nodedb 0.3.0-beta.1

Local-first, real-time, edge-to-cloud hybrid database for multi-modal workloads
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111

// SPDX-License-Identifier: BUSL-1.1

//! `KeyDerivation` config enum and its mapping to a concrete `KeyProvider`.

use std::path::PathBuf;

use super::aws_kms::AwsKmsProvider;
use super::file::FileKeyProvider;
use super::provider::KeyProvider;
use super::vault::VaultKeyProvider;
use crate::Result;

/// How the server obtains its 32-byte AES-256 encryption key.
///
/// All variants implement `KeyProvider` and load the plaintext key into
/// mlocked memory via `nodedb_wal::secure_mem`. No variant returns a stub.
#[derive(Debug, Clone, serde::Serialize, serde::Deserialize)]
#[serde(tag = "type", rename_all = "snake_case")]
pub enum KeyDerivation {
    /// Load a raw 32-byte key from a local file.
    ///
    /// The file must contain exactly 32 bytes. This is the simplest mode,
    /// suitable for development or environments with an external secret manager
    /// that delivers the key file.
    File {
        /// Path to the 32-byte key file.
        key_path: PathBuf,
    },

    /// Unwrap the encryption key via HashiCorp Vault transit engine.
    ///
    /// ## Chosen flow
    ///
    /// On first init the operator calls `vault write transit/datakey/plaintext/<key_name>`
    /// and stores the returned `ciphertext` blob in `<data_dir>/.wal-key.wrapped`.
    ///
    /// At startup NodeDB reads the wrapped blob from disk, sends it to
    /// `POST {addr}/v1/{mount}/decrypt/{key_name}` with the Vault token,
    /// and extracts the `plaintext` field (base64 of 32 bytes) as the DEK.
    ///
    /// Key rotation: call `POST {addr}/v1/{mount}/rewrap/{key_name}` with
    /// the old ciphertext blob and write the new ciphertext to `.wal-key.wrapped`.
    Vault {
        /// Vault server address, e.g. `https://vault.example.com:8200`.
        addr: String,
        /// Path to a file containing the Vault token.
        token_path: PathBuf,
        /// Name of the transit key in Vault.
        key_name: String,
        /// Mount path of the transit engine, e.g. `transit`.
        mount: String,
        /// Path to the wrapped DEK ciphertext blob stored on disk.
        /// Default: `<data_dir>/.wal-key.wrapped`
        ciphertext_blob_path: PathBuf,
    },

    /// Unwrap the encryption key via AWS KMS.
    ///
    /// ## Chosen flow
    ///
    /// On first init the operator encrypts the plaintext DEK with
    /// `aws kms encrypt --key-id <key_id> --plaintext fileb://<32-byte-file>`
    /// and stores the ciphertext blob at `ciphertext_blob_path`.
    ///
    /// At startup NodeDB reads the ciphertext blob, calls KMS `Decrypt`,
    /// and holds the plaintext 32-byte key in mlocked memory.
    ///
    /// Key rotation: generate a new random DEK, call KMS `Encrypt`, write
    /// the new ciphertext blob, then call `rotate()` on the provider to
    /// get the new key.
    AwsKms {
        /// AWS KMS key ID or ARN.
        key_id: String,
        /// AWS region, e.g. `us-east-1`.
        region: String,
        /// Path to the KMS-encrypted DEK ciphertext blob.
        ciphertext_blob_path: PathBuf,
    },
}

impl KeyDerivation {
    /// Build a boxed `KeyProvider` for this derivation config.
    ///
    /// This is called once at startup. The returned provider's `unwrap_key()`
    /// is then called to obtain the 32-byte plaintext key.
    pub async fn into_provider(self) -> Result<Box<dyn KeyProvider + Send + Sync>> {
        match self {
            KeyDerivation::File { key_path } => Ok(Box::new(FileKeyProvider { key_path })),
            KeyDerivation::Vault {
                addr,
                token_path,
                key_name,
                mount,
                ciphertext_blob_path,
            } => Ok(Box::new(VaultKeyProvider::new(
                addr,
                token_path,
                key_name,
                mount,
                ciphertext_blob_path,
            ))),
            KeyDerivation::AwsKms {
                key_id,
                region,
                ciphertext_blob_path,
            } => Ok(Box::new(
                AwsKmsProvider::new(key_id, region, ciphertext_blob_path).await?,
            )),
        }
    }
}