nathan/smt
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases 2 Wiki Activity

readme updates

Browse Source
This commit is contained in:
Nathan Coad
2023-04-03 11:23:53 +10:00
parent 45ad4f6ff1
commit 4650845d2f
1 changed files with 5 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
README.md
View File

@@ -2,8 +2,6 @@
## Overview ## Overview
Design concepts at https://wiki.coadcorp.com/doc/secrets-management-idea-VGJMey7Wnd
Provide REST API for CRUD to store and retrieve user/password data for logging into devices. Only password is encrypted, via AES256 GCM. Values stored in sqlite database. Provide REST API for CRUD to store and retrieve user/password data for logging into devices. Only password is encrypted, via AES256 GCM. Values stored in sqlite database.
Requires JWT token to store/retrieve passwords. Requires JWT token to store/retrieve passwords.
@@ -30,6 +28,8 @@ This isn't super secure, probably not even as secure as Hashicorp Vault running
| INITIAL_PASSWORD | Password to set for builtin Administrator account created when first started, can remove this value after first start. Can specify in plaintext or bcrypt hash | $2a$10$s39a82wrRAdOJVZEkkrSReVnXprz5mxU30ZBO.dHPYTncQCsUD9ce | password | INITIAL_PASSWORD | Password to set for builtin Administrator account created when first started, can remove this value after first start. Can specify in plaintext or bcrypt hash | $2a$10$s39a82wrRAdOJVZEkkrSReVnXprz5mxU30ZBO.dHPYTncQCsUD9ce | password
| SECRETS_KEY | Key to use for AES256 GCM encryption. Must be exactly 32 bytes | AES256Key-32Characters1234567890 | No default specified, must define this value | | SECRETS_KEY | Key to use for AES256 GCM encryption. Must be exactly 32 bytes | AES256Key-32Characters1234567890 | No default specified, must define this value |
If the TLS certificate and key files cannot be located in the specified location, a self signed certificate will be generated with a 1 year validity period.
## Systemd script ## Systemd script
Create/update the systemd service definition at /etc/systemd/system/ccsecrets.service and then run systemctl daemon-reload Create/update the systemd service definition at /etc/systemd/system/ccsecrets.service and then run systemctl daemon-reload
@@ -65,7 +65,7 @@ Data
} }
``` ```
This operation can only be performed by a user with a role that is admin enabled. This operation can only be performed by a user with a role that is admin enabled. There are 3 built in roles, which can be viewed via the `/api/admin/roles` endpoint.
#### Login #### Login
POST `/api/login` POST `/api/login`
@@ -78,6 +78,8 @@ Data
} }
``` ```
This API call will return a JWT token that must be present for any other API calls to succeed. The validity duration of this token is based on the configured TOKEN_HOUR_LIFESPAN value.
### Secrets Operations ### Secrets Operations
#### Store #### Store