minivault
This is a miniature, stripped-down, local version of HashiCorp Vault's Encryption as a Service.
Once unlocked by a trusted user, permitted users on the system can query a UNIX socket to encrypt or decrypt data.
This allows data to be encrypted at rest as long as you pass all of your data through minivault. Unless someone goes through the socket, they can't read the data.
If the system reboots and no one unlocks minivault, the data is not recoverable.
Since minivault uses UNIX sockets, local usage permissions can be managed with chown/chmod.
How it works
Minivault encrypts and decrypts data sent to it through a UNIX socket using an AES-256-GCM master key. This key is stored, encrypted by an AES-256-GCM password-based key, in a "vault" file, which is really just a YAML file. Multiple users can be defined which can "unlock" the vault, loading the master key into memory. Each user has an entry in the vault file that contains their own copy of the encrypted master key, which is encrypted with their password as an Argon2-derived key. If the vault is "locked", then data cannot be encrypted or decrypted as the key is not yet loaded.
Known TODOs / Pitfalls
- The master key is only as safe as the weakest user password.
- Master key rotation has yet to be implemented.
- Any user who has write access to the vault file can remove users.
- Any user with write access to the vault file can add output from another vault file under a new user, lock minivault, and then unlock it with their new user. Any data that passes through will then be encrypted with a completely different key, or old data will fail to decrypt, resulting in DoS.
The last two can be remediated by properly setting restrictive permissions on the vault YAML file.
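One way to check the vault file permissions described above, as an added example that is not part of minivault; the function names and the path you pass in are assumptions. It goes one step further than the text and also inspects the parent directory, because a user who can write to the directory can replace the file.

```shell
#!/bin/sh
# Added example (not minivault code): audit who can modify the vault file.
# The vault path is supplied by the caller; nothing here is a minivault default.

# Print "group " and/or "other " if that class has write permission on $1.
# Parses the ls mode string so it behaves the same on Linux and macOS.
writable_by() {
    mode=$(ls -ld -- "$1" | cut -c1-10) || return 2
    # Mode string layout: type, owner rwx, group rwx, other rwx.
    case "$mode" in ?????w????) printf 'group ' ;; esac
    case "$mode" in ????????w?) printf 'other ' ;; esac
}

# Return 0 when only the owner can change or replace the vault file,
# 1 when the file or its directory is group/other-writable, 2 if it is missing.
audit_vault() {
    vault=$1
    [ -f "$vault" ] || { echo "missing: $vault" >&2; return 2; }
    dir=$(dirname -- "$vault")
    status=0
    # Directory write access is enough to swap in a different vault file,
    # so it is checked alongside the file itself.
    for path in "$vault" "$dir"; do
        who=$(writable_by "$path")
        if [ -n "$who" ]; then
            echo "FAIL: $path is writable by: $who" >&2
            status=1
        fi
    done
    return "$status"
}

# Stand-alone use: sh audit.sh /path/to/vault.yml
if [ "$#" -gt 0 ]; then
    audit_vault "$1"
fi
```

A failing result is fixed with chmod on the reported path, for example removing group and other write bits from the file and its directory.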
Windows support
Minivault works on both Linux and macOS systems. However, Windows support does not currently exist in the command line version of minivault as it relies on UNIX sockets.
Setup
You will need to create a vault with at least one user in it with:
Usage
To run minivault, point to your desired socket location and an existing vault:
You must first unlock minivault with a valid user before it can start decrypting and encrypting data:
Encrypting data
minivault accepts base64 encoded data to encrypt. For instance, here we will encrypt the base64'd version of the string 'test' and return a vault string:
You can also use an HTTP client, such as curl:
Decrypting data
Take the encrypted vault string you received from minivault and then pass it back with:
Again, you can use an HTTP client, such as curl, to decrypt:
Example clients
A few example clients in other programming languages have been provided in the example-clients/ folder.
Other functionality
You can also add users, change user passwords, and lock the vault using other included subcommands which you can see with:
As a library
Minivault exposes the vault, server, and client crates. Pull any of them in with:
use vault;
use server;
use client;
// Or
use *;
See docs.rs for more information on using minivault as a crate in your project.
Development
Feel free to contribute to minivault's development via PR!
Building
For a development version, run:
For a release version, do:
# this takes longer to compile, but has much better performance when running
Testing
Run all tests with:
Benchmarking
Benchmarks for encryption and decryption using criterion are provided. Run them with:
Below are the benchmarks for encrypt and decrypt operations from a MacBook Pro (2019) with the following specs:
- CPU: Intel(R) Core(TM) i9-9980HK CPU @ 2.40GHz
- Memory: 32 GB 2667 MHz DDR4
- GPU: Intel UHD Graphics 630 1536 MB
Profiling
A small script is provided at profile.sh, which uses cargo-flamegraph to generate a flamegraph of a running minivault instance.