242 lines
5.4 KiB
Markdown
242 lines
5.4 KiB
Markdown
|
|
# Encrypt - Multi-Backend Encryption
|
||
|
|
|
||
|
|
A unified encryption framework supporting multiple cloud and on-premises secret management providers.
|
||
|
|
|
||
|
|
## Overview
|
||
|
|
|
||
|
|
Encrypt provides a unified API for secret management and encryption across different backends:
|
||
|
|
|
||
|
|
- 🔐 **SOPS** - Secrets Operations with multi-KMS support (AWS, GCP, Azure)
|
||
|
|
- 🔑 **RustyVault** - HashiCorp Vault alternative
|
||
|
|
- ☁️ **AWS KMS** - Amazon Key Management Service
|
||
|
|
- 🌐 **GCP KMS** - Google Cloud Key Management
|
||
|
|
- 💎 **Azure Key Vault** - Microsoft Azure secret management
|
||
|
|
|
||
|
|
## Features
|
||
|
|
|
||
|
|
- 🔄 **Unified API** - Same interface for all backends
|
||
|
|
- 🎯 **Backend Detection** - Auto-detect available backends
|
||
|
|
- 🔍 **Secret Detection** - Pattern-based secret detection (7 default patterns)
|
||
|
|
- ⚠️ **False Positive Filtering** - Intelligent filtering of detected "secrets"
|
||
|
|
- 🔧 **Flexible Configuration** - Extensive configuration options
|
||
|
|
- 🚀 **Async Support** - Built for modern async Rust
|
||
|
|
|
||
|
|
## Supported Backends
|
||
|
|
|
||
|
|
### SOPS (Secrets Operations)
|
||
|
|
Multi-KMS support with git-friendly encrypted YAML/JSON/TOML files
|
||
|
|
|
||
|
|
```rust
|
||
|
|
use encrypt::config::{EncryptionConfig, BackendType, SopsConfig};
|
||
|
|
|
||
|
|
let sops = SopsConfig {
|
||
|
|
kms_provider: "aws".to_string(),
|
||
|
|
gcp_project: None,
|
||
|
|
pgp_fingerprints: vec![],
|
||
|
|
..Default::default()
|
||
|
|
};
|
||
|
|
```
|
||
|
|
|
||
|
|
### RustyVault
|
||
|
|
HashiCorp Vault-compatible secret management
|
||
|
|
|
||
|
|
```rust
|
||
|
|
use encrypt::config::RustyVaultConfig;
|
||
|
|
|
||
|
|
let vault = RustyVaultConfig {
|
||
|
|
vault_addr: "https://vault.example.com".to_string(),
|
||
|
|
namespace: Some("myapp".to_string()),
|
||
|
|
..Default::default()
|
||
|
|
};
|
||
|
|
```
|
||
|
|
|
||
|
|
### AWS KMS
|
||
|
|
Amazon Key Management Service for secrets
|
||
|
|
|
||
|
|
```rust
|
||
|
|
use encrypt::config::AwsKmsConfig;
|
||
|
|
|
||
|
|
let aws = AwsKmsConfig {
|
||
|
|
region: "us-east-1".to_string(),
|
||
|
|
key_id: "arn:aws:kms:us-east-1:123456789012:key/12345678".to_string(),
|
||
|
|
..Default::default()
|
||
|
|
};
|
||
|
|
```
|
||
|
|
|
||
|
|
### GCP KMS
|
||
|
|
Google Cloud Key Management Service
|
||
|
|
|
||
|
|
```rust
|
||
|
|
use encrypt::config::GcpKmsConfig;
|
||
|
|
|
||
|
|
let gcp = GcpKmsConfig {
|
||
|
|
project_id: "my-project".to_string(),
|
||
|
|
key_ring: "myapp-keys".to_string(),
|
||
|
|
crypto_key: "default".to_string(),
|
||
|
|
..Default::default()
|
||
|
|
};
|
||
|
|
```
|
||
|
|
|
||
|
|
### Azure Key Vault
|
||
|
|
Microsoft Azure secret management
|
||
|
|
|
||
|
|
```rust
|
||
|
|
use encrypt::config::AzureKmsConfig;
|
||
|
|
|
||
|
|
let azure = AzureKmsConfig {
|
||
|
|
vault_name: "myapp-vault".to_string(),
|
||
|
|
tenant_id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx".to_string(),
|
||
|
|
..Default::default()
|
||
|
|
};
|
||
|
|
```
|
||
|
|
|
||
|
|
## Quick Start
|
||
|
|
|
||
|
|
```rust
|
||
|
|
use encrypt::config::EncryptionConfig;
|
||
|
|
|
||
|
|
// Create configuration
|
||
|
|
let config = EncryptionConfig {
|
||
|
|
backends: vec![/* backend configs */],
|
||
|
|
default_backend: "sops".to_string(),
|
||
|
|
auto_detect: true,
|
||
|
|
..Default::default()
|
||
|
|
};
|
||
|
|
|
||
|
|
// Use encryption backend
|
||
|
|
let backend = config.get_default_backend()?;
|
||
|
|
backend.encrypt(secret_data)?;
|
||
|
|
backend.decrypt(encrypted_data)?;
|
||
|
|
```
|
||
|
|
|
||
|
|
## Secret Detection
|
||
|
|
|
||
|
|
Detect secrets in code or configuration:
|
||
|
|
|
||
|
|
```rust
|
||
|
|
use encrypt::detect::detect_secrets;
|
||
|
|
|
||
|
|
let patterns = detect_secrets(code_content);
|
||
|
|
for detected in patterns {
|
||
|
|
println!("Found: {} with confidence: {}",
|
||
|
|
detected.name, detected.confidence);
|
||
|
|
}
|
||
|
|
```
|
||
|
|
|
||
|
|
### Default Patterns
|
||
|
|
|
||
|
|
- AWS Access Keys (`AKIA[0-9A-Z]{16}`)
|
||
|
|
- AWS Secret Keys
|
||
|
|
- GitHub Tokens (`gh[pousr]{1}_...`)
|
||
|
|
- Vault Tokens (`hvs.*`)
|
||
|
|
- Private Keys (RSA, DSA, OpenSSH, EC)
|
||
|
|
- API Keys
|
||
|
|
- Database Passwords
|
||
|
|
|
||
|
|
## Architecture
|
||
|
|
|
||
|
|
- `error.rs` - Error types for encryption operations
|
||
|
|
- `config.rs` - Configuration for backends
|
||
|
|
- `backend/mod.rs` - Backend trait definition
|
||
|
|
- `backend/sops.rs` - SOPS implementation
|
||
|
|
- `backend/rustyvault.rs` - RustyVault implementation
|
||
|
|
- `backend/kms.rs` - AWS/GCP/Azure KMS implementations
|
||
|
|
- `detect.rs` - Secret pattern detection
|
||
|
|
|
||
|
|
## Use Cases
|
||
|
|
|
||
|
|
### Secret Management
|
||
|
|
Centralized secrets across environments
|
||
|
|
|
||
|
|
### Compliance
|
||
|
|
Encrypt sensitive data to meet regulatory requirements
|
||
|
|
|
||
|
|
### DevOps
|
||
|
|
Automate secret rotation and management
|
||
|
|
|
||
|
|
### Security
|
||
|
|
Prevent accidental secret exposure
|
||
|
|
|
||
|
|
### Multi-Cloud
|
||
|
|
Work consistently across AWS, GCP, Azure
|
||
|
|
|
||
|
|
## Configuration Files
|
||
|
|
|
||
|
|
### SOPS Example
|
||
|
|
```yaml
|
||
|
|
# .sops.yaml
|
||
|
|
creation_rules:
|
||
|
|
- path_regex: secrets/.*
|
||
|
|
kms: 'arn:aws:kms:us-east-1:123456789012:key/12345678'
|
||
|
|
age: age1xxx...
|
||
|
|
```
|
||
|
|
|
||
|
|
### Vault Example
|
||
|
|
```toml
|
||
|
|
[vault]
|
||
|
|
address = "https://vault.example.com"
|
||
|
|
token = "hvs.xxx..."
|
||
|
|
namespace = "myapp"
|
||
|
|
```
|
||
|
|
|
||
|
|
## Testing
|
||
|
|
|
||
|
|
Run tests with:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
cargo test --lib
|
||
|
|
```
|
||
|
|
|
||
|
|
All 27 tests pass with full coverage of:
|
||
|
|
- Configuration management
|
||
|
|
- All 5 backend implementations
|
||
|
|
- Secret detection with filtering
|
||
|
|
- Error handling
|
||
|
|
|
||
|
|
## Performance
|
||
|
|
|
||
|
|
- Fast secret detection
|
||
|
|
- Minimal overhead
|
||
|
|
- Supports large files
|
||
|
|
- Efficient pattern matching
|
||
|
|
|
||
|
|
## API Documentation
|
||
|
|
|
||
|
|
Full API documentation available with:
|
||
|
|
|
||
|
|
```bash
|
||
|
|
cargo doc --open
|
||
|
|
```
|
||
|
|
|
||
|
|
## Integration
|
||
|
|
|
||
|
|
Encrypt can be integrated with:
|
||
|
|
- CI/CD systems for secret management
|
||
|
|
- Configuration management systems
|
||
|
|
- Deployment automation (provctl, provisioning)
|
||
|
|
- Secret scanning tools
|
||
|
|
- Compliance automation
|
||
|
|
|
||
|
|
## Security Considerations
|
||
|
|
|
||
|
|
- ✅ Never log secrets
|
||
|
|
- ✅ Use secure credential storage
|
||
|
|
- ✅ Rotate credentials regularly
|
||
|
|
- ✅ Use TLS for backend communication
|
||
|
|
- ✅ Principle of least privilege for access
|
||
|
|
|
||
|
|
## License
|
||
|
|
|
||
|
|
Same as prov-ecosystem parent project
|
||
|
|
|
||
|
|
## Contributing
|
||
|
|
|
||
|
|
Contributions welcome! See parent project guidelines.
|
||
|
|
|
||
|
|
## See Also
|
||
|
|
|
||
|
|
- [prov-ecosystem README](../../README.md) - Parent project overview
|
||
|
|
- [valida](../valida/README.md) - Validation rules engine
|
||
|
|
- [runtime](../runtime/README.md) - Container runtime abstraction
|
||
|
|
- [init-servs](../init-servs/README.md) - Init system abstraction
|