tls-configuration"><a class="header" href="#tls-configuration">TLS Configuration</a></h3>
<pre><code class="language-toml"># kms.toml
[kms]
type = "rustyvault"
server_url = "https://vault.example.com:8200"
token = "${RUSTYVAULT_TOKEN}"
tls_verify = true
[tls]
enabled = true
cert_path = "/etc/kms/certs/server.crt"
key_path = "/etc/kms/certs/server.key"
ca_path = "/etc/kms/certs/ca.crt"
</code></pre>
<h3 id="auto-unseal-aws-kms"><a class="header" href="#auto-unseal-aws-kms">Auto-Unseal (AWS KMS)</a></h3>
<pre><code class="language-hcl"># rustyvault-config.hcl
seal "awskms" {
region = "us-east-1"
kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/..."
}
</code></pre>
<hr />
<h2 id="monitoring"><a class="header" href="#monitoring">Monitoring</a></h2>
<h3 id="health-checks"><a class="header" href="#health-checks">Health Checks</a></h3>
<pre><code class="language-bash"># RustyVault health
curl http://localhost:8200/v1/sys/health
# KMS service health
curl http://localhost:8081/health
# Metrics (if enabled)
curl http://localhost:8081/metrics
</code></pre>
<h3 id="audit-logging"><a class="header" href="#audit-logging">Audit Logging</a></h3>
<p>Enable audit logging in RustyVault:</p>
<pre><code class="language-hcl"># rustyvault-config.hcl
audit {
path = "/vault/logs/audit.log"
format = "json"
}
</code></pre>
<hr />
<h2 id="troubleshooting"><a class="header" href="#troubleshooting">Troubleshooting</a></h2>
<h3 id="common-issues"><a class="header" href="#common-issues">Common Issues</a></h3>
<p><strong>1. Connection Refused</strong></p>
<pre><code class="language-bash"># Check RustyVault is running
curl http://localhost:8200/v1/sys/health
# Check token is valid
export VAULT_ADDR='http://localhost:8200'
rustyvault token lookup
</code></pre>
<p><strong>2. Authentication Failed</strong></p>
<pre><code class="language-bash"># Verify token in environment
echo $RUSTYVAULT_TOKEN
# Renew token if needed
rustyvault token renew
</code></pre>
<p><strong>3. Key Not Found</strong></p>
<pre><code class="language-bash"># List available keys
rustyvault list transit/keys
# Create missing key
rustyvault write -f transit/keys/provisioning-main
</code></pre>
<p><strong>4. TLS Verification Failed</strong></p>
<pre><code class="language-bash"># Disable TLS verification (dev only)
export RUSTYVAULT_TLS_VERIFY=false
# Or add CA certificate
export RUSTYVAULT_CACERT=/path/to/ca.crt
</code></pre>
<hr />
<h2 id="migration-from-other-backends"><a class="header" href="#migration-from-other-backends">Migration from Other Backends</a></h2>
<h3 id="from-hashicorp-vault"><a class="header" href="#from-hashicorp-vault">From HashiCorp Vault</a></h3>
<p>RustyVault is API-compatible, minimal changes required:</p>
<pre><code class="language-bash"># Old config (Vault)
[kms]
type = "vault"
address = "https://vault.example.com:8200"
token = "${VAULT_TOKEN}"
# New config (RustyVault)
[kms]
type = "rustyvault"
server_url = "http://rustyvault.example.com:8200"
token = "${RUSTYVAULT_TOKEN}"
</code></pre>
<h3 id="from-age"><a class="header" href="#from-age">From Age</a></h3>
<p>Re-encrypt existing encrypted files:</p>
<pre><code class="language-bash"># 1. Decrypt with Age
provisioning kms decrypt --backend age secrets.enc &gt; secrets.plain
# 2. Encrypt with RustyVault
provisioning kms encrypt --backend rustyvault secrets.plain &gt; secrets.rustyvault.enc
</code></pre>
<hr />
<h2 id="security-considerations"><a class="header" href="#security-considerations">Security Considerations</a></h2>
<h3 id="best-practices"><a class="header" href="#best-practices">Best Practices</a></h3>
<ol>
<li><strong>Enable TLS</strong>: Always use HTTPS in production</li>
<li><strong>Rotate Tokens</strong>: Regularly rotate RustyVault tokens</li>
<li><strong>Least Privilege</strong>: Use policies to restrict token permissions</li>
<li><strong>Audit Logging</strong>: Enable and monitor audit logs</li>
<li><strong>Backup Keys</strong>: Secure backup of unseal keys and root token</li>
<li><strong>Network Isolation</strong>: Run RustyVault in isolated network segment</li>
</ol>
<h3 id="token-policies"><a class="header" href="#token-policies">Token Policies</a></h3>
<p>Create restricted policy for KMS service:</p>
<pre><code class="language-hcl"># kms-policy.hcl
path "transit/encrypt/provisioning-main" {
capabilities = ["update"]
}
path "transit/decrypt/provisioning-main" {
capabilities = ["update"]
}
path "transit/datakey/plaintext/provisioning-main" {
capabilities = ["update"]
}
</code></pre>
<p>Apply policy:</p>
<pre><code class="language-bash">rustyvault policy write kms-service kms-policy.hcl
rustyvault token create -policy=kms-service
</code></pre>
<hr />
<h2 id="performance"><a class="header" href="#performance">Performance</a></h2>
<h3 id="benchmarks-estimated"><a class="header" href="#benchmarks-estimated">Benchmarks (Estimated)</a></h3>
<div class="table-wrapper"><table><thead><tr><th>Operation</th><th>Latency</th><th>Throughput</th></tr></thead><tbody>
<tr><td>Encrypt</td><td>5-15ms</td><td>2,000-5,000 ops/sec</td></tr>
<tr><td>Decrypt</td><td>5-15ms</td><td>2,000-5,000 ops/sec</td></tr>
<tr><td>Generate Key</td><td>10-20ms</td><td>1,000-2,000 ops/sec</td></tr>
</tbody></table>
</div>
<p><em>Actual performance depends on hardware, network, and RustyVault configuration</em></p>
<h3 id="optimization-tips"><a class="header" href="#optimization-tips">Optimization Tips</a></h3>
<ol>
<li><strong>Connection Pooling</strong>: Reuse HTTP connections</li>
<li><strong>Batching</strong>: Batch multiple operations when possible</li>
<li><strong>Caching</strong>: Cache data keys for envelope encryption</li>
<li><strong>Local Unseal</strong>: Use auto-unseal for faster restarts</li>
</ol>
<hr />
<h2 id="related-documentation"><a class="header" href="#related-documentation">Related Documentation</a></h2>
<ul>
<li><strong>KMS Service</strong>: <code>docs/user/CONFIG_ENCRYPTION_GUIDE.md</code></li>
<li><strong>Dynamic Secrets</strong>: <code>docs/user/DYNAMIC_SECRETS_QUICK_REFERENCE.md</code></li>
<li><strong>Security System</strong>: <code>docs/architecture/ADR-009-security-system-complete.md</code></li>
<li><strong>RustyVault GitHub</strong>: https://github.com/Tongsuo-Project/RustyVault</li>
</ul>
<hr />
<h2 id="support"><a class="header" href="#support">Support</a></h2>
<ul>
<li><strong>GitHub Issues</strong>: https://github.com/Tongsuo-Project/RustyVault/issues</li>
<li><strong>Documentation</strong>: https://github.com/Tongsuo-Project/RustyVault/tree/main/docs</li>
<li><strong>Community</strong>: https://users.rust-lang.org/t/rustyvault-a-hashicorp-vault-replacement-in-rust/103943</li>
</ul>
<hr />
<p><strong>Last Updated</strong>: 2025-10-08
<strong>Maintained By</strong>: Architecture Team</p>
</main>
<nav class="nav-wrapper" aria-label="Page navigation">
<!-- Mobile navigation buttons -->
<a rel="prev" href="../user/SSH_TEMPORAL_KEYS_USER_GUIDE.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../user/extension-development.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
<div style="clear: both"></div>
</nav>
</div>
</div>
<nav class="nav-wide-wrapper" aria-label="Page navigation">
<a rel="prev" href="../user/SSH_TEMPORAL_KEYS_USER_GUIDE.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../user/extension-development.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
</nav>
</div>
<!-- Livereload script (if served using the cli tool) -->
<script>
const wsProtocol = location.protocol === 'https:' ? 'wss:' : 'ws:';
const wsAddress = wsProtocol + "//" + location.host + "/" + "__livereload";
const socket = new WebSocket(wsAddress);
socket.onmessage = function (event) {
if (event.data === "reload") {
socket.close();
location.reload();
}
};
window.onbeforeunload = function() {
socket.close();
}
</script>
<script>
window.playground_copyable = true;
</script>
<script src="../elasticlunr.min.js"></script>
<script src="../mark.min.js"></script>
<script src="../searcher.js"></script>
<script src="../clipboard.min.js"></script>
<script src="../highlight.js"></script>
<script src="../book.js"></script>
<!-- Custom JS scripts -->
</div>
</body>
</html>
Reference in New Issue Copy Permalink