{"id":22288404,"url":"https://github.com/albertito/kxd","last_synced_at":"2025-08-02T13:05:22.188Z","repository":{"id":19160506,"uuid":"22392144","full_name":"albertito/kxd","owner":"albertito","description":"[mirror] Key exchange daemon","archived":false,"fork":false,"pushed_at":"2024-09-08T18:21:32.000Z","size":107,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"main","last_synced_at":"2024-09-09T11:17:46.530Z","etag":null,"topics":["encryption-key","go-application","key-management","security"],"latest_commit_sha":null,"homepage":"https://blitiri.com.ar/p/kxd","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/albertito.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2014-07-29T19:12:32.000Z","updated_at":"2024-09-08T09:38:33.000Z","dependencies_parsed_at":"2024-09-08T10:59:20.468Z","dependency_job_id":"ba594e16-8ab9-4849-9c45-953edd501285","html_url":"https://github.com/albertito/kxd","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/albertito%2Fkxd","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/albertito%2Fkxd/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/albertito%2Fkxd/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/albertito%2Fkxd/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/albertito","download_url":"https://codeload.github.com/albertito/kxd/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227961828,"owners_count":17847841,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["encryption-key","go-application","key-management","security"],"created_at":"2024-12-03T17:04:38.725Z","updated_at":"2024-12-03T17:04:39.453Z","avatar_url":"https://github.com/albertito.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# Key exchange daemon\n\n[kxd](https://blitiri.com.ar/p/kxd) is a key exchange daemon, and\ncorresponding client, which serves blobs of data (keys) over https.\n\nIt can be used to get keys remotely instead of using local storage.\nThe main use case is to get keys to open dm-crypt devices automatically,\nwithout having to store them on the local machine.\n\n[![Docs](https://img.shields.io/badge/docs-reference-blue.svg)](https://blitiri.com.ar/p/kxd/)\n[![Tests](https://github.com/albertito/kxd/actions/workflows/tests.yaml/badge.svg)](https://github.com/albertito/kxd/actions)\n[![Coverage](https://codecov.io/gh/albertito/kxd/branch/next/graph/badge.svg?token=WMRDGeHOUK)](https://codecov.io/gh/albertito/kxd)\n\n\n## Quick start\n\nPlease see the [quick start](https://blitiri.com.ar/p/kxd/docs/quick_start)\ndocument for a step by step guide of a typical server and client setups.\n\n\n## Server configuration\n\nThe server configuration is stored in a root directory (`/etc/kxd/data`), and\nwithin there, with per-key directories (e.g. `/etc/kxd/data/host1/key1`), each\ncontaining the following files:\n\n- `key`: Contains the key to give to the client.\n- `allowed_clients`: Contains one or more PEM-encoded client certificates\n  that will be allowed to request the key.  If not present, then no clients\n  will be allowed to access this key.\n- `allowed_hosts`: Contains one or more host names (one per line).  If not\n  present, then all hosts will be allowed to access that key (as long as they\n  are authorized with a valid client certificate).\n- `email_to`: Contains one or more email destinations to notify (one per\n  line).  If not present, then no notifications will be sent upon key\n  accesses.\n\n\n## Client configuration\n\nThe basic command line client (*kxc*) will take the client key and\ncertificate, the expected server certificate, and a URL to the server (like\n`kxd://server/host1/key1`), and it will print on standard output the returned\nkey (the contents of the corresponding key file).\n\nThere are scripts to tie this with cryptsetup's infrastructure to make the\nopening of encrypted devices automatic; see `cryptsetup/` for the details.\n\n\n## Security\n\nAll traffic between the server and the clients goes over SSL, using the\nprovided server certificate.\n\nThe clients are authenticated and authorized based on their SSL client\ncertificates matching the ones associated with the key in the server\nconfiguration, not using a root of trust (for now).\n\nLikewise, the clients will authenticate the server based on a certificate\ngiven on the command line, and will only accept keys from it.\n\nNote the server will return reasonably detailed information on errors, for\nexample it will tell when a key is not found vs. when the client is not\nallowed. While this leaks some information about existence of keys, it makes\ntroubleshooting much easier.\n\nThe server itself makes no effort to protect the data internally; for example,\nthere is no on-disk encryption, and memory is not locked. We work under the\nassumption that the server's host is secure and trusted.\n\n\n## Dependencies\n\nThere are no runtime dependencies for the kxd and kxc binaries.\n\nBuilding requires Go 1.21.\n\nThe configuration helper scripts (`create-kxd-config`, `kxc-add-key`, etc.)\ndepend on: `bash` and core utilities (`mkdir`, `dd`, etc.).\n\nTesting needs Python 3.\n\n\n## Bugs and contact\n\nPlease report bugs to albertito@blitiri.com.ar.\n\nThe latest version can be found at\n[https://blitiri.com.ar/p/kxd/](https://blitiri.com.ar/p/kxd/)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falbertito%2Fkxd","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falbertito%2Fkxd","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falbertito%2Fkxd/lists"}