Jesús Pérez 46fc83d000

chore: reorganization compliance: layout_conventions

2025-12-26 15:13:36 +00:00

36 KiB

Raw Blame History

SecretumVault - Complete Post-Quantum Secrets Management System

Version: 3.0
Date: 2025-12-21
Author: Jesús Pérez (Kit Digital / Rust Las Palmas)
Project Name: secretumvault or svault

Executive Summary

SecretumVault es un sistema completo de gestión de secretos con:

✅ Post-Quantum Crypto desde el diseño (no retrofitted)
✅ Secrets Management completo (KV, dynamic, transit)
✅ Cedar Policies (modern authorization, no ACL legacy)
✅ Multi-Backend Crypto (aws-lc-rs, RustCrypto, Tongsuo)
✅ Encryption as a Service (EaaS)
✅ Storage Flexible (SurrealDB, filesystem, etcd)
✅ API Compatible con HashiCorp Vault (migration path)
✅ Rust Native (memory safe, high performance)

NO es:

❌ NO tiene auth complejo (OIDC, LDAP) - solo lo esencial
❌ NO tiene ACL legacy - usa Cedar policies
❌ NO compite con Enterprise Vault features

Es ideal para:

✅ Kit Digital projects (PYMES españolas)
✅ Aplicaciones que necesitan PQC ahora
✅ Infraestructura moderna (Kubernetes, SurrealDB)
✅ Compliance NIS2 + post-quantum readiness

Core Concepts
Architecture
Secrets Engines
Authorization with Cedar
Crypto Backends
Storage Backends
API Design
Deployment Modes
Integration Examples
Implementation Roadmap

Core Concepts

What is SecretumVault?

SecretumVault = Secrets Manager + Encryption Service + Key Management
             + Cedar Policies + Post-Quantum Crypto

Key Features

Secrets Management
- Key/Value secrets (static)
- Dynamic secrets (database, cloud)
- Transit encryption (EaaS)
- SSH/TLS certificate generation
Post-Quantum Ready
- ML-KEM for key encapsulation
- ML-DSA for signatures
- Hybrid modes (classical + PQC)
- Future-proof key rotation
Modern Authorization
- Cedar policy language (AWS open-source)
- Attribute-based access control (ABAC)
- No legacy ACL complexity
- Policy-as-Code
High Performance
- Rust native (no GC pauses)
- Async/await throughout
- Optimized crypto backends
- Efficient storage

Architecture

┌─────────────────────────────────────────────────────────────────┐
│                      CLIENT LAYER                               │
├─────────────────────────────────────────────────────────────────┤
│  REST API  │  CLI  │  Rust SDK  │  Language SDKs (future)       │
└──────┬──────────────────────────────────────────────────────────┘
       │
┌──────▼──────────────────────────────────────────────────────────┐
│                   QUANTUMVAULT CORE                             │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  ┌─────────────┐  ┌──────────────┐  ┌──────────────────────┐  │
│  │   Request   │  │ Auth/Policy  │  │   Secrets Router     │  │
│  │   Handler   │→ │   Engine     │→ │   (Path-based)       │  │
│  └─────────────┘  └──────────────┘  └──────────────────────┘  │
│                         │                      │                │
│                         ↓                      ↓                │
│              ┌──────────────────┐   ┌────────────────────┐     │
│              │  Cedar Policies  │   │  Secrets Engines   │     │
│              │  (Authorization) │   │  (KV, Transit,     │     │
│              └──────────────────┘   │   Dynamic, PKI)    │     │
│                                     └────────────────────┘     │
│                                              │                  │
└──────────────────────────────────────────────┼──────────────────┘
                                               │
       ┌───────────────────────────────────────┼───────────────┐
       │                                       │               │
┌──────▼────────┐  ┌──────────────▼──────┐  ┌▼──────────────┐ │
│ Crypto Layer  │  │  Storage Layer      │  │  Seal/Unseal  │ │
├───────────────┤  ├─────────────────────┤  ├───────────────┤ │
│ • aws-lc-rs   │  │ • SurrealDB         │  │ • Master Key  │ │
│ • RustCrypto  │  │ • Filesystem        │  │ • Shamir SSS  │ │
│ • Tongsuo     │  │ • etcd/Consul       │  │ • Auto-unseal │ │
│ • OpenSSL     │  │ • PostgreSQL        │  │   (KMS)       │ │
└───────────────┘  └─────────────────────┘  └───────────────┘ │
                                                                │
└────────────────────────────────────────────────────────────────┘

Secrets Engines

SecretumVault soporta múltiples "engines" montados en paths:

1. KV Engine (Key-Value Secrets)

Path: secret/

// API
POST   /v1/secret/data/myapp/database    # Write secret
GET    /v1/secret/data/myapp/database    # Read secret
DELETE /v1/secret/data/myapp/database    # Delete secret
GET    /v1/secret/metadata/myapp/database # Get metadata

Implementación:

pub struct KVEngine {
    storage: Arc<dyn StorageBackend>,
    versioned: bool, // KV v1 o v2
}

#[derive(Serialize, Deserialize)]
pub struct SecretData {
    pub data: HashMap<String, serde_json::Value>,
    pub metadata: SecretMetadata,
}

#[derive(Serialize, Deserialize)]
pub struct SecretMetadata {
    pub version: u64,
    pub created_at: DateTime<Utc>,
    pub updated_at: DateTime<Utc>,
    pub deleted: bool,
    pub destroyed: bool,
}

impl SecretsEngine for KVEngine {
    async fn write(
        &self,
        path: &str,
        data: HashMap<String, serde_json::Value>,
    ) -> Result<SecretMetadata> {
        let mut metadata = SecretMetadata {
            version: self.get_next_version(path).await?,
            created_at: Utc::now(),
            updated_at: Utc::now(),
            deleted: false,
            destroyed: false,
        };
        
        let secret = SecretData { data, metadata: metadata.clone() };
        
        // Encrypt data before storing
        let encrypted = self.encrypt_secret(&secret).await?;
        
        self.storage.store_secret(path, &encrypted).await?;
        
        Ok(metadata)
    }
    
    async fn read(&self, path: &str) -> Result<SecretData> {
        let encrypted = self.storage.get_secret(path).await?;
        let secret = self.decrypt_secret(&encrypted).await?;
        
        if secret.metadata.deleted {
            return Err(Error::SecretDeleted);
        }
        
        Ok(secret)
    }
}

2. Transit Engine (Encryption as a Service)

Path: transit/

Permite a aplicaciones cifrar/descifrar datos sin manejar claves directamente.

// API
POST /v1/transit/encrypt/my-key    # Encrypt data
POST /v1/transit/decrypt/my-key    # Decrypt data
POST /v1/transit/sign/my-key       # Sign data (PQC)
POST /v1/transit/verify/my-key     # Verify signature
POST /v1/transit/rewrap/my-key     # Re-encrypt with new key version

Implementación:

pub struct TransitEngine {
    crypto: Arc<dyn CryptoBackend>,
    key_manager: Arc<KeyManager>,
}

#[derive(Deserialize)]
pub struct EncryptRequest {
    pub plaintext: String, // Base64
    pub context: Option<String>, // Additional authenticated data
}

#[derive(Serialize)]
pub struct EncryptResponse {
    pub ciphertext: String, // vault:v1:base64ciphertext
}

impl SecretsEngine for TransitEngine {
    async fn handle_encrypt(
        &self,
        key_name: &str,
        req: EncryptRequest,
    ) -> Result<EncryptResponse> {
        // 1. Decode plaintext
        let plaintext = base64::decode(&req.plaintext)?;
        
        // 2. Get encryption key (latest version)
        let key = self.key_manager.get_key(key_name).await?;
        
        // 3. Encrypt with crypto backend
        let ciphertext = match key.algorithm {
            KeyAlgorithm::Aes256Gcm => {
                self.crypto.encrypt_symmetric(&key.key_data, &plaintext, SymmetricAlgorithm::Aes256Gcm)?
            }
            KeyAlgorithm::ChaCha20Poly1305 => {
                self.crypto.encrypt_symmetric(&key.key_data, &plaintext, SymmetricAlgorithm::ChaCha20Poly1305)?
            }
            _ => return Err(Error::InvalidAlgorithm),
        };
        
        // 4. Format response (Vault-compatible)
        let encoded = format!(
            "vault:v{}:{}",
            key.version,
            base64::encode(&ciphertext)
        );
        
        Ok(EncryptResponse {
            ciphertext: encoded,
        })
    }
    
    async fn handle_sign(
        &self,
        key_name: &str,
        data: &[u8],
    ) -> Result<String> {
        let key = self.key_manager.get_key(key_name).await?;
        
        // Firmar con PQC (ML-DSA)
        let signature = self.crypto.sign(&key.private_key, data)?;
        
        Ok(format!(
            "vault:v{}:{}",
            key.version,
            base64::encode(&signature)
        ))
    }
}

3. PKI Engine (Certificate Authority)

Path: pki/

Genera certificados X.509 (RSA/ECDSA tradicional + PQC experimental).

pub struct PKIEngine {
    crypto: Arc<dyn CryptoBackend>,
    ca_bundle: Option<CABundle>,
}

#[derive(Deserialize)]
pub struct IssueCertRequest {
    pub common_name: String,
    pub alt_names: Vec<String>,
    pub ttl: String, // e.g., "720h"
    pub algorithm: CertAlgorithm, // RSA2048, ECDSA256, ML-DSA-65
}

impl SecretsEngine for PKIEngine {
    async fn issue_cert(&self, req: IssueCertRequest) -> Result<Certificate> {
        // 1. Generate keypair
        let keypair = self.crypto.generate_keypair(
            req.algorithm.to_key_algorithm()
        )?;
        
        // 2. Create CSR
        let csr = create_csr(&keypair, &req.common_name, &req.alt_names)?;
        
        // 3. Sign with CA
        let cert = self.ca_bundle
            .as_ref()
            .ok_or(Error::NoCAConfigured)?
            .sign_csr(&csr, parse_duration(&req.ttl)?)?;
        
        Ok(cert)
    }
}

4. Dynamic Secrets Engine

Path: database/, aws/, gcp/

Genera credenciales dinámicas on-demand.

pub struct DatabaseEngine {
    connections: HashMap<String, DatabaseConnection>,
}

#[derive(Deserialize)]
pub struct GetCredsRequest {
    pub role: String, // e.g., "readonly", "admin"
}

#[derive(Serialize)]
pub struct DatabaseCreds {
    pub username: String,
    pub password: String,
    pub lease_duration: u64, // seconds
}

impl SecretsEngine for DatabaseEngine {
    async fn get_credentials(
        &self,
        role: &str,
    ) -> Result<DatabaseCreds> {
        let role_config = self.get_role_config(role).await?;
        
        // Generate random username/password
        let username = format!("v-{}-{}", role, generate_id());
        let password = generate_secure_password(32);
        
        // Create user in database
        let db = self.connections.get(&role_config.connection)
            .ok_or(Error::ConnectionNotFound)?;
        
        db.execute(&format!(
            "CREATE USER '{}' IDENTIFIED BY '{}';",
            username, password
        )).await?;
        
        // Grant permissions
        for stmt in &role_config.creation_statements {
            db.execute(stmt).await?;
        }
        
        // Schedule revocation
        self.schedule_revocation(&username, role_config.ttl).await?;
        
        Ok(DatabaseCreds {
            username,
            password,
            lease_duration: role_config.ttl.as_secs(),
        })
    }
}

Authorization with Cedar

En lugar de ACL tradicional, usamos Cedar (AWS open-source policy language).

Cedar Overview

Cedar es:

✅ Expresivo y declarativo
✅ Verificable formalmente
✅ Policy-as-Code
✅ Usado por AWS (AVP)

Policy Example

Archivo: policies/allow-read-secrets.cedar

// Permitir a developers leer secrets de su proyecto
permit(
    principal in Group::"developers",
    action == Action::"read",
    resource in Project::"kit-digital"
)
when {
    context.environment == "development" ||
    context.environment == "staging"
};

// Permitir a CI/CD leer solo secrets de deployment
permit(
    principal == ServiceAccount::"github-actions",
    action in [Action::"read", Action::"encrypt"],
    resource in Path::"secret/deployments/*"
)
when {
    context.ip_address in [
        "192.30.252.0/22",  // GitHub Actions IPs
        "185.199.108.0/22"
    ]
};

// Permitir a admins todo
permit(
    principal in Group::"admins",
    action,
    resource
);

// Denegar escritura a production desde dev environments
forbid(
    principal,
    action in [Action::"write", Action::"delete"],
    resource in Path::"secret/production/*"
)
when {
    context.environment != "production"
};

Cedar Integration

Archivo: src/auth/cedar.rs

use cedar_policy::{Authorizer, Context, Entities, PolicySet, Request};

pub struct CedarAuthz {
    authorizer: Authorizer,
    policies: PolicySet,
    entities: Entities,
}

impl CedarAuthz {
    pub fn from_files(policy_dir: &str) -> Result<Self> {
        let policies = load_policies_from_dir(policy_dir)?;
        let entities = load_entities()?; // Groups, users, etc.
        
        Ok(Self {
            authorizer: Authorizer::new(),
            policies,
            entities,
        })
    }
    
    pub fn is_authorized(
        &self,
        principal: &str,
        action: &str,
        resource: &str,
        context: RequestContext,
    ) -> Result<bool> {
        let request = Request::new(
            Some(principal.parse()?),
            Some(action.parse()?),
            Some(resource.parse()?),
            Context::from_json_value(serde_json::to_value(context)?)?,
        )?;
        
        let response = self.authorizer.is_authorized(
            &request,
            &self.policies,
            &self.entities,
        );
        
        Ok(response.decision() == cedar_policy::Decision::Allow)
    }
}

#[derive(Serialize)]
pub struct RequestContext {
    pub environment: String,
    pub ip_address: String,
    pub timestamp: i64,
    pub mfa_verified: bool,
}

// Integración con Vault
impl Vault {
    async fn handle_request(
        &self,
        req: VaultRequest,
        auth_token: &str,
    ) -> Result<VaultResponse> {
        // 1. Validate token
        let principal = self.auth.validate_token(auth_token).await?;
        
        // 2. Build context
        let context = RequestContext {
            environment: req.headers.get("X-Vault-Environment")
                .unwrap_or("unknown").to_string(),
            ip_address: req.remote_addr.to_string(),
            timestamp: Utc::now().timestamp(),
            mfa_verified: self.auth.is_mfa_verified(&principal).await?,
        };
        
        // 3. Authorize with Cedar
        let authorized = self.cedar.is_authorized(
            &principal.id,
            &req.operation, // "read", "write", "delete"
            &req.path,      // "secret/production/db"
            context,
        )?;
        
        if !authorized {
            return Err(Error::PermissionDenied);
        }
        
        // 4. Route to appropriate engine
        self.route_request(req).await
    }
}

Entities Definition

Archivo: entities.json

[
  {
    "uid": {"type": "User", "id": "alice"},
    "attrs": {
      "email": "alice@example.com",
      "groups": ["developers", "admins"]
    },
    "parents": [
      {"type": "Group", "id": "developers"},
      {"type": "Group", "id": "admins"}
    ]
  },
  {
    "uid": {"type": "ServiceAccount", "id": "github-actions"},
    "attrs": {
      "type": "ci-cd",
      "trusted": true
    }
  },
  {
    "uid": {"type": "Group", "id": "developers"},
    "attrs": {},
    "parents": []
  }
]

Crypto Backends

Backend Interface (ya definido anteriormente)

pub trait CryptoBackend: Debug + Send + Sync {
    fn backend_type(&self) -> BackendType;
    
    // Asymmetric
    fn generate_keypair(&self, algorithm: KeyAlgorithm) -> Result<KeyPair>;
    fn sign(&self, key: &PrivateKey, data: &[u8]) -> Result<Vec<u8>>;
    fn verify(&self, key: &PublicKey, data: &[u8], sig: &[u8]) -> Result<bool>;
    
    // Symmetric
    fn encrypt_symmetric(&self, key: &[u8], data: &[u8], alg: SymmetricAlgorithm) -> Result<Vec<u8>>;
    fn decrypt_symmetric(&self, key: &[u8], data: &[u8], alg: SymmetricAlgorithm) -> Result<Vec<u8>>;
    
    // KEM (for PQC)
    fn kem_encapsulate(&self, key: &PublicKey) -> Result<(Vec<u8>, Vec<u8>)>;
    fn kem_decapsulate(&self, key: &PrivateKey, ct: &[u8]) -> Result<Vec<u8>>;
    
    // Random
    fn random_bytes(&self, len: usize) -> Result<Vec<u8>>;
}

Hybrid Crypto Mode

Para defense-in-depth, soportar hybrid:

pub struct HybridBackend {
    classical: Arc<dyn CryptoBackend>, // OpenSSL/aws-lc (RSA/ECDSA)
    pqc: Arc<dyn CryptoBackend>,       // aws-lc-rs (ML-KEM/ML-DSA)
}

impl CryptoBackend for HybridBackend {
    fn kem_encapsulate(&self, key: &PublicKey) -> Result<(Vec<u8>, Vec<u8>)> {
        // Encapsulate with both
        let (ct_classical, ss_classical) = self.classical.kem_encapsulate(key)?;
        let (ct_pqc, ss_pqc) = self.pqc.kem_encapsulate(key)?;
        
        // Combine ciphertexts
        let combined_ct = [ct_classical, ct_pqc].concat();
        
        // Derive shared secret from both using KDF
        let combined_ss = kdf_combine(&ss_classical, &ss_pqc)?;
        
        Ok((combined_ct, combined_ss))
    }
}

Storage Backends

Storage Trait

#[async_trait]
pub trait StorageBackend: Debug + Send + Sync {
    // Secrets
    async fn store_secret(&self, path: &str, data: &EncryptedData) -> Result<()>;
    async fn get_secret(&self, path: &str) -> Result<EncryptedData>;
    async fn delete_secret(&self, path: &str) -> Result<()>;
    async fn list_secrets(&self, prefix: &str) -> Result<Vec<String>>;
    
    // Keys
    async fn store_key(&self, key: &StoredKey) -> Result<()>;
    async fn get_key(&self, key_id: &str) -> Result<StoredKey>;
    
    // Policies
    async fn store_policy(&self, name: &str, policy: &str) -> Result<()>;
    async fn get_policy(&self, name: &str) -> Result<String>;
    async fn list_policies(&self) -> Result<Vec<String>>;
    
    // Leases (for dynamic secrets)
    async fn store_lease(&self, lease: &Lease) -> Result<()>;
    async fn get_lease(&self, lease_id: &str) -> Result<Lease>;
    async fn delete_lease(&self, lease_id: &str) -> Result<()>;
    async fn list_expiring_leases(&self, before: DateTime<Utc>) -> Result<Vec<Lease>>;
}

SurrealDB Implementation

pub struct SurrealDBBackend {
    db: Surreal<Client>,
}

#[async_trait]
impl StorageBackend for SurrealDBBackend {
    async fn store_secret(&self, path: &str, data: &EncryptedData) -> Result<()> {
        let record = SecretRecord {
            path: path.to_string(),
            data: data.clone(),
            created_at: Utc::now(),
            updated_at: Utc::now(),
        };
        
        let _: Option<SecretRecord> = self.db
            .create(("secrets", path))
            .content(record)
            .await?;
        
        Ok(())
    }
    
    async fn list_expiring_leases(&self, before: DateTime<Utc>) -> Result<Vec<Lease>> {
        let leases: Vec<Lease> = self.db
            .query("SELECT * FROM leases WHERE expires_at <= $before")
            .bind(("before", before))
            .await?
            .take(0)?;
        
        Ok(leases)
    }
}

API Design

Vault-Compatible REST API

// Core paths
GET    /v1/sys/health              // Health check
POST   /v1/sys/init                // Initialize vault
POST   /v1/sys/unseal              // Unseal vault
POST   /v1/sys/seal                // Seal vault
GET    /v1/sys/seal-status         // Get seal status

// Auth
POST   /v1/auth/token/create       // Create token
POST   /v1/auth/token/revoke       // Revoke token
POST   /v1/auth/token/lookup       // Lookup token

// Secrets (KV)
GET    /v1/secret/data/:path       // Read secret
POST   /v1/secret/data/:path       // Write secret
DELETE /v1/secret/data/:path       // Delete secret
GET    /v1/secret/metadata/:path   // Get metadata
LIST   /v1/secret/metadata/:path   // List secrets

// Transit (EaaS)
POST   /v1/transit/encrypt/:key    // Encrypt data
POST   /v1/transit/decrypt/:key    // Decrypt data
POST   /v1/transit/sign/:key       // Sign data (PQC)
POST   /v1/transit/verify/:key     // Verify signature
POST   /v1/transit/keys/:key       // Create key
POST   /v1/transit/keys/:key/rotate // Rotate key

// PKI
POST   /v1/pki/root/generate       // Generate root CA
POST   /v1/pki/issue/:role         // Issue certificate
POST   /v1/pki/revoke              // Revoke certificate

// Database (Dynamic)
GET    /v1/database/creds/:role    // Get dynamic creds
POST   /v1/database/config/:name   // Configure connection

// Policies (Cedar)
GET    /v1/sys/policies            // List policies
GET    /v1/sys/policy/:name        // Read policy
PUT    /v1/sys/policy/:name        // Write policy
DELETE /v1/sys/policy/:name        // Delete policy

Request/Response Format

#[derive(Serialize, Deserialize)]
pub struct VaultRequest {
    pub path: String,
    pub operation: Operation, // Read, Write, Delete, List
    pub data: Option<serde_json::Value>,
    pub headers: HashMap<String, String>,
}

#[derive(Serialize, Deserialize)]
pub struct VaultResponse {
    pub request_id: String,
    pub lease_id: Option<String>,
    pub renewable: bool,
    pub lease_duration: u64,
    pub data: Option<serde_json::Value>,
    pub warnings: Vec<String>,
    pub auth: Option<AuthInfo>,
}

Deployment Modes

1. Standalone Server

# Start server
svault server --config svault.toml

# Initialize
svault operator init

# Unseal
svault operator unseal <key>

2. Kubernetes Deployment

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: secretumvault
spec:
  serviceName: secretumvault
  replicas: 3
  selector:
    matchLabels:
      app: secretumvault
  template:
    metadata:
      labels:
        app: secretumvault
    spec:
      containers:
      - name: vault
        image: secretumvault:latest
        ports:
        - containerPort: 8200
          name: api
        env:
        - name: QVAULT_BACKEND
          value: "aws-lc"
        - name: QVAULT_STORAGE
          value: "surrealdb"
        volumeMounts:
        - name: config
          mountPath: /etc/secretumvault
        - name: data
          mountPath: /var/secretumvault
  volumeClaimTemplates:
  - metadata:
      name: data
    spec:
      accessModes: ["ReadWriteOnce"]
      resources:
        requests:
          storage: 10Gi

3. Library Mode (Embedded)

// En tu aplicación
use secretumvault::{Vault, VaultConfig};

#[tokio::main]
async fn main() -> Result<()> {
    let config = VaultConfig::builder()
        .crypto_backend(BackendType::AwsLc)
        .storage_backend(StorageType::SurrealDB)
        .build()?;
    
    let vault = Vault::new(config).await?;
    
    // Usar vault embebido
    vault.write("secret/myapp/db", json!({
        "username": "admin",
        "password": "secret123"
    })).await?;
    
    Ok(())
}

Integration Examples

1. Con RustyVault (como Backend)

SecretumVault puede servir como crypto backend de RustyVault:

// RustyVault usa SecretumVault para crypto
use secretumvault::CryptoService;

pub struct RustyVaultWithPQC {
    secrets: RustyVaultCore,
    crypto: Arc<CryptoService>, // SecretumVault crypto
}

impl RustyVaultWithPQC {
    async fn sign_certificate(&self, csr: &[u8]) -> Result<Vec<u8>> {
        // Usar SecretumVault para firmar con ML-DSA
        self.crypto.sign("ca-key", csr).await
    }
}

2. Con provctl (Orchestration)

use secretumvault::Vault;

async fn provision_secure_machine(machine_id: &str) -> Result<()> {
    let vault = Vault::connect("https://vault.internal:8200").await?;
    
    // Get dynamic SSH credentials
    let ssh_creds = vault.read(&format!("ssh/creds/{}", machine_id)).await?;
    
    // Encrypt machine config
    let encrypted_config = vault.transit_encrypt(
        "machine-config-key",
        &machine_config.as_bytes()
    ).await?;
    
    // Deploy
    deploy_machine(machine_id, &ssh_creds, &encrypted_config).await?;
    
    Ok(())
}

3. Con Nushell Scripts

# vault-ops.nu
export def get-db-creds [role: string] {
    let response = (
        http get http://vault:8200/v1/database/creds/$role
        -H [X-Vault-Token $env.VAULT_TOKEN]
    )
    
    {
        username: $response.data.username,
        password: $response.data.password,
        expires: ($response.lease_duration | into datetime)
    }
}

export def encrypt-file [file: string, key: string] {
    let plaintext = (open $file | encode base64)
    
    let response = (
        http post http://vault:8200/v1/transit/encrypt/$key {
            plaintext: $plaintext
        } -H [X-Vault-Token $env.VAULT_TOKEN]
    )
    
    $response.data.ciphertext | save $"($file).encrypted"
}

# Uso
get-db-creds "readonly" | save db-creds.json
encrypt-file "sensitive.txt" "app-key"

4. Con Nickel Config

# vault-bootstrap.ncl
let Vault = {
  server = "https://vault.internal:8200",
  
  policies = {
    developers = m%"
      permit(
        principal in Group::"developers",
        action == Action::"read",
        resource in Path::"secret/dev/*"
      );
    "%,
    
    ci_cd = m%"
      permit(
        principal == ServiceAccount::"github-actions",
        action in [Action::"read", Action::"encrypt"],
        resource in Path::"secret/deployments/*"
      );
    "%,
  },
  
  secrets = {
    database = {
      connection = "postgresql://vault-db:5432/app",
      roles = {
        readonly = {
          creation_statements = [
            "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
            "GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
          ],
          ttl = "1h"
        },
        admin = {
          creation_statements = [
            "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}' SUPERUSER;"
          ],
          ttl = "15m"
        }
      }
    }
  }
}

{
  vault = Vault
}

Implementation Roadmap

Phase 1: Foundation (Week 1-3)

Week 1: Core Architecture

Project structure
Storage trait + filesystem implementation
Basic crypto backend (OpenSSL)
Seal/Unseal mechanism with Shamir

Week 2: KV Engine

KV secrets engine (v2 with versioning)
Encryption at rest
API handlers for KV
CLI: read/write/delete

Week 3: Auth & Cedar

Token-based authentication
Cedar policy integration
Policy evaluation
Basic ACL tests

Phase 2: Crypto Engines (Week 4-6)

Week 4: Transit Engine

Encrypt/decrypt endpoints
Key rotation
Multiple algorithm support
Rewrap functionality

Week 5: PQC Integration

aws-lc-rs backend
ML-KEM implementation
ML-DSA signatures
Hybrid mode (classical + PQC)

Week 6: PKI Engine

Root CA generation
Certificate issuance (RSA/ECDSA)
CRL/OCSP support
PQC certificates (experimental)

Phase 3: Dynamic Secrets (Week 7-8)

Week 7: Database Engine

PostgreSQL support
MySQL support
Lease management
Automatic revocation

Week 8: Storage Backends

SurrealDB implementation
etcd/Consul support
Migration tools

Phase 4: Production Ready (Week 9-10)

Week 9: High Availability

Leader election
Replication
Auto-unseal with KMS
Performance optimizations

Week 10: Polish & Docs

API documentation (OpenAPI)
Deployment guides
Security audit
Benchmarks

Configuration Example

Archivo: svault.toml

[vault]
# Crypto backend
crypto_backend = "aws-lc"  # aws-lc | rustcrypto | tongsuo | openssl

# Storage backend
storage_backend = "surrealdb"  # surrealdb | filesystem | etcd | consul

[server]
address = "0.0.0.0:8200"
tls_cert = "/etc/svault/tls/cert.pem"
tls_key = "/etc/svault/tls/key.pem"

# Mutual TLS (opcional)
tls_client_ca = "/etc/svault/tls/ca.pem"

[storage.surrealdb]
endpoint = "ws://localhost:8000"
namespace = "vault"
database = "production"
username = "vault"
password = "${SURREAL_PASSWORD}"

[storage.filesystem]
path = "/var/svault/data"

[seal]
type = "shamir"  # shamir | auto | transit
shares = 5
threshold = 3

# Auto-unseal con KMS (opcional)
[seal.auto]
type = "aws-kms"  # aws-kms | gcp-kms | azure-kv
key_id = "arn:aws:kms:..."

[auth.cedar]
policies_dir = "/etc/svault/policies"
entities_file = "/etc/svault/entities.json"

[engines]
# Secrets engines montados
kv = { path = "secret/", versioned = true }
transit = { path = "transit/" }
pki = { path = "pki/" }
database = { path = "database/" }

[logging]
level = "info"
format = "json"
output = "/var/log/svault/vault.log"

[telemetry]
prometheus_port = 9090

Project Structure

secretumvault/
├── Cargo.toml
├── README.md
├── config/
│   └── svault.toml.example
│
├── src/
│   ├── lib.rs
│   ├── main.rs                     # Server binary
│   │
│   ├── core/
│   │   ├── mod.rs
│   │   ├── vault.rs                # Main Vault struct
│   │   ├── seal.rs                 # Seal/Unseal logic
│   │   └── router.rs               # Request routing
│   │
│   ├── engines/
│   │   ├── mod.rs
│   │   ├── kv.rs                   # KV engine
│   │   ├── transit.rs              # Transit engine
│   │   ├── pki.rs                  # PKI engine
│   │   └── database.rs             # Dynamic secrets
│   │
│   ├── auth/
│   │   ├── mod.rs
│   │   ├── token.rs                # Token auth
│   │   └── cedar.rs                # Cedar integration
│   │
│   ├── crypto/
│   │   ├── mod.rs
│   │   ├── backend.rs              # Trait
│   │   ├── aws_lc.rs
│   │   ├── rustcrypto.rs
│   │   └── tongsuo.rs
│   │
│   ├── storage/
│   │   ├── mod.rs
│   │   ├── filesystem.rs
│   │   ├── surrealdb.rs
│   │   ├── etcd.rs
│   │   └── consul.rs
│   │
│   ├── api/
│   │   ├── mod.rs
│   │   ├── server.rs
│   │   └── handlers/
│   │       ├── sys.rs
│   │       ├── secret.rs
│   │       ├── transit.rs
│   │       └── pki.rs
│   │
│   ├── shamir/
│   │   └── mod.rs
│   │
│   └── error.rs
│
├── bin/
│   └── svault.rs                   # CLI tool
│
├── policies/
│   ├── default.cedar
│   ├── developers.cedar
│   └── ci-cd.cedar
│
├── scripts/
│   ├── vault-ops.nu                # Nushell helpers
│   └── init-vault.sh
│
├── configs/
│   ├── vault-config.ncl
│   └── bootstrap.ncl
│
└── tests/
    ├── integration/
    ├── engines/
    └── auth/

Cargo.toml

[package]
name = "secretumvault"
version = "0.1.0"
edition = "2021"
authors = ["Jesús Pérez <contact@jesusperez.pro>"]
description = "Post-quantum ready secrets management system"
license = "Apache-2.0"

[features]
default = ["aws-lc", "filesystem", "server"]

# Crypto backends
aws-lc = ["aws-lc-rs"]
rustcrypto = ["ml-kem", "ml-dsa", "slh-dsa"]
tongsuo = ["dep:tongsuo"]
openssl = ["dep:openssl"]

# Storage backends
filesystem = []
surrealdb-storage = ["surrealdb"]
etcd-storage = ["etcd-client"]
consul-storage = ["consulrs"]

# Components
server = ["axum", "tower-http"]
cli = ["clap"]
cedar = ["cedar-policy"]

[dependencies]
# Core
tokio = { version = "1.35", features = ["full"] }
async-trait = "0.1"
serde = { version = "1.0", features = ["derive"] }
serde_json = "1.0"
toml = "0.8"
thiserror = "1.0"
anyhow = "1.0"
chrono = { version = "0.4", features = ["serde"] }
tracing = "0.1"
tracing-subscriber = "0.3"

# Crypto
aws-lc-rs = { version = "1.9", features = ["unstable"], optional = true }
ml-kem = { version = "0.2", optional = true }
ml-dsa = { version = "0.2", optional = true }
slh-dsa = { version = "0.2", optional = true }
openssl = { version = "0.10", optional = true }
tongsuo = { version = "0.3", optional = true }

# Shamir Secret Sharing
sharks = "0.5"

# Cedar policies
cedar-policy = { version = "3.0", optional = true }

# Storage
surrealdb = { version = "1.5", optional = true }
etcd-client = { version = "0.13", optional = true }
consulrs = { version = "0.1", optional = true }

# Server
axum = { version = "0.7", optional = true, features = ["macros"] }
tower-http = { version = "0.5", optional = true, features = ["cors", "trace"] }

# CLI
clap = { version = "4.5", optional = true, features = ["derive"] }

# Utilities
uuid = { version = "1.6", features = ["v4", "serde"] }
base64 = "0.21"
hex = "0.4"

[dev-dependencies]
tempfile = "3.8"
wiremock = "0.5"

[[bin]]
name = "svault"
path = "src/main.rs"

[[bin]]
name = "svault-cli"
path = "bin/svault.rs"
required-features = ["cli"]

¿Por qué SecretumVault vs. Solo Crypto Service?

Feature	Crypto Service Solo	SecretumVault Completo
Secrets Management	❌	✅ KV + Dynamic
Encryption as a Service	⚠️ Básico	✅ Transit engine completo
Authorization	❌	✅ Cedar policies
PKI/Certificates	❌	✅ Full CA
Dynamic Secrets	❌	✅ Database, cloud
Lease Management	❌	✅ Auto-revocation
Audit Logging	❌	✅ Completo
High Availability	❌	✅ Replication
Vault API Compatible	❌	✅ Migration path

Next Steps

Validar arquitectura - ¿Tiene sentido este scope?
Naming - ¿secretumvault, svault, otro?
Prioridades - ¿Qué implementar primero?
Cedar policies - ¿Es la mejor opción o prefieres ACL simple?
Integración RustyVault - ¿Backend? ¿Fork? ¿Proyecto separado?

¿Empezamos con Phase 1 en Claude Code?

36 KiB Raw Blame History