provisioning/docs/book/user/RUSTYVAULT_KMS_GUIDE.html
Jesús Pérez 6a59d34bb1
chore: update provisioning configuration and documentation
Update configuration files, templates, and internal documentation
for the provisioning repository system.

Configuration Updates:
- KMS configuration modernization
- Plugin system settings
- Service port mappings
- Test cluster topologies
- Installation configuration examples
- VM configuration defaults
- Cedar authorization policies

Documentation Updates:
- Library module documentation
- Extension API guides
- AI system documentation
- Service management guides
- Test environment setup
- Plugin usage guides
- Validator configuration documentation

All changes are backward compatible.
2025-12-11 21:50:42 +00:00


<!DOCTYPE HTML>
<html lang="en" class="ayu sidebar-visible" dir="ltr">
<head>
<!-- Book generated using mdBook -->
<meta charset="UTF-8">
<title>RustyVault KMS Guide - Provisioning Platform Documentation</title>
<!-- Custom HTML head -->
<meta name="description" content="Complete documentation for the Provisioning Platform - Infrastructure automation with Nushell, KCL, and Rust">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="theme-color" content="#ffffff">
<link rel="icon" href="../favicon.svg">
<link rel="shortcut icon" href="../favicon.png">
<link rel="stylesheet" href="../css/variables.css">
<link rel="stylesheet" href="../css/general.css">
<link rel="stylesheet" href="../css/chrome.css">
<link rel="stylesheet" href="../css/print.css" media="print">
<!-- Fonts -->
<link rel="stylesheet" href="../FontAwesome/css/font-awesome.css">
<link rel="stylesheet" href="../fonts/fonts.css">
<!-- Highlight.js Stylesheets -->
<link rel="stylesheet" id="highlight-css" href="../highlight.css">
<link rel="stylesheet" id="tomorrow-night-css" href="../tomorrow-night.css">
<link rel="stylesheet" id="ayu-highlight-css" href="../ayu-highlight.css">
<!-- Custom theme stylesheets -->
<!-- Provide site root and default themes to javascript -->
<script>
// Site root relative to this page (presumably used by the book scripts loaded below to resolve asset and chapter URLs).
const path_to_root = "../";
// Theme names applied when the visitor has no stored preference; the theme script in <body> reads them.
const default_light_theme = "ayu";
const default_dark_theme = "navy";
</script>
<!-- Start loading toc.js asap -->
<script src="../toc.js"></script>
</head>
<body>
<div id="mdbook-help-container">
<div id="mdbook-help-popup">
<h2 class="mdbook-help-title">Keyboard shortcuts</h2>
<div>
<p>Press <kbd>←</kbd> or <kbd>→</kbd> to navigate between chapters</p>
<p>Press <kbd>S</kbd> or <kbd>/</kbd> to search in the book</p>
<p>Press <kbd>?</kbd> to show this help</p>
<p>Press <kbd>Esc</kbd> to hide this help</p>
</div>
</div>
</div>
<div id="body-container">
<!-- Work around some values being stored in localStorage wrapped in quotes -->
<script>
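// Repair preference values that were stored JSON-quoted in localStorage.
// Each key is handled on its own: the original checked the theme first, so a missing
// theme (null on a first visit) threw inside the try and skipped the sidebar repair.
try {
  const unquote = function (key) {
    const value = localStorage.getItem(key);
    if (typeof value === 'string' && value.startsWith('"') && value.endsWith('"')) {
      localStorage.setItem(key, value.slice(1, value.length - 1));
    }
  };
  unquote('mdbook-theme');
  unquote('mdbook-sidebar');
} catch (e) { }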
</script>
<!-- Set the theme before any content is loaded, prevents flash -->
<script>
// Resolve and apply the colour theme before any content renders, to avoid a flash of
// the wrong theme. A stored preference wins; otherwise follow the OS dark-mode hint.
const default_theme = window.matchMedia("(prefers-color-scheme: dark)").matches
  ? default_dark_theme
  : default_light_theme;
let theme;
try { theme = localStorage.getItem('mdbook-theme'); } catch (e) { }
if (theme == null) {   // null (unset) or undefined (storage blocked)
  theme = default_theme;
}
const html = document.documentElement;
html.classList.remove('ayu');
html.classList.add(theme, "js");
</script>
<input type="checkbox" id="sidebar-toggle-anchor" class="hidden">
<!-- Hide / unhide sidebar before it is displayed -->
<script>
// Decide the sidebar's initial state before it is painted. Wide viewports honour the
// stored preference (defaulting to visible); narrow viewports always start hidden.
let sidebar = 'hidden';
const sidebar_toggle = document.getElementById("sidebar-toggle-anchor");
if (document.body.clientWidth >= 1080) {
  let stored = null;
  try { stored = localStorage.getItem('mdbook-sidebar'); } catch (e) { }
  sidebar = stored || 'visible';
}
sidebar_toggle.checked = (sidebar === 'visible');
html.classList.remove('sidebar-visible');
html.classList.add("sidebar-" + sidebar);
</script>
<nav id="sidebar" class="sidebar" aria-label="Table of contents">
<!-- populated by js -->
<mdbook-sidebar-scrollbox class="sidebar-scrollbox"></mdbook-sidebar-scrollbox>
<noscript>
<iframe class="sidebar-iframe-outer" src="../toc.html"></iframe>
</noscript>
<div id="sidebar-resize-handle" class="sidebar-resize-handle">
<div class="sidebar-resize-indicator"></div>
</div>
</nav>
<div id="page-wrapper" class="page-wrapper">
<div class="page">
<div id="menu-bar-hover-placeholder"></div>
<div id="menu-bar" class="menu-bar sticky">
<div class="left-buttons">
<label id="sidebar-toggle" class="icon-button" for="sidebar-toggle-anchor" title="Toggle Table of Contents" aria-label="Toggle Table of Contents" aria-controls="sidebar">
<i class="fa fa-bars"></i>
</label>
<button id="theme-toggle" class="icon-button" type="button" title="Change theme" aria-label="Change theme" aria-haspopup="true" aria-expanded="false" aria-controls="theme-list">
<i class="fa fa-paint-brush"></i>
</button>
<ul id="theme-list" class="theme-popup" aria-label="Themes" role="menu">
<li role="none"><button role="menuitem" class="theme" id="default_theme">Auto</button></li>
<li role="none"><button role="menuitem" class="theme" id="light">Light</button></li>
<li role="none"><button role="menuitem" class="theme" id="rust">Rust</button></li>
<li role="none"><button role="menuitem" class="theme" id="coal">Coal</button></li>
<li role="none"><button role="menuitem" class="theme" id="navy">Navy</button></li>
<li role="none"><button role="menuitem" class="theme" id="ayu">Ayu</button></li>
</ul>
<button id="search-toggle" class="icon-button" type="button" title="Search (`/`)" aria-label="Toggle Searchbar" aria-expanded="false" aria-keyshortcuts="/ s" aria-controls="searchbar">
<i class="fa fa-search"></i>
</button>
</div>
<h1 class="menu-title">Provisioning Platform Documentation</h1>
<div class="right-buttons">
<a href="../print.html" title="Print this book" aria-label="Print this book">
<i id="print-button" class="fa fa-print"></i>
</a>
<a href="https://github.com/provisioning/provisioning-platform" title="Git repository" aria-label="Git repository">
<i id="git-repository-button" class="fa fa-github"></i>
</a>
<a href="https://github.com/provisioning/provisioning-platform/edit/main/provisioning/docs/src/user/RUSTYVAULT_KMS_GUIDE.md" title="Suggest an edit" aria-label="Suggest an edit">
<i id="git-edit-button" class="fa fa-edit"></i>
</a>
</div>
</div>
<div id="search-wrapper" class="hidden">
<form id="searchbar-outer" class="searchbar-outer">
<input type="search" id="searchbar" name="searchbar" placeholder="Search this book ..." aria-controls="searchresults-outer" aria-describedby="searchresults-header">
</form>
<div id="searchresults-outer" class="searchresults-outer hidden">
<div id="searchresults-header" class="searchresults-header"></div>
<ul id="searchresults">
</ul>
</div>
</div>
<!-- Apply ARIA attributes after the sidebar and the sidebar toggle button are added to the DOM -->
<script>
// Mirror the sidebar's initial visibility into ARIA state, and keep the links of a
// hidden sidebar out of the keyboard tab order.
(function (visible) {
  document.getElementById('sidebar-toggle').setAttribute('aria-expanded', visible);
  document.getElementById('sidebar').setAttribute('aria-hidden', !visible);
  const tab = visible ? 0 : -1;
  for (const link of document.querySelectorAll('#sidebar a')) {
    link.setAttribute('tabIndex', tab);
  }
})(sidebar === 'visible');
</script>
<div id="content" class="content">
<main>
<h1 id="rustyvault-kms-backend-guide"><a class="header" href="#rustyvault-kms-backend-guide">RustyVault KMS Backend Guide</a></h1>
<p><strong>Version</strong>: 1.0.0
<strong>Date</strong>: 2025-10-08
<strong>Status</strong>: Production-ready</p>
<hr />
<h2 id="overview"><a class="header" href="#overview">Overview</a></h2>
<p>RustyVault is a self-hosted, Rust-based secrets management system that provides a <strong>Vault-compatible API</strong>. The provisioning platform now supports RustyVault as a KMS backend alongside Age, Cosmian, AWS KMS, and HashiCorp Vault.</p>
<h3 id="why-rustyvault"><a class="header" href="#why-rustyvault">Why RustyVault?</a></h3>
<ul>
<li><strong>Self-hosted</strong>: Full control over your key management infrastructure</li>
<li><strong>Pure Rust</strong>: Better performance and memory safety</li>
<li><strong>Vault-compatible</strong>: Drop-in replacement for HashiCorp Vault Transit engine</li>
<li><strong>OSI-approved License</strong>: Apache 2.0 (vs HashiCorp's BSL)</li>
<li><strong>Embeddable</strong>: Can run as standalone service or embedded library</li>
<li><strong>No Vendor Lock-in</strong>: Open-source alternative to proprietary KMS solutions</li>
</ul>
<hr />
<h2 id="architecture-position"><a class="header" href="#architecture-position">Architecture Position</a></h2>
<pre><code>KMS Service Backends:
├── Age (local development, file-based)
├── Cosmian (privacy-preserving, production)
├── AWS KMS (cloud-native AWS)
├── HashiCorp Vault (enterprise, external)
└── RustyVault (self-hosted, embedded) ✨ NEW
</code></pre>
<hr />
<h2 id="installation"><a class="header" href="#installation">Installation</a></h2>
<h3 id="option-1-standalone-rustyvault-server"><a class="header" href="#option-1-standalone-rustyvault-server">Option 1: Standalone RustyVault Server</a></h3>
<pre><code class="language-bash"># Install RustyVault binary
cargo install rusty_vault
# Start RustyVault server
rustyvault server -config=/path/to/config.hcl
</code></pre>
<h3 id="option-2-docker-deployment"><a class="header" href="#option-2-docker-deployment">Option 2: Docker Deployment</a></h3>
<pre><code class="language-bash"># Pull RustyVault image (if available). For anything beyond a local trial, pin a
# version tag or image digest instead of :latest so deployments are reproducible.
docker pull tongsuo/rustyvault:latest
# Run RustyVault container.
# The sample server config below disables TLS, so publish the API port on the
# host's loopback interface only (-p 127.0.0.1:8200:8200); "-p 8200:8200" binds
# all interfaces and would put tokens and plaintext on the network.
docker run -d \
--name rustyvault \
-p 127.0.0.1:8200:8200 \
-v "$(pwd)/config:/vault/config" \
-v "$(pwd)/data:/vault/data" \
tongsuo/rustyvault:latest
</code></pre>
<h3 id="option-3-from-source"><a class="header" href="#option-3-from-source">Option 3: From Source</a></h3>
<pre><code class="language-bash"># Clone repository
git clone https://github.com/Tongsuo-Project/RustyVault.git
cd RustyVault
# Build and run
cargo build --release
./target/release/rustyvault server -config=config.hcl
</code></pre>
<hr />
<h2 id="configuration"><a class="header" href="#configuration">Configuration</a></h2>
<h3 id="rustyvault-server-configuration"><a class="header" href="#rustyvault-server-configuration">RustyVault Server Configuration</a></h3>
<p>Create <code>rustyvault-config.hcl</code>:</p>
<pre><code class="language-hcl"># RustyVault Server Configuration (development example)
storage "file" {
path = "/vault/data"
}
listener "tcp" {
# 0.0.0.0 is needed inside a container for port publishing; restrict exposure at
# the host (publish on 127.0.0.1, firewall) or bind a private address on bare metal.
address = "0.0.0.0:8200"
# Development only. With TLS off, every token and every plaintext sent to Transit
# crosses the wire unencrypted; enable TLS on this listener before any non-local use.
tls_disable = true
}
api_addr = "http://127.0.0.1:8200"
cluster_addr = "https://127.0.0.1:8201"
# Lease TTLs. (The Transit engine is not enabled here; see "Enable Transit Engine" below.)
default_lease_ttl = "168h"
max_lease_ttl = "720h"
</code></pre>
<h3 id="initialize-rustyvault"><a class="header" href="#initialize-rustyvault">Initialize RustyVault</a></h3>
<pre><code class="language-bash"># Initialize (first time only). The unseal key shares and the root token are
# printed exactly once: hand each share to a different key holder and store them
# out of band. Never commit them, put them in CI variables, or leave them in history.
export VAULT_ADDR='http://127.0.0.1:8200'
rustyvault operator init
# Unseal (after every restart). Each command is run by a different share holder.
# Shares passed as arguments land in shell history; use the interactive prompt if
# the CLI offers one (Vault's does when the argument is omitted), or clear history.
rustyvault operator unseal &lt;unseal_key_1&gt;
rustyvault operator unseal &lt;unseal_key_2&gt;
rustyvault operator unseal &lt;unseal_key_3&gt;
# Use the root token only for this bootstrap (enabling Transit, writing the policy).
# Once the restricted kms-service token exists (see "Token Policies"), revoke the
# root token rather than keeping it around; it bypasses every policy.
export RUSTYVAULT_TOKEN='&lt;root_token&gt;'
</code></pre>
<h3 id="enable-transit-engine"><a class="header" href="#enable-transit-engine">Enable Transit Engine</a></h3>
<pre><code class="language-bash"># Enable transit secrets engine
rustyvault secrets enable transit
# Create encryption key
rustyvault write -f transit/keys/provisioning-main
# Verify key creation
rustyvault read transit/keys/provisioning-main
</code></pre>
<hr />
<h2 id="kms-service-configuration"><a class="header" href="#kms-service-configuration">KMS Service Configuration</a></h2>
<h3 id="update-provisioningconfigkmstoml"><a class="header" href="#update-provisioningconfigkmstoml">Update <code>provisioning/config/kms.toml</code></a></h3>
<pre><code class="language-toml">[kms]
type = "rustyvault"
# tls_verify only has an effect on https:// URLs. With the plain-http development
# server the token is sent in cleartext; use https:// anywhere but localhost.
server_url = "http://localhost:8200"
token = "${RUSTYVAULT_TOKEN}"
mount_point = "transit"
key_name = "provisioning-main"
tls_verify = true
[service]
# The REST examples on this page call /encrypt and /decrypt with no credential.
# Bind to loopback (or a private interface behind authentication); on 0.0.0.0 the
# service becomes a network-reachable decryption oracle for anyone holding ciphertext.
bind_addr = "127.0.0.1:8081"
log_level = "info"
audit_logging = true
[tls]
enabled = false # Set true with HTTPS (the KMS service's own listener)
</code></pre>
<h3 id="environment-variables"><a class="header" href="#environment-variables">Environment Variables</a></h3>
<pre><code class="language-bash"># RustyVault connection, as read by the KMS service. (The rustyvault CLI examples
# on this page use VAULT_ADDR; the two variables are not interchangeable.)
export RUSTYVAULT_ADDR="http://localhost:8200"
# Inject the token from a secret store at start-up; do not put it in a committed
# file, a shell rc, or a container image.
export RUSTYVAULT_TOKEN="s.xxxxxxxxxxxxxxxxxxxxxx"
export RUSTYVAULT_MOUNT_POINT="transit"
export RUSTYVAULT_KEY_NAME="provisioning-main"
export RUSTYVAULT_TLS_VERIFY="true"
# KMS service. Loopback unless the service is placed behind authentication.
export KMS_BACKEND="rustyvault"
export KMS_BIND_ADDR="127.0.0.1:8081"
</code></pre>
<hr />
<h2 id="usage"><a class="header" href="#usage">Usage</a></h2>
<h3 id="start-kms-service"><a class="header" href="#start-kms-service">Start KMS Service</a></h3>
<pre><code class="language-bash"># With RustyVault backend
cd provisioning/platform/kms-service
cargo run
# With custom config
cargo run -- --config=/path/to/kms.toml
</code></pre>
<h3 id="cli-operations"><a class="header" href="#cli-operations">CLI Operations</a></h3>
<pre><code class="language-bash"># Encrypt configuration file
provisioning kms encrypt provisioning/config/secrets.yaml
# Decrypt configuration
provisioning kms decrypt provisioning/config/secrets.yaml.enc
# Generate data key (envelope encryption)
provisioning kms generate-key --spec AES256
# Health check
provisioning kms health
</code></pre>
<h3 id="rest-api-usage"><a class="header" href="#rest-api-usage">REST API Usage</a></h3>
<pre><code class="language-bash"># NOTE: none of these requests carries a credential, so anyone who can reach the
# KMS port can encrypt and, more importantly, decrypt. Keep the bind address on
# loopback or put the service behind authentication (mTLS or an authenticating
# gateway) before exposing it beyond the host.
# Health check
curl http://localhost:8081/health
# Encrypt data (plaintext is base64-encoded)
curl -X POST http://localhost:8081/encrypt \
-H "Content-Type: application/json" \
-d '{
"plaintext": "SGVsbG8sIFdvcmxkIQ==",
"context": "environment=production"
}'
# Decrypt data (the same context string must be supplied; see "Context-based Encryption")
curl -X POST http://localhost:8081/decrypt \
-H "Content-Type: application/json" \
-d '{
"ciphertext": "vault:v1:...",
"context": "environment=production"
}'
# Generate data key
curl -X POST http://localhost:8081/datakey/generate \
-H "Content-Type: application/json" \
-d '{"key_spec": "AES_256"}'
</code></pre>
<hr />
<h2 id="advanced-features"><a class="header" href="#advanced-features">Advanced Features</a></h2>
<h3 id="context-based-encryption-aad"><a class="header" href="#context-based-encryption-aad">Context-based Encryption (AAD)</a></h3>
<p>Additional authenticated data (AAD) binds a ciphertext to a context string: decryption succeeds only when the same context is presented, so a ciphertext produced for <code>environment=prod,service=api</code> cannot be replayed against a staging or a different service's decrypt call. The context is authenticated, not encrypted, so it must not carry anything confidential, and changing a value's context later requires re-encrypting it.</p>
<pre><code class="language-bash"># Encrypt with context
curl -X POST http://localhost:8081/encrypt \
-d '{
"plaintext": "c2VjcmV0",
"context": "environment=prod,service=api"
}'
# Decrypt requires same context
curl -X POST http://localhost:8081/decrypt \
-d '{
"ciphertext": "vault:v1:...",
"context": "environment=prod,service=api"
}'
</code></pre>
<h3 id="envelope-encryption"><a class="header" href="#envelope-encryption">Envelope Encryption</a></h3>
<p>For large files, use envelope encryption:</p>
<pre><code class="language-bash"># 1. Generate a data key. One response carries both halves: the key in the clear
#    (base64, "plaintext") and the same key wrapped under the Transit key. Keep the
#    response so both come from one call.
RESP=$(curl -sS -X POST http://localhost:8081/datakey/generate \
-d '{"key_spec": "AES_256"}')
# 2. Encrypt the large file locally. openssl enc takes the key as hex (-K), and with
#    -K an explicit IV (-iv) is mandatory: use a fresh random IV per file and store it
#    next to the ciphertext (it is not secret). CBC gives no integrity protection, so
#    also keep an HMAC/hash of encrypted.bin, or prefer a tool with an authenticated
#    mode (AES-GCM) for new designs.
DATA_KEY_HEX=$(printf '%s' "$RESP" | jq -r '.plaintext' | base64 -d | xxd -p -c 64)
IV_HEX=$(openssl rand -hex 16)
openssl enc -aes-256-cbc -in large-file.bin -out encrypted.bin -K "$DATA_KEY_HEX" -iv "$IV_HEX"
echo "$IV_HEX" &gt; encrypted.iv
# 3. Store only the wrapped data key (the "vault:v1:..." value; confirm the field name
#    against your service's response). The plaintext key must never be written to disk;
#    note that -K on the command line is visible to other users via ps on shared hosts.
printf '%s' "$RESP" | jq -r '.ciphertext' &gt; encrypted-data-key.txt
unset RESP DATA_KEY_HEX
</code></pre>
<h3 id="key-rotation"><a class="header" href="#key-rotation">Key Rotation</a></h3>
<pre><code class="language-bash"># Rotate encryption key in RustyVault. Run this with an operator token: the
# kms-service policy below deliberately grants nothing under transit/keys/*.
rustyvault write -f transit/keys/provisioning-main/rotate
# Verify new version. New encrypts use the latest version; existing "vault:v1:..."
# ciphertext stays decryptable until the old version is retired (Vault's
# min_decryption_version), so rotation alone does not re-protect old data.
rustyvault read transit/keys/provisioning-main
# Rewrap existing ciphertext with new key version. For envelope-encrypted files only
# the wrapped data key needs rewrapping, not the file. The service token needs
# "update" on transit/rewrap/provisioning-main for this call (see "Token Policies").
curl -X POST http://localhost:8081/rewrap \
-d '{"ciphertext": "vault:v1:..."}'
</code></pre>
<hr />
<h2 id="production-deployment"><a class="header" href="#production-deployment">Production Deployment</a></h2>
<h3 id="high-availability-setup"><a class="header" href="#high-availability-setup">High Availability Setup</a></h3>
<p>Deploy multiple RustyVault instances behind a load balancer. <strong>Caveat</strong>: as written below, with the <code>storage "file"</code> backend from the server configuration above and one data volume per container, the two containers are independent servers (each with its own unseal keys, root token and Transit key), not a cluster. Ciphertext produced through one will not decrypt through the other, and a round-robin balancer will send requests to both. Real high availability needs a shared storage backend that RustyVault supports in HA mode (check its current documentation), with the balancer routing to the active node. Also terminate TLS at the balancer: the nginx below listens on plain port 80, which would carry tokens and plaintext in the clear.</p>
<pre><code class="language-yaml"># docker-compose.yml
version: '3.8'
services:
rustyvault-1:
image: tongsuo/rustyvault:latest
ports:
- "8200:8200"
volumes:
- ./config:/vault/config
- vault-data-1:/vault/data
rustyvault-2:
image: tongsuo/rustyvault:latest
ports:
- "8201:8200"
volumes:
- ./config:/vault/config
- vault-data-2:/vault/data
lb:
image: nginx:alpine
ports:
- "80:80"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
depends_on:
- rustyvault-1
- rustyvault-2
volumes:
vault-data-1:
vault-data-2:
</code></pre>
<h3 id="tls-configuration"><a class="header" href="#tls-configuration">TLS Configuration</a></h3>
<pre><code class="language-toml"># kms.toml
[kms]
type = "rustyvault"
server_url = "https://vault.example.com:8200"
token = "${RUSTYVAULT_TOKEN}"
tls_verify = true
[tls]
enabled = true
cert_path = "/etc/kms/certs/server.crt"
key_path = "/etc/kms/certs/server.key"
ca_path = "/etc/kms/certs/ca.crt"
</code></pre>
<h3 id="auto-unseal-aws-kms"><a class="header" href="#auto-unseal-aws-kms">Auto-Unseal (AWS KMS)</a></h3>
<pre><code class="language-hcl"># rustyvault-config.hcl
# Auto-unseal keeps the master key wrapped by AWS KMS instead of Shamir shares. Give the
# server's IAM role only kms:Encrypt, kms:Decrypt and kms:DescribeKey on this one key
# (the set Vault's awskms seal documents), and protect the key from deletion: losing
# access to it makes every secret in storage unrecoverable.
seal "awskms" {
region = "us-east-1"
kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/..."
}
</code></pre>
<hr />
<h2 id="monitoring"><a class="header" href="#monitoring">Monitoring</a></h2>
<h3 id="health-checks"><a class="header" href="#health-checks">Health Checks</a></h3>
<pre><code class="language-bash"># RustyVault health
curl http://localhost:8200/v1/sys/health
# KMS service health
curl http://localhost:8081/health
# Metrics (if enabled). Restrict /metrics to the monitoring network: operation
# counts and latencies of a key service are useful reconnaissance for an attacker.
curl http://localhost:8081/metrics
</code></pre>
<h3 id="audit-logging"><a class="header" href="#audit-logging">Audit Logging</a></h3>
<p>Enable audit logging in RustyVault:</p>
<pre><code class="language-hcl"># rustyvault-config.hcl
# The audit log records every request (caller, path, key used). Make the file
# readable only by the server's user, rotate it, and ship it to a central log
# store so a compromised host cannot quietly erase its own trail.
audit {
path = "/vault/logs/audit.log"
format = "json"
}
</code></pre>
<hr />
<h2 id="troubleshooting"><a class="header" href="#troubleshooting">Troubleshooting</a></h2>
<h3 id="common-issues"><a class="header" href="#common-issues">Common Issues</a></h3>
<p><strong>1. Connection Refused</strong></p>
<pre><code class="language-bash"># Check RustyVault is running
curl http://localhost:8200/v1/sys/health
# Check token is valid
export VAULT_ADDR='http://localhost:8200'
rustyvault token lookup
</code></pre>
<p><strong>2. Authentication Failed</strong></p>
<pre><code class="language-bash"># Verify a token is set without printing it: terminal scrollback, session
# recordings and CI logs all retain whatever `echo $RUSTYVAULT_TOKEN` would show.
[ -n "$RUSTYVAULT_TOKEN" ] &amp;&amp; echo "RUSTYVAULT_TOKEN is set" || echo "RUSTYVAULT_TOKEN is empty"
# Confirm it is still valid and see its TTL and policies
rustyvault token lookup
# Renew token if needed
rustyvault token renew
</code></pre>
<p><strong>3. Key Not Found</strong></p>
<pre><code class="language-bash"># List available keys
rustyvault list transit/keys
# Create missing key
rustyvault write -f transit/keys/provisioning-main
</code></pre>
<p><strong>4. TLS Verification Failed</strong></p>
<pre><code class="language-bash"># Disable TLS verification - local development ONLY. Without verification anyone
# on the network path can impersonate the server and read the token and every
# plaintext the KMS service sends; never set this where real secrets flow.
export RUSTYVAULT_TLS_VERIFY=false
# The real fix: trust the CA that issued the server certificate instead
export RUSTYVAULT_CACERT=/path/to/ca.crt
</code></pre>
<hr />
<h2 id="migration-from-other-backends"><a class="header" href="#migration-from-other-backends">Migration from Other Backends</a></h2>
<h3 id="from-hashicorp-vault"><a class="header" href="#from-hashicorp-vault">From HashiCorp Vault</a></h3>
<p>RustyVault is API-compatible, so the KMS configuration changes little. Note that the Transit key itself does not move: a fresh RustyVault server holds a newly created <code>provisioning-main</code> key, so ciphertext produced by Vault is not readable through RustyVault unless the key material is migrated. Plan to re-encrypt (as in the Age section below) or run both backends during a transition.</p>
<pre><code class="language-bash"># Old config (Vault)
[kms]
type = "vault"
address = "https://vault.example.com:8200"
token = "${VAULT_TOKEN}"
# New config (RustyVault). Keep https:// - a backend migration is not a reason to
# downgrade transport security, and the token would otherwise travel in cleartext.
[kms]
type = "rustyvault"
server_url = "https://rustyvault.example.com:8200"
token = "${RUSTYVAULT_TOKEN}"
tls_verify = true
</code></pre>
<h3 id="from-age"><a class="header" href="#from-age">From Age</a></h3>
<p>Re-encrypt existing encrypted files:</p>
<pre><code class="language-bash"># Re-encryption passes through a plaintext file. Do it on a trusted host, in a
# directory only you can read, and remove the plaintext as soon as step 2 succeeds.
umask 077
# 1. Decrypt with Age
provisioning kms decrypt --backend age secrets.enc &gt; secrets.plain
# 2. Encrypt with RustyVault
provisioning kms encrypt --backend rustyvault secrets.plain &gt; secrets.rustyvault.enc
# 3. Remove the plaintext (shred on GNU systems, rm -P on BSD/macOS). Overwriting is
#    best-effort on SSDs and copy-on-write filesystems, so prefer an encrypted
#    temporary volume when the secrets matter.
shred -u secrets.plain
</code></pre>
<hr />
<h2 id="security-considerations"><a class="header" href="#security-considerations">Security Considerations</a></h2>
<h3 id="best-practices"><a class="header" href="#best-practices">Best Practices</a></h3>
<ol>
<li><strong>Enable TLS</strong>: Always use HTTPS in production, on the RustyVault listener and on the KMS service's own endpoint; any cleartext hop exposes the token and the plaintext being protected</li>
<li><strong>Rotate Tokens</strong>: Issue the KMS service a short-TTL, renewable token rather than a long-lived one, and rotate it on a schedule and on any suspected exposure</li>
<li><strong>Least Privilege</strong>: Use policies to restrict token permissions; the service token should only use the key (encrypt/decrypt/datakey/rewrap), never manage it (create/rotate/delete)</li>
<li><strong>Audit Logging</strong>: Enable and monitor audit logs, and protect the log file itself</li>
<li><strong>Backup Keys</strong>: Distribute unseal key shares to separate holders and back them up out of band; do not keep the root token on hand - revoke it after bootstrap and generate one only when an operation requires it</li>
<li><strong>Network Isolation</strong>: Run RustyVault in an isolated network segment, and do not expose the KMS service's unauthenticated REST port beyond it</li>
</ol>
<h3 id="token-policies"><a class="header" href="#token-policies">Token Policies</a></h3>
<p>Create restricted policy for KMS service:</p>
<pre><code class="language-hcl"># kms-policy.hcl - the KMS service only needs to use the key, never manage it:
# no "transit/keys/*" (create/read/rotate) paths here; keep those on an operator token.
path "transit/encrypt/provisioning-main" {
capabilities = ["update"]
}
path "transit/decrypt/provisioning-main" {
capabilities = ["update"]
}
path "transit/datakey/plaintext/provisioning-main" {
capabilities = ["update"]
}
# Needed for the /rewrap call in "Key Rotation"; omit if the service never rewraps.
path "transit/rewrap/provisioning-main" {
capabilities = ["update"]
}
</code></pre>
<p>Apply policy:</p>
<pre><code class="language-bash">rustyvault policy write kms-service kms-policy.hcl
# Bound the token's lifetime (the flag shown follows Vault's CLI; confirm with
# `rustyvault token create -help`). Renew it from the service, and revoke the root
# token once this one is in place.
rustyvault token create -policy=kms-service -ttl=24h
</code></pre>
<hr />
<h2 id="performance"><a class="header" href="#performance">Performance</a></h2>
<h3 id="benchmarks-estimated"><a class="header" href="#benchmarks-estimated">Benchmarks (Estimated)</a></h3>
<div class="table-wrapper"><table><thead><tr><th>Operation</th><th>Latency</th><th>Throughput</th></tr></thead><tbody>
<tr><td>Encrypt</td><td>5-15ms</td><td>2,000-5,000 ops/sec</td></tr>
<tr><td>Decrypt</td><td>5-15ms</td><td>2,000-5,000 ops/sec</td></tr>
<tr><td>Generate Key</td><td>10-20ms</td><td>1,000-2,000 ops/sec</td></tr>
</tbody></table>
</div>
<p><em>Actual performance depends on hardware, network, and RustyVault configuration</em></p>
<h3 id="optimization-tips"><a class="header" href="#optimization-tips">Optimization Tips</a></h3>
<ol>
<li><strong>Connection Pooling</strong>: Reuse HTTP connections</li>
<li><strong>Batching</strong>: Batch multiple operations when possible</li>
<li><strong>Caching</strong>: Cache data keys for envelope encryption</li>
<li><strong>Local Unseal</strong>: Use auto-unseal for faster restarts</li>
</ol>
<hr />
<h2 id="related-documentation"><a class="header" href="#related-documentation">Related Documentation</a></h2>
<ul>
<li><strong>KMS Service</strong>: <code>docs/user/CONFIG_ENCRYPTION_GUIDE.md</code></li>
<li><strong>Dynamic Secrets</strong>: <code>docs/user/DYNAMIC_SECRETS_QUICK_REFERENCE.md</code></li>
<li><strong>Security System</strong>: <code>docs/architecture/ADR-009-security-system-complete.md</code></li>
<li><strong>RustyVault GitHub</strong>: https://github.com/Tongsuo-Project/RustyVault</li>
</ul>
<hr />
<h2 id="support"><a class="header" href="#support">Support</a></h2>
<ul>
<li><strong>GitHub Issues</strong>: https://github.com/Tongsuo-Project/RustyVault/issues</li>
<li><strong>Documentation</strong>: https://github.com/Tongsuo-Project/RustyVault/tree/main/docs</li>
<li><strong>Community</strong>: https://users.rust-lang.org/t/rustyvault-a-hashicorp-vault-replacement-in-rust/103943</li>
</ul>
<hr />
<p><strong>Last Updated</strong>: 2025-10-08
<strong>Maintained By</strong>: Architecture Team</p>
</main>
<nav class="nav-wrapper" aria-label="Page navigation">
<!-- Mobile navigation buttons -->
<a rel="prev" href="../user/SSH_TEMPORAL_KEYS_USER_GUIDE.html" class="mobile-nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../user/extension-development.html" class="mobile-nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
<div style="clear: both"></div>
</nav>
</div>
</div>
<nav class="nav-wide-wrapper" aria-label="Page navigation">
<a rel="prev" href="../user/SSH_TEMPORAL_KEYS_USER_GUIDE.html" class="nav-chapters previous" title="Previous chapter" aria-label="Previous chapter" aria-keyshortcuts="Left">
<i class="fa fa-angle-left"></i>
</a>
<a rel="next prefetch" href="../user/extension-development.html" class="nav-chapters next" title="Next chapter" aria-label="Next chapter" aria-keyshortcuts="Right">
<i class="fa fa-angle-right"></i>
</a>
</nav>
</div>
<!-- Livereload script (if served using the cli tool) -->
<script>
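// Livereload hook that the mdBook CLI injects when serving (see the comment above).
// Its presence in a committed build suggests the HTML was generated by `mdbook serve`
// rather than `mdbook build`; harmless, but it tries a WebSocket to
// <host>/__livereload on every page view.
const wsProtocol = location.protocol === 'https:' ? 'wss:' : 'ws:';
const wsAddress = wsProtocol + "//" + location.host + "/" + "__livereload";
let socket = null;
try {
  socket = new WebSocket(wsAddress);
} catch (e) {
  // The constructor throws synchronously when the URL is invalid or a connect-src CSP
  // forbids it; without this guard the exception would surface as a page error.
}
if (socket !== null) {
  socket.onmessage = function (event) {
    if (event.data === "reload") {
      socket.close();
      location.reload();
    }
  };
  // addEventListener instead of assigning window.onbeforeunload, which would
  // silently replace any handler another script has registered.
  window.addEventListener('beforeunload', function () {
    socket.close();
  });
}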
</script>
<script>
// Flag read by the book scripts loaded below (presumably enabling copy-to-clipboard buttons on code blocks; clipboard.min.js is loaded for that).
window.playground_copyable = true;
</script>
<script src="../elasticlunr.min.js"></script>
<script src="../mark.min.js"></script>
<script src="../searcher.js"></script>
<script src="../clipboard.min.js"></script>
<script src="../highlight.js"></script>
<script src="../book.js"></script>
<!-- Custom JS scripts -->
</div>
</body>
</html>