KMS的几个开源实现汇总
搜索關鍵詞
open source key management server
“key management server”
ranger kms
rotate keys decrypting
KMIP
集中密鑰工作流程
Centralized Encryption Key Management Server (KMS) | Townsend Security
?
Keywhiz
Keywhiz
Gitee 極速下載/keywhiz - Gitee.com
Keywhiz makes managing secrets easier and more secure. Keywhiz servers in a cluster centrally store?secrets encrypted?in a database. Clients use mutually authenticated TLS (mTLS) to retrieve secrets they have access to. Authenticated users administer Keywhiz via CLI. To enable workflows, Keywhiz has automation APIs over mTLS.
Keywhiz?是管理和分配隱私信息的系統,適用于面向服務的架構(SOA)。
每個組織的服務或者系統都要求有密碼或者其他的隱私信息:
TLS?認證或者密鑰
GPG?密鑰
API tokens
數據庫證書
通常是把隱私信息放到配置文件,代碼的后面,還有就是復制文件放到服務器以外的地方。前者容易泄漏,后者很難追蹤。
Keywhiz?提供了一個簡單而又安全的方式來管理這些隱私信息。Keywhiz?服務器在集中的集群中存儲這些信息,數據庫加密后存儲。客戶端使用TLS(mTLS)?來訪問那些信息。認證用戶通過?CLI?或者?web app UI?管理Keywhiz。為了使用工作流,Keywhiz?基于?mTLS自動化?APIs,支持簡單的隱私信息生成插件。
?
Vault
Vault Tutorials - HashiCorp Learn
HashiCorp Vault作為集中化的私密信息管理工具,具有以下特點:
存儲私密信息。?不僅可以存放現有的私密信息,還可以動態生成用于管理第三方資源的私密信息。所有存放的數據都是加密的,任何動態生成的私密信息都有租期,并且到期會自動回收。
滾動更新密鑰。用戶可以隨時更新存放的私密信息。Vault提供了加密即服務(encryption-as-a-service)的功能,可以隨時將密鑰滾動到新的密鑰版本,同時保留對使用過去密鑰版本加密的值進行解密的能力。 對于動態生成的秘密,可配置的最大租賃壽命確保密鑰滾動易于實施。
審計日志。?保管庫存儲所有經過身份驗證的客戶端交互的詳細審核日志:身份驗證,令牌創建,私密信息訪問,私密信息撤銷等。?可以將審核日志發送到多個后端以確保冗余副本。
另外,HaishiCorp Vault提供了多種方式來管理私密信息。用戶可以通過命令行、HTTP API等集成到應用中來獲取私密信息。
作者:ThoughtWorks
鏈接:https://www.jianshu.com/p/f34bf6ee3ac3
來源:簡書
著作權歸作者所有。商業轉載請聯系作者獲得授權,非商業轉載請注明出處。
Hashicorp vault 簡明配置教程 - 知乎 Hashicorp vault 簡明配置教程
【數據安全】采用HashiCorp Vault :第零天 | 首席架構師
KLMS??KMIP
KLMS over KMIP is good and easy to use solution for key management. This is an open source solution written in Java. See the below link for reference.?IBM Developer
The package named stubInterface will contains all the api required to use KLMS over KMIP.
KLMS: Key Lifecycle Management Systems
KMIP: Key Management Interoperability Protocol
?
PyKMIP
https://github.com/OpenKMIP?開源實現
PyKMIP is a Python implementation of the Key Management Interoperability Protocol (KMIP), an?OASIS?communication standard for the management of objects stored and maintained by key management systems. KMIP defines how key management operations and operation data should be encoded and communicated between client and server applications. Supported operations include the full?CRUD?key management lifecycle, including operations for managing object metadata and for conducting cryptographic operations. Supported object types include:
symmetric/asymmetric encryption keys
passwords/passphrases
certificates
opaque data blobs, and more
Docker Hub
客戶端的幾個命令例子
???.. py:method:: create(algorithm, length, operation_policy_name=None, name=None, cryptographic_usage_mask=None)
????????Create a symmetric key on a KMIP appliance.
????.. py:method:: create_key_pair(algorithm, length, operation_policy_name=None, public_name=None, public_usage_mask=None, private_name=None, private_usage_mask=None)
????????Create an asymmetric key pair on a KMIP appliance.
????.. py:method:: decrypt(data, uid=None, cryptographic_parameters=None, iv_counter_nonce=None)
????????Decrypt data using the specified decryption key and parameters.
????.. py:method:: delete_attribute(unique_identifier=None, **kwargs)
????????Delete an attribute from a managed object.
????.. py:method:: encrypt(data, uid=None, cryptographic_parameters=None, iv_counter_nonce=None)
????????Encrypt data using the specified encryption key and parameters.
????.. py:method:: get(uid=None, key_wrapping_specification=None)
????????Get a managed object from a KMIP appliance.
????.. py:method:: get_attributes(uid=None, attribute_names=None)
????????Get the attributes associated with a managed object.
keytransparency
docs/design.md · mirrors_google/keytransparency - Gitee.com
?
Scenarios
Key Transparency ensures, with mathematical certainty, that account owners can see all the public keys that have been used to authenticate their account or send them messages.
This assured-system architecture is useful in a variety of scenarios from end-to-end encryption to enterprise account management. Any scenario that involves authenticating users with public keys (eg.?U2F) can significantly benefit from Key Transparency.
| Scenario | Description |
| Encrypted Messaging | Key Transparency is ideal for user friendly end-to-end encrypted messaging. By making key management analogous to device management, users do not have to learn any new concepts, and no additional UI beyond device management is needed. Key management fits seamlessly into existing account life-cycle flows, and users are protected without requiring them to take additional actions. |
| Encrypted Storage | Key Transparency can also be used to?securely rotate the keys?used for encrypted storage systems such as?upspin.io |
| PGP Encrypted Email | Key Transparency was initially built to solve the problem of public key lookup for PGP email encryption. KT has the potential to make PGP significantly more usable than the existing web-of-trust model. |
| Insider Risk | Key Transparency removes the ability of privileged users to modify other user accounts without detection. This protects the privileged user from manipulation and ensures system safety even if the privileged user's account is compromised. |
| Post Compromise Security Audit | By relying on mathematics, Key Transparency significantly reduces the trusted computing base (TCB) of an authentication system. This makes reasoning about the security properties of an enterprise under attack much easier. The system administrator can have certainty that the authentication records for all accounts are intact, and that users will be able to quickly correct any account compromise. |
| Cloud Adoption | By employing a zero-trust architecture, Key Transparency provides?efficient evidence?to relying parties that the authentication system is operating correctly on an ongoing basis. This can increase cloud product adoption by removing one system from the list of systems that are difficult for customers to audit and control. |
使用場景例子upspin.io
Upspin architecture · Upspin
To illustrate the relationship between these components, here is the sequence of requests a client exchanges with the servers to read the file?augie@upspin.io/Images/Augie/large.jpg:
?
The client asks the key server for the record describing the owner of the file, which is the user name at the beginning of the file name (augie@upspin.io). The key server’s response contains the name of the directory server holding that user’s tree (dir.upspin.io) and Augie’s?public key.
The client asks the directory server for the directory entry describing the file. The response contains a list of block references, which include the name of the store server (store.upspin.io).
The client can then ask the store server for each of the blocks, pipelining the requests for efficiency.
The client decrypts the blocks (using Augie’s public key) and concatenates them to assemble the file.
Upspin Security · Upspin
As far as Upspin is concerned, a user is an email address, authenticated by an elliptic curve key pair used for signing and encrypting. We anticipate that the user will rotate keys over time, but we also assume that they will retain all old key pairs for use in decrypting old content, and will accept losing that access to that content if they lose all copies of their keys.
密鑰輪換
| upspin cmd operation | public,secret.upspinkey | secret2.upspinkey | keyserver | signatures | wraps |
| initial key | k1 | - | k1 | k1, - | k1 |
| new key | k2 | k1 | k1 | k1, - | k1 |
| countersign | k2 | k1 | k1 | k2, k1 | k1 |
| rotate | k2 | k1 | k2 | k2, k1 | k1 |
| share -fix | k2 | k1 | k2 | k2, k1 | k2 |
K8S的kms
使用 KMS 驅動進行數據加密 | Kubernetes
KMS?加密驅動使用封套加密模型來加密?etcd?中的數據。 數據使用數據加密密鑰(DEK)加密;每次加密都生成一個新的?DEK。 這些?DEK?經一個密鑰加密密鑰(KEK)加密后在一個遠端的?KMS?中存儲和管理。KMS?驅動使用?gRPC?與一個特定的?KMS?插件通信。這個?KMS?插件作為一個?gRPC?服務器被部署在Kubernetes?主服務器的同一個主機上,負責與遠端?KMS?的通信。
Hadoop KMS / Ranger KMS
https://www.ibm.com/support/knowledgecenter/en/SSPT3X_4.2.5/com.ibm.swg.im.infosphere.biginsights.admin.doc/doc/admin_migrate_kms.html#:~:text=The%20main%20difference%20between%20Hadoop%20KMS%20and%20Ranger,KMS%20is%20provided%20through%20the%20Ranger%20admin%20portal.
Ranger KMS is based on Hadoop KMS developed by the Apache community. The main difference between Hadoop KMS and Ranger KMS is that the Hadoop KMS stores keys in a file-based Java keystore where as Ranger allows you to store keys in a secure database. The centralized administration of the Ranger KMS is provided through the Ranger admin portal.
There are three main functions within the Ranger KMS: Key management, Access control policies for key management, and audit. To know how to set up and configure Ranger KMS, visit our knowledge center.
ranger權限管理、rang kms 秘鑰管理、kerberos認證服務整合應用(ambari 平臺上安裝)... - 程序員大本營
Ranger KMS加密HDFS的配置和權限設置
總結
以上是生活随笔為你收集整理的KMS的几个开源实现汇总的全部內容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: Java并发编程实战~Actor 模型
- 下一篇: Arthas-MathGame