roughenough-keys
| Crates.io | roughenough-keys |
| lib.rs | roughenough-keys |
| version | 2.0.0 |
| created_at | 2025-10-24 03:06:25.947219+00 |
| updated_at | 2025-10-24 03:06:25.947219+00 |
| description | Roughenough key material handling with multiple secure storage backends |
| homepage | https://github.com/int08h/roughenough |
| repository | https://github.com/int08h/roughenough |
| max_upload_size | |
| id | 1897929 |
| size | 212,453 |
Stuart Stock (int08h)
documentation
README
Roughtime
Roughenough is an implementation of the IETF Roughtime secure time synchronization protocol. Roughenough provides both server and client components for cryptographically verifiable time synchronization.
Features
- RFC Compliant: Full implementation of the Roughtime RFC specification
- High Performance Server: Performance oriented asynchronous UDP server
- Flexible Client: Command-line client with multiple output formats and server validation
- Malfeasance Reporting: Clients can (optionally) report malfeasance to a remote server for analysis
- Key Management: Multiple backends for secure key and identity protection (KMS, Secret Manager, Linux KRS, SSH agent, PKCS#11)
Quick Start
System Requirements
- MSRV 1.88, Rust 2024 edition
- Linux, MacOS, or other Unix-like operating system
- Optional: cloud provider credentials for backend key storage
Installation
Build all components:
cargo build --release
Build with all optional features:
# Enable all optional features
cargo build --release --all-features
Running the Server
# Debug build
cargo run --bin roughenough_server
# Release build with optimizations
cargo run --release --bin roughenough_server
# Run the server binary directly
target/release/roughenough_server
The server will start listening for UDP requests on the default port (2002).
Running the Client
Basic usage:
# Query a Roughtime server
cargo run --bin roughenough_client -- roughtime.int08h.com 2002
# Verify server public key
cargo run --bin roughenough_client -- roughtime.int08h.com 2002 -k <base64-or-hex-key>
# Multiple requests
cargo run --bin roughenough_client -- roughtime.int08h.com 2002 -n 10
# Verbose output
cargo run --bin roughenough_client -- roughtime.int08h.com 2002 -v
# Different time formats
cargo run --bin roughenough_client -- roughtime.int08h.com 2002 --epoch # Unix timestamp
cargo run --bin roughenough_client -- roughtime.int08h.com 2002 --zulu # ISO 8601 UTC
Query multiple servers from an RFC compliant JSON list:
cargo run --bin roughenough_client -- -l servers.json
Running Tests
# Run all tests
cargo test
# Run tests for specific crate
cargo test -p protocol
# Run integration tests
target/debug/roughenough_integration_test
Project Structure
Roughtime is structured as a Cargo workspace with multiple crates:
- protocol: Core wire format handling, request/response types, data structures
- merkle: Merkle tree implementation with Roughtime-specific tweaks
- server: High-performance UDP server with async I/O and batching
- client: Command-line client for querying Roughtime servers
- common: Shared cryptography and encoding utilities
- keys: Key material handling with multiple secure storage backends
- reporting-server: Web server for collecting malfeasance reports
- integration: End-to-end integration tests
- fuzz: Fuzzing harness
Optional Features
Client Features
- reporting: Enable clients to report malfeasance to a remote server
cargo build -p client --features reporting cargo run --bin roughenough_client -- hostname.com 2002 --report
Keys Crate Features
See doc/PROTECTION.md for detailed information on seed protection strategies.
Runtime Protection (Online Key Backends)
online-linux-krs(default): Store seed in Linux Kernel Keyring for runtime protectiononline-ssh-agentUse SSH agent for seed storage and signing operationsonline-pkcs11PKCS#11 hardware security module integration (Yubikey, HSM, etc)
Long-term Protection (Seed Storage)
longterm-aws-kmsAWS Key Management Service for seed encryptionlongterm-gcp-kmsGoogle Cloud KMS for seed encryptionlongterm-aws-secret-managerAWS Secrets Manager for seed storagelongterm-gcp-secret-managerGoogle Cloud Secret Manager for seed storage
Contributing
Contributions are welcome! Please see CONTRIBUTING.md for guidelines.
Thank you to all past and present contributors:
- Stuart Stock (stuart {at} int08h.com)
- Aaron Hill (aa1ronham {at} gmail.com)
- Peter Todd (pete {at} petertodd.org)
- Muncan90 (github.com/muncan90)
- Zicklag (github.com/zicklag)
- Greg at Unrelenting Tech (github.com/unrelentingtech)
- Eric Swanson (github.com/lachesis)
- Marcus Dansarie (github.com/dansarie)
License
Copyright (c) 2025 the Roughenough Project Contributors.
Roughenough is licensed under either of
- Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
- MIT License (http://opensource.org/licenses/MIT)
at your option.
Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in this project by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.