more implementation of runtime unlock

2023-12-28 11:14:16 +11:00
parent 9203e09d2d
commit 484acd1822
7 changed files with 115 additions and 43 deletions


@@ -10,7 +10,7 @@ This isn't super secure, probably not even as secure as Hashicorp Vault running
## Installation
1. Copy binary to chosen location, eg /srv/ccsecrets
1. Copy binary to chosen location, eg /srv/smt/smt
2. Create .env file in same directory as binary, populate as per Configuration section below
3. Create systemd service definition
4. Start service
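Review bot: step 1 now places the binary at /srv/smt/smt, but step 2 still has the .env file (which carries API_SECRET and SECRETS_KEY) sitting in the same directory with no word on permissions; suggest adding to step 2 that the directory and the .env file should be owned by, and readable only by, the account the systemd unit from step 3 runs as.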
@@ -26,7 +26,7 @@ This isn't super secure, probably not even as secure as Hashicorp Vault running
| TOKEN_HOUR_LIFESPAN | Number of hours that the JWT token returned at login is valid | 12 | No default specified, must define this value |
| API_SECRET | Secret to use when generating JWT token | 3c55990bd479322e2053db3a8 | No default specified, must define this value |
| INITIAL_PASSWORD | Password to set for builtin Administrator account created when first started, can remove this value after first start. Can specify in plaintext or bcrypt hash | $2a$10$s39a82wrRAdOJVZEkkrSReVnXprz5mxU30ZBO.dHPYTncQCsUD9ce | password
| SECRETS_KEY | Key to use for AES256 GCM encryption. Must be exactly 32 bytes | AES256Key-32Characters1234567890 | No default specified, must define this value |
| SECRETS_KEY | Key to use for AES256 GCM encryption. Must be exactly 32 bytes | AES256Key-32Characters1234567890 | No default specified, must define this value or use /api/unlock at runtime |
If the TLS certificate and key files cannot be located in the specified location, a self signed certificate will be generated with a 1 year validity period.
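Review bot: the new wording on the SECRETS_KEY row ("must define this value or use /api/unlock at runtime") leaves two questions the table should answer: which source wins if SECRETS_KEY is set in .env and /api/unlock is also called, and whether a key supplied through /api/unlock survives a restart or has to be submitted again each time the service starts. Suggest stating both on this row so operators know whether to script the unlock into their restart procedure.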
@@ -51,6 +51,18 @@ WantedBy=multi-user.target
```
## API
### Unlock
POST `/api/unlock`
Data
```
{
"secretKey": "Example32ByteSecretKey0123456789"
}
```
If the SECRETS_KEY environment variable is not defined, this API call to unlock stored secrets must be performed after initial startup of SMT. Storing/retrieval of secrets will not succeed until this API call has been made.
### User Operations
#### Register
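Review bot: the Unlock section documents the request body but not who may call it or what it returns; since this call sets the AES key for every stored secret, the docs should say whether it requires the JWT returned at login (and the Administrator account) or is unauthenticated until unlock has happened, what status codes come back for a key that is not exactly 32 bytes or for a second call once the service is already unlocked, and what error the secrets endpoints return before unlock (the text only says they "will not succeed"). Also worth saying that the key is sent in the request body, so the TLS setup described earlier in the README is what protects it in transit.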