jesus/secretumvault
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
secretumvault/CHANGELOG.md
Jesús Pérez 91eefc86fa
Some checks failed
Rust CI / Security Audit (push) Has been cancelled
Details
Rust CI / Check + Test + Lint (nightly) (push) Has been cancelled
Details
Rust CI / Check + Test + Lint (stable) (push) Has been cancelled
Details
chore: upgrade README and add CHANGELOG with production PQC status 
- Add badges, competitive comparison, and 30-sec demo to README
  - Add Production Status section showing OQS backend is production-ready
  - Mark PQC KEM/signing operations complete in roadmap
  - Fix GitHub URL
  - Create CHANGELOG.md documenting all recent changes

  Positions SecretumVault as first Rust vault with production PQC.
2026-01-21 10:45:44 +00:00

242 lines
8.0 KiB
Markdown
Raw Blame History

# Changelog
All notable changes to SecretumVault will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
## [Unreleased]
### Added
#### Post-Quantum Cryptography (Production-Ready)
- **OQS Backend Implementation** - Complete production-ready PQC via Open Quantum Safe
- ML-KEM-768 (NIST FIPS 203) key encapsulation mechanism fully implemented
- ML-DSA-65 (NIST FIPS 204) digital signatures fully implemented
- Native OQS type caching for performance optimization
- NIST compliance verified (1088-byte ciphertext, 32-byte shared secret)
- Feature flag: `oqs` and `pqc` for post-quantum support
- Hybrid mode (classical + PQC) in development
#### CLI Implementation
- Command-line interface for vault operations
- `server` subcommand - Start vault server with config
- `init` subcommand - Initialize vault with Shamir shares
- `unseal` subcommand - Unseal vault with key shares
- `status` subcommand - Check vault status
- Config file support via `--config` flag
- Feature flag: `cli` for command-line tools
#### Examples and Demos
- Added `examples/` directory with runnable demos
- `demo.sh` - Bash demo script for quick start
- `demo-simple.nu` - Nushell simple demo
- `demo-server.nu` - Nushell server interaction demo
- `README.md` with usage instructions
#### Configuration
- Enhanced configuration system in `src/config/`
- `crypto.rs` - Cryptographic backend configuration
- Modular config structure (vault, server, storage, seal, engines)
- Config validation and error handling
- Support for `svault.toml` configuration file in `config/` directory
- Production config example in `config/svault.toml.example`
#### Documentation
- **Production Status Documentation** - Clear PQC production-ready status
- Updated `README.md` with production-ready PQC badges
- "Why SecretumVault?" section with competitive comparison
- "30-Second Demo" for quick start
- "Production Status" with backend comparison table
- "Quick Navigation" for different user personas (Security Teams, Platform Engineers, Compliance Officers)
- Updated GitHub URL to correct repository (jesuspc/secretumvault)
- **Architecture Decision Records (ADRs)**
- `docs/architecture/adr/001-post-quantum-cryptography-oqs-implementation.md`
- ADR index in `docs/architecture/adr/README.md`
- **User Guides**
- Expanded `docs/user-guide/howto.md` with detailed how-to guides
- CLI usage documentation
- Unseal procedures and best practices
- **Development Guides**
- Updated `docs/development/pqc-support.md` with OQS implementation details
- Updated `docs/development/build-features.md` with feature flag documentation
- **Architecture Documentation**
- Enhanced `docs/architecture/README.md` with PQC architecture
- Updated `docs/README.md` with navigation improvements
#### Secrets Engines
- **Transit Engine Enhancements**
- Expanded encryption/decryption operations
- Key rotation support
- Multiple algorithm support
- PQC integration with OQS backend
- **PKI Engine Enhancements**
- Certificate generation improvements
- X.509 certificate handling
- Root CA and intermediate CA support
#### API Improvements
- Enhanced API handlers in `src/api/handlers.rs`
- Better error handling and responses
- Request validation improvements
- Support for new PQC operations
- Server improvements in `src/api/server.rs`
- Better routing and middleware integration
- Health check endpoints
- Metrics integration
#### Core Cryptography
- **CryptoBackend Trait Extensions** in `src/crypto/backend.rs`
- Added PQC operations to trait
- Backend registry improvements
- Type-safe backend selection
- **AWS-LC Backend Updates** in `src/crypto/aws_lc.rs`
- Experimental PQC support
- Code cleanup and improvements
- **RustCrypto Backend Refactoring** in `src/crypto/rustcrypto_backend.rs`
- Simplified implementation
- Better error handling
- Testing support
#### Build and Dependencies
- Updated `Cargo.toml` with new dependencies
- `oqs = "0.10"` for production PQC
- CLI dependencies (clap, etc.)
- Enhanced feature flags
- Updated `Cargo.lock` with dependency resolution
### Changed
- **README.md** - Major improvements
- Added professional badges (Rust version, License, Classical Crypto, PQC status, CI)
- Restructured with "Why SecretumVault?" positioning
- Added competitive comparison tables (vs HashiCorp Vault, vs AWS Secrets Manager)
- Added 30-second demo for quick evaluation
- Production Status section with clear backend comparison
- Quick Navigation for different user personas
- Updated feature descriptions with production status
- Corrected GitHub repository URL
- Updated roadmap with completed PQC tasks marked ✅
- Enhanced feature flags documentation
- **Configuration** - Better organization
- Moved config files to `config/` directory
- Improved config structure and validation
- Better error messages
- **Main Entry Point** - CLI integration
- `src/main.rs` now supports subcommands
- Better argument parsing
- Config file loading
- Improved error handling
- **Build System** - Feature organization
- `.cargo/config.toml` cleanup
- Better feature flag organization
- **Documentation** - Comprehensive updates
- All docs reflect production-ready PQC status
- Improved navigation and structure
- Added missing sections
### Fixed
- Clippy warnings and linting issues
- Markdown formatting issues in documentation
- Pre-commit hooks configuration
- CI/CD configuration improvements
### Security
- Production-ready post-quantum cryptography (ML-KEM-768, ML-DSA-65)
- Cryptographic agility through pluggable backends
- NIST PQC standard compliance
- Secure configuration defaults
## [0.1.0] - 2024-12-21
### Added
- Initial project structure and repository setup
- Core vault architecture with pluggable backends
- Secrets engines: KV, Transit, PKI, Database
- Storage backends: etcd, SurrealDB, PostgreSQL, Filesystem
- Cryptographic backends: OpenSSL, AWS-LC (experimental), RustCrypto (testing)
- Cedar policy-based authorization (ABAC)
- Shamir Secret Sharing for unsealing
- Token-based authentication
- TLS/mTLS support
- Prometheus metrics integration
- Structured logging
- Docker and Docker Compose deployment
- Kubernetes manifests and Helm charts
- Comprehensive documentation structure
- Pre-commit hooks and CI/CD setup
- Branding and logos
### Security
- Encryption at rest for all secrets
- Least privilege via Cedar policies
- Audit logging for compliance
- Secure defaults (non-root, read-only filesystem)
---
## Release Notes
### Unreleased - Post-Quantum Cryptography Production Release
This release marks SecretumVault as the **first Rust secrets vault with production-ready post-quantum cryptography**. Key highlights:
**🔐 Production-Ready PQC:**
- ML-KEM-768 and ML-DSA-65 fully implemented via OQS backend
- NIST FIPS 203/204 compliance verified
- One-line config change to enable PQC: `crypto_backend = "oqs"`
- No code changes needed - cryptographic agility through pluggable backends
**🚀 Enhanced Developer Experience:**
- CLI for easy vault operations (init, unseal, status, server)
- Runnable examples in `examples/` directory
- Comprehensive how-to guides and documentation
- 30-second demo for quick evaluation
**📚 Improved Documentation:**
- Clear production status with backend comparison
- Competitive positioning vs HashiCorp Vault and AWS Secrets Manager
- Quick navigation for different user personas
- Architecture Decision Records (ADRs) for design decisions
**🔧 Better Configuration:**
- Modular config structure
- Validation and error handling
- Production config examples
This release positions SecretumVault as the premier choice for organizations deploying post-quantum cryptography today, with production-ready NIST PQC standards, multi-cloud portability, and Rust's memory safety guarantees.
---
**Unique Differentiator:** Only Rust secrets vault with production-ready post-quantum cryptography (ML-KEM-768, ML-DSA-65) available today.
Reference in New Issue View Git Blame Copy Permalink