From 4650845d2f6c436b3924bfbbd3da0a982992dd5b Mon Sep 17 00:00:00 2001 From: Nathan Coad Date: Mon, 3 Apr 2023 11:23:53 +1000 Subject: [PATCH] readme updates --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index e81d15d..51499a3 100644 --- a/README.md +++ b/README.md @@ -2,8 +2,6 @@ ## Overview -Design concepts at https://wiki.coadcorp.com/doc/secrets-management-idea-VGJMey7Wnd - Provide REST API for CRUD to store and retrieve user/password data for logging into devices. Only password is encrypted, via AES256 GCM. Values stored in sqlite database. Requires JWT token to store/retrieve passwords. @@ -30,6 +28,8 @@ This isn't super secure, probably not even as secure as Hashicorp Vault running | INITIAL_PASSWORD | Password to set for builtin Administrator account created when first started, can remove this value after first start. Can specify in plaintext or bcrypt hash | $2a$10$s39a82wrRAdOJVZEkkrSReVnXprz5mxU30ZBO.dHPYTncQCsUD9ce | password | SECRETS_KEY | Key to use for AES256 GCM encryption. Must be exactly 32 bytes | AES256Key-32Characters1234567890 | No default specified, must define this value | +If the TLS certificate and key files cannot be located in the specified location, a self signed certificate will be generated with a 1 year validity period. + ## Systemd script Create/update the systemd service definition at /etc/systemd/system/ccsecrets.service and then run systemctl daemon-reload @@ -65,7 +65,7 @@ Data } ``` -This operation can only be performed by a user with a role that is admin enabled. +This operation can only be performed by a user with a role that is admin enabled. There are 3 built in roles, which can be viewed via the `/api/admin/roles` endpoint. #### Login POST `/api/login` 
@@ -78,6 +78,8 @@ Data } ``` +This API call will return a JWT token that must be present for any other API calls to succeed. The validity duration of this token is based on the configured TOKEN_HOUR_LIFESPAN value. + ### Secrets Operations #### Store
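Review bot: in the hunk at `@@ -30,6 +28,8 @@`, the added sentence about falling back to a self-signed certificate does not say which setting names the certificate and key location or where the generated pair is written, so a reader cannot tell which row of the environment-variable table above it refers to; suggest naming the variables explicitly, e.g. "If the files named by `<TLS cert variable>` and `<TLS key variable>` cannot be found, a self-signed certificate valid for 1 year is generated and written to `<path>`." Because clients have no trusted CA for a self-signed certificate, it is also worth stating that this fallback is for first start or testing only and that the generated certificate's fingerprint is logged so operators can verify or pin it rather than silently accepting whatever the server presents.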
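Review bot: in the hunk at `@@ -65,7 +65,7 @@`, the new sentence says there are 3 built-in roles but does not name them or say which of them are admin enabled, and since the lookup endpoint sits under `/api/admin/` it probably needs an admin token itself, so a non-admin reader cannot use it to find out; suggest listing the three roles and their admin flag inline, e.g. "There are 3 built-in roles: `<role1>` (admin), `<role2>`, `<role3>`. Admins can list them via `/api/admin/roles`."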
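Review bot: in the hunk at `@@ -78,6 +78,8 @@`, "must be present" does not tell the caller how to send the token (which header or field the server reads), and "JWT token" repeats "token"; suggest "This call returns a JWT that must be sent with every other request in `<the header the server expects>`; it expires after `TOKEN_HOUR_LIFESPAN` hours." Also confirm that `TOKEN_HOUR_LIFESPAN` has a row in the environment-variable table above with its default value, since this sentence is the only place in the diff that mentions it.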