Crates.io | streambed-confidant |
lib.rs | streambed-confidant |
version | 0.12.0 |
source | src |
created_at | 2023-10-18 04:07:49.652011 |
updated_at | 2024-11-27 08:01:59.155903 |
description | Confidant is a small library that implements a file-system-based secret store |
homepage | |
repository | https://github.com/streambed/streambed-rs.git |
max_upload_size | |
id | 1006355 |
size | 61,559 |
Confidant is a small library that implements a file-system-based secret store function for autonomous systems that often live at the edge of a wider network.
Confidant implements the Streambed secret store API and stored secrets are encrypted.
Nothing beats code for a quick introduction! Here is an example of writing a secret and retrieving it. Please refer to the various tests for more complete examples.
```rust
// The imports and the `main` wrapper below are added so the README snippet compiles
// on its own; the crate paths (streambed::crypto, streambed::secret_store) follow
// the streambed-rs layout and are an assumption.
use std::{collections::HashMap, os::unix::fs::PermissionsExt, time::Duration};
use streambed::{crypto, secret_store::{SecretData, SecretStore}};
use streambed_confidant::FileSecretStore;
use tokio::fs;

#[tokio::main]
async fn main() {
    // Directory is an assumption for the example; any path the process owns will do.
    let confidant_dir = std::env::temp_dir().join("confidant");
    fs::create_dir_all(&confidant_dir).await.unwrap();
    // Let's set up the correct permissions for where all secrets will live
    fs::set_permissions(&confidant_dir, PermissionsExt::from_mode(0o700))
        .await
        .unwrap();
    let ss = FileSecretStore::new(
        confidant_dir.clone(),
        &[0; crypto::KEY_SIZE], // A key to encrypt the stored secrets with (all-zero placeholder here)
        Duration::from_secs(1), // Timeout for unauthorized secrets before we try again
        10,                     // The number of secrets we cache
        None,                   // A data field to be used to indicate a TTL - if any
    );
    let mut data = HashMap::new();
    data.insert("key".to_string(), "value".to_string());
    let data = SecretData { data };
    // Write the secret out.
    assert!(ss.create_secret("some.secret", data.clone()).await.is_ok());
    // Read the secret
    assert!(ss.get_secret("some.secret").await.unwrap().is_some());
}
```
The primary functional use-cases of confidant are:
The primary operational use-cases of confidant are:
Confidant has no notion of what a network is and relies on the file system along with operating system permissions
...over and above what the operating system provides.
Confidant is modelled on the same concepts as HashiCorp Vault. Services using Confidant may therefore lend themselves to portability toward Vault.
Confidant is implemented as a library, avoiding the need for a server process. Please note that we had no requirement to serve Windows and wanted to leverage Unix file permissions explicitly. When a secret is written, it is written with the same mode as the directory given to Confidant when instantiated. This ensures that the same permissions, including ACLs, are passed to each secret file.
The file system is used to store secrets, and the host operating system's permissions, including users, groups and ACLs, are leveraged. Tokio is used for file read/write operations so that any stalled operation permits other tasks to continue running. Postcard is used for serialization as it conveniently represents in-memory structures and is optimized for resource-constrained targets.
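Because every secret file inherits the mode of the store directory, an operator's main check is that nothing in that directory is accessible to group or others. The following std-only audit is an added example, not code from the streambed-confidant crate; the `./confidant` default path is an assumption and should be the directory handed to `FileSecretStore::new`.

```rust
// Added example (not part of streambed-confidant): audit a Confidant secret
// directory and report every entry whose Unix mode grants any access to
// group or others. Confidant writes each secret with the directory's mode,
// so a 0o700 store should yield an empty report; anything else means the
// directory mode was wrong at creation time or permissions have drifted.
use std::fs;
use std::io;
use std::os::unix::fs::PermissionsExt;
use std::path::{Path, PathBuf};

/// Mask of the group and other permission bits (rwx for each).
const GROUP_OTHER_BITS: u32 = 0o077;

/// Recursively walk `dir` and return the paths (including `dir` itself) whose
/// mode has any group/other bit set. Symlinks are not followed, so a link
/// pointing outside the store cannot make the audit inspect foreign files.
pub fn find_overly_permissive(dir: &Path) -> io::Result<Vec<PathBuf>> {
    let mut offenders = Vec::new();
    let mut stack = vec![dir.to_path_buf()];
    while let Some(path) = stack.pop() {
        let meta = fs::symlink_metadata(&path)?;
        let mode = meta.permissions().mode();
        if mode & GROUP_OTHER_BITS != 0 {
            offenders.push(path.clone());
        }
        if meta.is_dir() {
            for entry in fs::read_dir(&path)? {
                stack.push(entry?.path());
            }
        }
    }
    offenders.sort();
    Ok(offenders)
}

fn main() -> io::Result<()> {
    // The path is an assumption: pass the Confidant directory as the first argument.
    let store = PathBuf::from(std::env::args().nth(1).unwrap_or_else(|| "./confidant".into()));
    for p in find_overly_permissive(&store)? {
        println!("group/other access: {}", p.display());
    }
    Ok(())
}
```

An empty report is the expected state for a store created with mode 0o700; any listed path should be investigated before the store is trusted again.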
A TTL cache is maintained so that IO is minimized for those secrets that are often retrieved.
When you have HashiCorp Vault.