Crate libknox
Knox
Knox is a secret vault (aka password manager) encrypted with GPG keys. Libknox allows you to manipulate vaults at a low level.
Architecture
A vault consists of a _vault.meta file at its root, containing the GPG identities used to encrypt the data as well as an index mapping virtual secret paths to filesystem files. All filesystem paths in the vault are relative to this metadata file.
When a secret is created with a virtual path such as one/two/three, a random UUID is generated, for instance 2aef7bc6-856c-492d-aaee-07e0f2579812, and the secret's attributes are stored in a file named 2a/2aef7bc6-856c-492d-aaee-07e0f2579812, that is, under a directory named after the first two characters of the UUID.
The mapping between virtual paths and filesystem paths is kept in the metadata file and allows data to be retrieved through familiar, user-defined paths. The metadata file is therefore essential to using the vault and should be backed up along with the data: without it, the secret files could still be decrypted and read manually, but you would lose the ability to refer to them by virtual path.
Because the filesystem paths are random, and both the secret files and the metadata file are encrypted to your GPG public key, the filesystem layout reveals nothing about what is stored inside the secrets. What remains observable is only what any file store exposes: how many secret files exist, their sizes and their modification times.
All files are marshalled with Protocol Buffers and encrypted through gpg-agent, producing armored ciphertext.
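The layout above is simple enough to audit by hand, and a practitioner who backs up a vault will want to know that the index and the files on disk still agree. The following Rust program is an added example and not part of libknox; it uses only the standard library. It reconstructs the UUID-sharded path of a secret, then cross-checks an index (virtual path to relative file path) against the shard directories under the vault root, reporting index entries whose file is missing and files that no index entry references. It assumes the index has already been obtained from the decrypted, protobuf-decoded _vault.meta (that step is not shown); the `demo` function instead builds a constructed layout in a temporary directory with placeholder files, and every UUID other than the one quoted in the description above is made up.

```rust
use std::collections::{BTreeMap, BTreeSet};
use std::fs;
use std::path::{Path, PathBuf};

/// Relative filesystem path of a secret with the given UUID: the first two
/// characters of the UUID name a shard directory, matching the
/// `2a/2aef7bc6-...` example in the architecture description. Everything is
/// relative to the directory holding `_vault.meta`.
pub fn secret_path(uuid: &str) -> PathBuf {
    Path::new(&uuid[..2]).join(uuid)
}

/// Result of comparing an index against the files actually on disk.
#[derive(Debug, Default, PartialEq)]
pub struct IndexCheck {
    /// Virtual paths whose backing secret file is missing (unreadable entries).
    pub missing: Vec<String>,
    /// Secret files on disk that no index entry refers to (unreachable by path).
    pub orphans: Vec<PathBuf>,
}

/// Cross-check an already decoded index (virtual path -> relative file path)
/// against the shard directories under `root`. Decrypting and decoding the
/// real `_vault.meta` is assumed to have happened elsewhere.
pub fn check_index(root: &Path, index: &BTreeMap<String, String>) -> std::io::Result<IndexCheck> {
    let mut report = IndexCheck::default();
    let mut indexed = BTreeSet::new();

    for (virtual_path, rel) in index {
        let rel = PathBuf::from(rel);
        if !root.join(&rel).is_file() {
            report.missing.push(virtual_path.clone());
        }
        indexed.insert(rel);
    }

    // Only two-hex-character shard directories belong to the layout; this
    // skips `_vault.meta` itself and unrelated entries such as a `.git` directory.
    for entry in fs::read_dir(root)? {
        let entry = entry?;
        let name = entry.file_name().to_string_lossy().into_owned();
        let is_shard = name.len() == 2 && name.chars().all(|c| c.is_ascii_hexdigit());
        if !entry.file_type()?.is_dir() || !is_shard {
            continue;
        }
        for file in fs::read_dir(entry.path())? {
            let rel = file?.path().strip_prefix(root).unwrap().to_path_buf();
            if !indexed.contains(&rel) {
                report.orphans.push(rel);
            }
        }
    }
    report.orphans.sort();
    Ok(report)
}

/// Build a constructed vault layout in a temporary directory and check it.
/// The files are placeholders standing in for Knox's armored ciphertext, and
/// only the first UUID is taken from the description above; the others are made up.
pub fn demo() -> std::io::Result<IndexCheck> {
    let root = std::env::temp_dir().join(format!("knox-layout-check-{}", std::process::id()));
    let _ = fs::remove_dir_all(&root);
    fs::create_dir_all(&root)?;
    fs::write(root.join("_vault.meta"), b"placeholder for the encrypted metadata")?;

    let present = "2aef7bc6-856c-492d-aaee-07e0f2579812"; // indexed and on disk
    let missing = "7b1d0c42-1f3e-4a6b-9c8d-0e1f2a3b4c5d"; // indexed, file lost
    let orphan = "c3d4e5f6-7a8b-4c9d-8e1f-2a3b4c5d6e7f"; // on disk, not indexed

    for uuid in [present, orphan] {
        let file = root.join(secret_path(uuid));
        fs::create_dir_all(file.parent().unwrap())?;
        fs::write(&file, b"placeholder for an armored PGP message")?;
    }

    let mut index = BTreeMap::new();
    index.insert("personal/website.com".to_string(), secret_path(present).to_string_lossy().into_owned());
    index.insert("work/vpn".to_string(), secret_path(missing).to_string_lossy().into_owned());

    let report = check_index(&root, &index);
    let _ = fs::remove_dir_all(&root);
    report
}

fn main() -> std::io::Result<()> {
    let report = demo()?;
    println!("index entries with a missing file: {:?}", report.missing);
    println!("files not referenced by the index: {:?}", report.orphans);
    Ok(())
}
```

Run it as a scratch binary (`cargo run` or `rustc`); against a real vault you would replace `demo` with code that decrypts _vault.meta through gpg-agent, decodes the protobuf index and calls `check_index` on the vault root. An entry in `missing` means a virtual path that can no longer be read; an entry in `orphans` means ciphertext that can still be decrypted by hand but is no longer reachable by virtual path, exactly the failure mode the metadata backup advice above is meant to prevent.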
Example
The example below shows how to use the libknox API to create and manipulate a vault. It assumes that /tmp/knox-example is empty and that your GPG agent has keys for the vault-test@apognu.github.com identity.
It can be run with cargo run --example simple.
```rust
use libknox::{Entry, VaultContext};

fn main() {
    // Create a new vault encrypted to the given GPG identity
    let id = vec!["vault-test@apognu.github.com".to_string()];
    let mut vault = VaultContext::create("/tmp/knox-example", &id).expect("could not create vault");

    // Create a new entry with three attributes, two of them confidential
    let mut entry = Entry::new();
    entry.add_attribute("username", "bob");
    entry.add_confidential_attribute("password", "foobar");
    entry.add_confidential_attribute(
        "apikey",
        "3OJL07P+W5zODH2J1Wv7rXh5i9UpR0mpvPW7ygIMih82J8P95krJZXyERqbi/XS",
    );

    // Write the entry and the metadata pointing to it
    vault
        .write_entry("personal/website.com", &entry)
        .expect("could not write entry");

    // Open the previously created vault and read the written entry back
    let vault = VaultContext::open("/tmp/knox-example").expect("could not open vault");
    let entry = vault.read_entry("personal/website.com").expect("could not read entry");

    // Loop over the attributes and print them
    for (key, attribute) in entry.get_attributes() {
        if attribute.confidential {
            println!("{} = {} (CONFIDENTIAL)", key, attribute.value);
        } else {
            println!("{} = {}", key, attribute.value);
        }
    }
}
```
Modules
attribute | Abstract over Attribute values
context | Handle around a Vault instance.
entry | Manipulate Entries and their Attributes.
git |
totp |
Structs
Attribute |
Entry |
TotpConfig |
Vault | Generated files are compatible only with the same version of protobuf runtime.
VaultContext | Handle around a Vault instance.
VaultError | All errors returned by Knox.
Enums
AttributeValue | An Attribute's different kinds of value.
TotpConfig_Hash |
Traits
Packing | Trait for message serialization
Functions
file_descriptor_proto |