nathan/smt
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases 2 Wiki Activity

test new build
Some checks failed
continuous-integration/drone/push Build is failing
Details

Browse Source
This commit is contained in:
Nathan Coad
2023-12-28 15:30:58 +11:00
parent ca39234f12
commit 6f47262336
5 changed files with 374 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
README.md
View File

@@ -1,12 +1,17 @@
# Secrets Management Tool (SMT)
Build Date: {BUILDTIME}
Build Hash: {SHA1VER}
## Overview
Provide REST API for CRUD to store and retrieve user/password data for logging into devices. Only password is encrypted, via AES256 GCM. Values stored in sqlite database.
Provide REST API for CRUD to store and retrieve secrets. Only password is encrypted, via AES256 GCM. Values stored encrypted within a sqlite database.
Requires JWT token to store/retrieve passwords.
A successful authentication returns a JWT token which must be provided for all other operations.
This isn't super secure, probably not even as secure as Hashicorp Vault running in dev mode.
Multiple user roles are supported, with each user only able to access secrets matching their user role. One exception is the built in administrator role that is able to access all secrets.
Written by Nathan Coad (nathan.coad@dell.com)
## Installation
@@ -18,7 +23,7 @@ This isn't super secure, probably not even as secure as Hashicorp Vault running
## Configuration
|Environment Variable Name| Description | Example | Default |
|--|--|--|--|
| LOG_FILE | Specify the name/path of file to write log messages to | /var/log/ccsecrets.log | ./ccsecrets.log
| LOG_FILE | Specify the name/path of file to write log messages to | /var/log/smt.log | ./smt.log
| BIND_IP | Specify the local IP address to bind to. | 127.0.0.1 | Primary IPv4 address |
| BIND_PORT | Specify the TCP/IP port to bind to. | 443 | 8443 |
| TLS_KEY_FILE | Specify the filename of the TLS certificate private key (must be unencrypted) in PEM format | key.pem | privkey.pem |
@@ -30,6 +35,8 @@ This isn't super secure, probably not even as secure as Hashicorp Vault running
If the TLS certificate and key files cannot be located in the specified location, a self signed certificate will be generated with a 1 year validity period.
Example for generating API_SECRET and SECRETS_KEY is the following command on linux: `head /dev/urandom | tr -dc A-Za-z0-9 | head -c32`
## Systemd script
Create/update the systemd service definition at /etc/systemd/system/smt.service and then run systemctl daemon-reload