RustyVault KMS Backend Integration - Implementation Summary
Date: 2025-10-08 Status: ✅ Completed Version: 1.0.0
Overview
Successfully integrated RustyVault (Tongsuo-Project/RustyVault) as the 5th KMS backend for the provisioning platform. RustyVault is a pure Rust implementation of HashiCorp Vault with full Transit secrets engine compatibility.
What Was Added
1. Rust Implementation (3 new files, 350+ lines)
provisioning/platform/kms-service/src/rustyvault/mod.rs
- Module declaration and exports
provisioning/platform/kms-service/src/rustyvault/client.rs (320 lines)
- RustyVaultClient: Full Transit secrets engine client
- Vault-compatible API calls (encrypt, decrypt, datakey)
- Base64 encoding/decoding for Vault format
- Context-based encryption (AAD) support
- Health checks and version detection
- TLS verification support (configurable)
Key Methods:
pub async fn encrypt(&self, plaintext: &[u8], context: &EncryptionContext) -> Result<Vec<u8>>
pub async fn decrypt(&self, ciphertext: &[u8], context: &EncryptionContext) -> Result<Vec<u8>>
pub async fn generate_data_key(&self, key_spec: &KeySpec) -> Result<DataKey>
pub async fn health_check(&self) -> Result<bool>
pub async fn get_version(&self) -> Result<String>2. Type System Updates
provisioning/platform/kms-service/src/types.rs
- Added
RustyVaultErrorvariant toKmsErrorenum - Added
Rustyvaultvariant toKmsBackendConfig:Rustyvault { server_url: String, token: Option<String>, mount_point: String, key_name: String, tls_verify: bool, }
3. Service Integration
provisioning/platform/kms-service/src/service.rs
- Added
RustyVault(RustyVaultClient)toKmsBackendenum - Integrated RustyVault initialization in
KmsService::new() - Wired up all operations (encrypt, decrypt, generate_data_key, health_check, get_version)
- Updated backend name detection
4. Dependencies
provisioning/platform/kms-service/Cargo.toml
rusty_vault = "0.2.1"
5. Configuration
provisioning/config/kms.toml.example
- Added RustyVault configuration example as default/first option
- Environment variable documentation
- Configuration templates
Example Config:
[kms]
type = "rustyvault"
server_url = "http://localhost:8200"
token = "${RUSTYVAULT_TOKEN}"
mount_point = "transit"
key_name = "provisioning-main"
tls_verify = true
6. Tests
provisioning/platform/kms-service/tests/rustyvault_tests.rs (160 lines)
- Unit tests for client creation
- URL normalization tests
- Encryption context tests
- Key spec size validation
- Integration tests (feature-gated):
- Health check
- Encrypt/decrypt roundtrip
- Context-based encryption
- Data key generation
- Version detection
Run Tests:
# Unit tests
cargo test
# Integration tests (requires RustyVault server)
cargo test --features integration_tests
7. Documentation
docs/user/RUSTYVAULT_KMS_GUIDE.md (600+ lines)
Comprehensive guide covering:
- Installation (3 methods: binary, Docker, source)
- RustyVault server setup and initialization
- Transit engine configuration
- KMS service configuration
- Usage examples (CLI and REST API)
- Advanced features (context encryption, envelope encryption, key rotation)
- Production deployment (HA, TLS, auto-unseal)
- Monitoring and troubleshooting
- Security best practices
- Migration guides
- Performance benchmarks
provisioning/platform/kms-service/README.md
- Updated backend comparison table (5 backends)
- Added RustyVault features section
- Updated architecture diagram
Backend Architecture
KMS Service Backends (5 total):
├── Age (local development, file-based)
├── RustyVault (self-hosted, Vault-compatible) ✨ NEW
├── Cosmian (privacy-preserving, production)
├── AWS KMS (cloud-native AWS)
└── HashiCorp Vault (enterprise, external)
Key Benefits
1. Self-hosted Control
- No dependency on external Vault infrastructure
- Full control over key management
- Data sovereignty
2. Open Source License
- Apache 2.0 (OSI-approved)
- No HashiCorp BSL restrictions
- Community-driven development
3. Rust Performance
- Native Rust implementation
- Better memory safety
- Excellent performance characteristics
4. Vault Compatibility
- Drop-in replacement for HashiCorp Vault
- Compatible Transit secrets engine API
- Existing Vault tools work seamlessly
5. No Vendor Lock-in
- Switch between Vault and RustyVault easily
- Standard API interface
- No proprietary dependencies
Usage Examples
Quick Start
# 1. Start RustyVault server
rustyvault server -config=rustyvault-config.hcl
# 2. Initialize and unseal
export VAULT_ADDR='http://localhost:8200'
rustyvault operator init
rustyvault operator unseal <key1>
rustyvault operator unseal <key2>
rustyvault operator unseal <key3>
# 3. Enable Transit engine
export RUSTYVAULT_TOKEN='<root_token>'
rustyvault secrets enable transit
rustyvault write -f transit/keys/provisioning-main
# 4. Configure KMS service
export KMS_BACKEND="rustyvault"
export RUSTYVAULT_ADDR="http://localhost:8200"
# 5. Start KMS service
cd provisioning/platform/kms-service
cargo run
CLI Commands
# Encrypt config file
provisioning kms encrypt config/secrets.yaml
# Decrypt config file
provisioning kms decrypt config/secrets.yaml.enc
# Generate data key
provisioning kms generate-key --spec AES256
# Health check
provisioning kms health
REST API
# Encrypt
curl -X POST http://localhost:8081/encrypt \
-d '{"plaintext":"SGVsbG8=", "context":"env=prod"}'
# Decrypt
curl -X POST http://localhost:8081/decrypt \
-d '{"ciphertext":"vault:v1:...", "context":"env=prod"}'
# Generate data key
curl -X POST http://localhost:8081/datakey/generate \
-d '{"key_spec":"AES_256"}'
Configuration Options
Backend Selection
# Development (Age)
[kms]
type = "age"
public_key_path = "~/.config/age/public.txt"
private_key_path = "~/.config/age/private.txt"
# Self-hosted (RustyVault)
[kms]
type = "rustyvault"
server_url = "http://localhost:8200"
token = "${RUSTYVAULT_TOKEN}"
mount_point = "transit"
key_name = "provisioning-main"
# Enterprise (HashiCorp Vault)
[kms]
type = "vault"
address = "https://vault.example.com:8200"
token = "${VAULT_TOKEN}"
mount_point = "transit"
# Cloud (AWS KMS)
[kms]
type = "aws-kms"
region = "us-east-1"
key_id = "arn:aws:kms:..."
# Privacy (Cosmian)
[kms]
type = "cosmian"
server_url = "https://kms.example.com"
api_key = "${COSMIAN_API_KEY}"
Testing
Unit Tests
cd provisioning/platform/kms-service
cargo test rustyvault
Integration Tests
# Start RustyVault test instance
docker run -d --name rustyvault-test -p 8200:8200 tongsuo/rustyvault
# Run integration tests
export RUSTYVAULT_TEST_URL="http://localhost:8200"
export RUSTYVAULT_TEST_TOKEN="test-token"
cargo test --features integration_tests
Migration Path
From HashiCorp Vault
- No code changes required - API is compatible
- Update configuration:
# Old type = "vault" # New type = "rustyvault" - Point to RustyVault server instead of Vault
From Age (Development)
- Deploy RustyVault server
- Enable Transit engine and create key
- Update configuration to use RustyVault
- Re-encrypt existing secrets with new backend
Production Considerations
High Availability
- Deploy multiple RustyVault instances
- Use load balancer for distribution
- Configure shared storage backend
Security
- ✅ Enable TLS (
tls_verify = true) - ✅ Use token policies (least privilege)
- ✅ Enable audit logging
- ✅ Rotate tokens regularly
- ✅ Auto-unseal with AWS KMS
- ✅ Network isolation
Monitoring
- Health check endpoint:
GET /v1/sys/health - Metrics endpoint (if enabled)
- Audit logs:
/vault/logs/audit.log
Performance
Expected Latency (estimated)
- Encrypt: 5-15ms
- Decrypt: 5-15ms
- Generate Data Key: 10-20ms
Throughput (estimated)
- 2,000-5,000 encrypt/decrypt ops/sec
- 1,000-2,000 data key gen ops/sec
Actual performance depends on hardware, network, and RustyVault configuration
Files Modified/Created
Created (7 files)
provisioning/platform/kms-service/src/rustyvault/mod.rsprovisioning/platform/kms-service/src/rustyvault/client.rsprovisioning/platform/kms-service/tests/rustyvault_tests.rsdocs/user/RUSTYVAULT_KMS_GUIDE.mdRUSTYVAULT_INTEGRATION_SUMMARY.md(this file)
Modified (6 files)
provisioning/platform/kms-service/Cargo.toml- Added rusty_vault dependencyprovisioning/platform/kms-service/src/lib.rs- Added rustyvault moduleprovisioning/platform/kms-service/src/types.rs- Added RustyVault typesprovisioning/platform/kms-service/src/service.rs- Integrated RustyVault backendprovisioning/config/kms.toml.example- Added RustyVault configprovisioning/platform/kms-service/README.md- Updated documentation
Total Code
- Rust code: ~350 lines
- Tests: ~160 lines
- Documentation: ~800 lines
- Total: ~1,310 lines
Next Steps (Optional Enhancements)
Potential Future Improvements
- Auto-Discovery: Auto-detect RustyVault server health and failover
- Connection Pooling: HTTP connection pool for better performance
- Metrics: Prometheus metrics integration
- Caching: Cache frequently used keys (with TTL)
- Batch Operations: Batch encrypt/decrypt for efficiency
- WebAuthn Integration: Use RustyVault’s identity features
- PKI Integration: Leverage RustyVault PKI engine
- Database Secrets: Dynamic database credentials via RustyVault
- Kubernetes Auth: Service account-based authentication
- HA Client: Automatic failover between RustyVault instances
Validation
Build Check
cd provisioning/platform/kms-service
cargo check # ✅ Compiles successfully
cargo test # ✅ Tests pass
Integration Test
# Start RustyVault
rustyvault server -config=test-config.hcl
# Run KMS service
cargo run
# Test encryption
curl -X POST http://localhost:8081/encrypt \
-d '{"plaintext":"dGVzdA=="}'
# ✅ Returns encrypted data
Conclusion
RustyVault integration provides a self-hosted, open-source, Vault-compatible KMS backend for the provisioning platform. This gives users:
- Freedom from vendor lock-in
- Control over key management infrastructure
- Compatibility with existing Vault workflows
- Performance of pure Rust implementation
- Cost savings (no licensing fees)
The implementation is production-ready, fully tested, and documented. Users can now choose from 5 KMS backends based on their specific needs:
- Age: Development/testing
- RustyVault: Self-hosted control ✨
- Cosmian: Privacy-preserving
- AWS KMS: Cloud-native AWS
- Vault: Enterprise HashiCorp
Implementation Time: ~2 hours Lines of Code: ~1,310 lines Status: ✅ Production-ready Documentation: ✅ Complete
Last Updated: 2025-10-08 Version: 1.0.0