secretumvault/CHANGELOG.md
Jesús Pérez 91eefc86fa
chore: upgrade README and add CHANGELOG with production PQC status
- Add badges, competitive comparison, and 30-sec demo to README
  - Add Production Status section showing OQS backend is production-ready
  - Mark PQC KEM/signing operations complete in roadmap
  - Fix GitHub URL
  - Create CHANGELOG.md documenting all recent changes

  Positions SecretumVault as first Rust vault with production PQC.
2026-01-21 10:45:44 +00:00

Changelog

All notable changes to SecretumVault will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Added

Post-Quantum Cryptography (Production-Ready)

  • OQS Backend Implementation - Complete production-ready PQC via Open Quantum Safe
    • ML-KEM-768 (NIST FIPS 203) key encapsulation mechanism fully implemented
    • ML-DSA-65 (NIST FIPS 204) digital signatures fully implemented
    • Native OQS type caching for performance optimization
    • NIST compliance verified (1088-byte ciphertext, 32-byte shared secret)
    • Feature flags: oqs and pqc for post-quantum support
    • Hybrid mode (classical + PQC) in development

CLI Implementation

  • Command-line interface for vault operations
    • server subcommand - Start vault server with config
    • init subcommand - Initialize vault with Shamir shares
    • unseal subcommand - Unseal vault with key shares
    • status subcommand - Check vault status
    • Config file support via --config flag
    • Feature flag: cli for command-line tools

Examples and Demos

  • Added examples/ directory with runnable demos
    • demo.sh - Bash demo script for quick start
    • demo-simple.nu - Nushell simple demo
    • demo-server.nu - Nushell server interaction demo
    • README.md with usage instructions

Configuration

  • Enhanced configuration system in src/config/
    • crypto.rs - Cryptographic backend configuration
    • Modular config structure (vault, server, storage, seal, engines)
    • Config validation and error handling
    • Support for svault.toml configuration file in config/ directory
    • Production config example in config/svault.toml.example

Documentation

  • Production Status Documentation - Clear PQC production-ready status

    • Updated README.md with production-ready PQC badges
    • "Why SecretumVault?" section with competitive comparison
    • "30-Second Demo" for quick start
    • "Production Status" with backend comparison table
    • "Quick Navigation" for different user personas (Security Teams, Platform Engineers, Compliance Officers)
    • Updated GitHub URL to correct repository (jesuspc/secretumvault)
  • Architecture Decision Records (ADRs)

    • docs/architecture/adr/001-post-quantum-cryptography-oqs-implementation.md
    • ADR index in docs/architecture/adr/README.md
  • User Guides

    • Expanded docs/user-guide/howto.md with detailed how-to guides
    • CLI usage documentation
    • Unseal procedures and best practices
  • Development Guides

    • Updated docs/development/pqc-support.md with OQS implementation details
    • Updated docs/development/build-features.md with feature flag documentation
  • Architecture Documentation

    • Enhanced docs/architecture/README.md with PQC architecture
    • Updated docs/README.md with navigation improvements

Secrets Engines

  • Transit Engine Enhancements

    • Expanded encryption/decryption operations
    • Key rotation support
    • Multiple algorithm support
    • PQC integration with OQS backend
  • PKI Engine Enhancements

    • Certificate generation improvements
    • X.509 certificate handling
    • Root CA and intermediate CA support

API Improvements

  • Enhanced API handlers in src/api/handlers.rs

    • Better error handling and responses
    • Request validation improvements
    • Support for new PQC operations
  • Server improvements in src/api/server.rs

    • Better routing and middleware integration
    • Health check endpoints
    • Metrics integration

Core Cryptography

  • CryptoBackend Trait Extensions in src/crypto/backend.rs

    • Added PQC operations to trait
    • Backend registry improvements
    • Type-safe backend selection
  • AWS-LC Backend Updates in src/crypto/aws_lc.rs

    • Experimental PQC support
    • Code cleanup and improvements
  • RustCrypto Backend Refactoring in src/crypto/rustcrypto_backend.rs

    • Simplified implementation
    • Better error handling
    • Testing support

Build and Dependencies

  • Updated Cargo.toml with new dependencies

    • oqs = "0.10" for production PQC
    • CLI dependencies (clap, etc.)
    • Enhanced feature flags
  • Updated Cargo.lock with dependency resolution

Changed

  • README.md - Major improvements

    • Added professional badges (Rust version, License, Classical Crypto, PQC status, CI)
    • Restructured with "Why SecretumVault?" positioning
    • Added competitive comparison tables (vs HashiCorp Vault, vs AWS Secrets Manager)
    • Added 30-second demo for quick evaluation
    • Production Status section with clear backend comparison
    • Quick Navigation for different user personas
    • Updated feature descriptions with production status
    • Corrected GitHub repository URL
    • Updated roadmap with completed PQC tasks marked
    • Enhanced feature flags documentation
  • Configuration - Better organization

    • Moved config files to config/ directory
    • Improved config structure and validation
    • Better error messages
  • Main Entry Point - CLI integration

    • src/main.rs now supports subcommands
    • Better argument parsing
    • Config file loading
    • Improved error handling
  • Build System - Feature organization

    • .cargo/config.toml cleanup
    • Better feature flag organization
  • Documentation - Comprehensive updates

    • All docs reflect production-ready PQC status
    • Improved navigation and structure
    • Added missing sections

Fixed

  • Clippy warnings and linting issues
  • Markdown formatting issues in documentation
  • Pre-commit hooks configuration
  • CI/CD configuration improvements

Security

  • Production-ready post-quantum cryptography (ML-KEM-768, ML-DSA-65)
  • Cryptographic agility through pluggable backends
  • NIST PQC standard compliance
  • Secure configuration defaults

[0.1.0] - 2024-12-21

Added

  • Initial project structure and repository setup
  • Core vault architecture with pluggable backends
  • Secrets engines: KV, Transit, PKI, Database
  • Storage backends: etcd, SurrealDB, PostgreSQL, Filesystem
  • Cryptographic backends: OpenSSL, AWS-LC (experimental), RustCrypto (testing)
  • Cedar policy-based authorization (ABAC)
  • Shamir Secret Sharing for unsealing
  • Token-based authentication
  • TLS/mTLS support
  • Prometheus metrics integration
  • Structured logging
  • Docker and Docker Compose deployment
  • Kubernetes manifests and Helm charts
  • Comprehensive documentation structure
  • Pre-commit hooks and CI/CD setup
  • Branding and logos

Security

  • Encryption at rest for all secrets
  • Least privilege via Cedar policies
  • Audit logging for compliance
  • Secure defaults (non-root, read-only filesystem)

Release Notes

Unreleased - Post-Quantum Cryptography Production Release

This release marks SecretumVault as the first Rust secrets vault with production-ready post-quantum cryptography. Key highlights:

🔐 Production-Ready PQC:

  • ML-KEM-768 and ML-DSA-65 fully implemented via OQS backend
  • NIST FIPS 203/204 compliance verified
  • One-line config change to enable PQC: crypto_backend = "oqs"
  • No code changes needed - cryptographic agility through pluggable backends

🚀 Enhanced Developer Experience:

  • CLI for easy vault operations (init, unseal, status, server)
  • Runnable examples in examples/ directory
  • Comprehensive how-to guides and documentation
  • 30-second demo for quick evaluation

📚 Improved Documentation:

  • Clear production status with backend comparison
  • Competitive positioning vs HashiCorp Vault and AWS Secrets Manager
  • Quick navigation for different user personas
  • Architecture Decision Records (ADRs) for design decisions

🔧 Better Configuration:

  • Modular config structure
  • Validation and error handling
  • Production config examples

This release positions SecretumVault as the premier choice for organizations deploying post-quantum cryptography today, with production-ready NIST PQC standards, multi-cloud portability, and Rust's memory safety guarantees.


Unique Differentiator: Only Rust secrets vault with production-ready post-quantum cryptography (ML-KEM-768, ML-DSA-65) available today.