nathan/smt
1
0
Fork 0
Code Issues 4 Pull Requests Packages Projects Releases 2 Wiki Activity

updates

Browse Source
This commit is contained in:
Nathan Coad
2023-04-03 10:11:56 +10:00
parent 1acf4c48d7
commit 75468ee8f3
4 changed files with 79 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
README.md
View File

@@ -1,7 +1,35 @@
# CC Secrets
## Overview
Design concepts at https://wiki.coadcorp.com/doc/secrets-management-idea-VGJMey7Wnd
Provide REST API for CRUD to store and retrieve user/password data for logging into devices. Only password is encrypted, via AES256 GCM. Values stored in sqlite database.
Provide REST API for CRUD to store and retrieve user/password data for logging into devices. Only password is encrypted, via AES256 GCM. Values stored in sqlite database.
Requires JWT token to store/retrieve passwords.
This isn't super secure, probably not even as secure as Hashicorp Vault running in dev mode.
This isn't super secure, probably not even as secure as Hashicorp Vault running in dev mode.
## Installation
1. Copy binary to chosen location, eg /srv/ccsecrets
2. Create .env file in same directory as binary, populate as per Configuration section below
3. Create systemd service definition
4. Start service
## Configuration
|Environment Variable Name| Description | Example | Default |
|--|--|--|--|
| LOG_FILE | Specify the name/path of file to write log messages to | /var/log/ccsecrets.log | ./ccsecrets.log
| BIND_IP | Specify the local IP address to bind to. | 127.0.0.1 | Primary IPv4 address |
| BIND_PORT | Specify the TCP/IP port to bind to. | 443 | 8443 |
| TLS_KEY_FILE | Specify the filename of the TLS certificate private key (must be unencrypted) in PEM format | key.pem | privkey.pem |
| TLS_CERT_FILE | Specify the filename of the TLS certificate file in PEM format | cert.pem | cert.pem |
| TOKEN_HOUR_LIFESPAN | Number of hours that the JWT token returned at login is valid | 12 | No default specified, must define this value |
| API_SECRET | Secret to use when generating JWT token | 3c55990bd479322e2053db3a8 | No default specified, must define this value |
| INITIAL_PASSWORD | Password to set for builtin Administrator account created when first started, can remove this value after first start. Can specify in plaintext or bcrypt hash | $2a$10$s39a82wrRAdOJVZEkkrSReVnXprz5mxU30ZBO.dHPYTncQCsUD9ce | password
| SECRETS_KEY | Key to use for AES256 GCM encryption. Must be exactly 32 bytes | AES256Key-32Characters1234567890 | No default specified, must define this value |
## Systemd script
## API