{"id":20433860,"url":"https://github.com/flashbots/vault-auth-plugin-attest","last_synced_at":"2026-04-19T02:33:56.940Z","repository":{"id":258725508,"uuid":"874485189","full_name":"flashbots/vault-auth-plugin-attest","owner":"flashbots","description":"Vault plugin for attested authentication (TDX or TPM2)","archived":false,"fork":false,"pushed_at":"2024-10-23T16:23:22.000Z","size":205,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":13,"default_branch":"main","last_synced_at":"2025-11-15T00:05:42.001Z","etag":null,"topics":["attestation","tdx","tpm2","vault-plugin"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/flashbots.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-17T23:11:09.000Z","updated_at":"2025-01-26T14:30:33.000Z","dependencies_parsed_at":"2024-11-15T08:33:57.184Z","dependency_job_id":null,"html_url":"https://github.com/flashbots/vault-auth-plugin-attest","commit_stats":null,"previous_names":["flashbots/vault-auth-plugin-attest"],"tags_count":3,"template":false,"template_full_name":null,"purl":"pkg:github/flashbots/vault-auth-plugin-attest","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flashbots%2Fvault-auth-plugin-attest","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flashbots%2Fvault-auth-plugin-attest/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flashbots%2Fvault-auth-plugin-attest/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flashbots%2Fvault-auth-plugin-attest/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/flashbots","download_url":"https://codeload.github.com/flashbots/vault-auth-plugin-attest/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/flashbots%2Fvault-auth-plugin-attest/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31992019,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-18T20:23:30.271Z","status":"online","status_checked_at":"2026-04-19T02:00:07.110Z","response_time":55,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["attestation","tdx","tpm2","vault-plugin"],"created_at":"2024-11-15T08:21:51.819Z","updated_at":"2026-04-19T02:33:56.912Z","avatar_url":"https://github.com/flashbots.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# vault-auth-plugin-attest\n\nVault plugin for attested authentication.\n\nThe same binary can be used both as a plugin and as a login-helper tool with a CLI similar\nto the native Vault CLI.\n\n## TL;DR\n\n- Make sure vault is [installed](https://developer.hashicorp.com/vault/docs/install).\n\n- Make sure you run this on the TDX VM (the attestation won't work otherwise).\n\n- Start vault in development mode:\n\n    ```shell\n    make vault\n    ```\n\n    ```text\n    WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory\n    and starts unsealed with a single unseal key. The root token is already\n    authenticated to the CLI, so you can immediately begin using Vault.\n\n    You may need to set the following environment variables:\n\n        $ export VAULT_ADDR='https://127.0.0.1:8200'\n        $ export VAULT_CACERT='/tmp/vault-tls2386973238/vault-ca.pem'\n\n\n    The unseal key and root token are displayed below in case you want to\n    seal/unseal the Vault or re-authenticate.\n\n    Unseal Key: xxx\n    Root Token: yyy\n\n    The following dev plugins are registered in the catalog:\n        - vault-auth-plugin-attest\n\n    Development mode should NOT be used in production installations!\n    ```\n\n- Enable the `vault-auth-plugin-attest` plugin:\n\n    ```shell\n    make vault-enable-plugin\n    ```\n\n    ```text\n    Success! Enabled vault-auth-plugin-attest auth method at: attest/\n    ```\n\n### TDX attestation\n\n- Configure the \"test\" TDX trusted domain with a dummy TOTP secret:\n\n    ```shell\n    make vault-configure-tdx\n    ```\n\n    ```text\n    Key                          Value\n    ---                          -----\n    tdx_check_debug              true\n    tdx_check_sept_ve_disable    true\n    token_bound_cidrs            []\n    token_explicit_max_ttl       0s\n    token_max_ttl                0s\n    token_no_default_policy      false\n    token_num_uses               0\n    token_period                 0s\n    token_policies               []\n    token_ttl                    0s\n    token_type                   default\n    totp_secret                  AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n    ```\n\n- Add some actual measurement checks to verify:\n\n    (strictly speaking, the above step could have been merged with this one)\n\n    ```shell\n    make vault-configure-tdx-mrs\n    ```\n\n    ```text\n    Key                          Value\n    ---                          -----\n    tdx_check_debug              true\n    tdx_check_sept_ve_disable    true\n    tdx_mr_td                    XVYIDrnvjOC7r2vc2t7rBufFsKTR7Ba+hoqFqVO6vgxeVNAcjgUKVP4coHg3JTDS\n    tdx_rtmr0                    VXM6iiMfT6GTTiJLWQDfEyqvMFJuA9r6D8AC1HQEdC1b1X30lPxB254Z7vCuUTrb\n    tdx_rtmr1                    QKV//vF9S9irqJaav/3DvnzyrGVWSkr+zcstQoLjwZEbcd6pMIzCgOKvSybXW/ZV\n    tdx_rtmr2                    v7K8YLrNv3NasPi7EJQr0MXeg+72+VXiAJOUysspfl7M6xO1g5N2ucv0/a2zhTpZ\n    token_bound_cidrs            []\n    token_explicit_max_ttl       0s\n    token_max_ttl                0s\n    token_no_default_policy      false\n    token_num_uses               0\n    token_period                 0s\n    token_policies               []\n    token_ttl                    0s\n    token_type                   default\n    ```\n\n    \u003e [!IMPORTANT]\n    \u003e\n    \u003e The measurements on your VM will probably differ (which is the whole point).\n\n- Login with the attestation quote:\n\n    ```shell\n    make vault-login-tdx\n    ```\n\n    ```text\n    Success! You are now authenticated. The token information displayed\n    below is already stored in the token helper. You do NOT need to login\n    again. Future Vault requests will automatically use this token.\n\n    Key                  Value\n    ---                  -----\n    token                hvs.XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\n    token_accessor       XXXXXXXXXXXXXXXXXXXXXXXX\n    token_duration       768h\n    token_renewable      true\n    token_policies       [\"default\"]\n    identity_policies    []\n    policies             [\"default\"]\n    token_meta_tdx       test\n    ```\n\n    \u003e [!IMPORTANT]\n    \u003e\n    \u003e The CLI helper uses the `/dev/tdx_guest` device, which should be available\n    \u003e in the TD VM. Make sure the necessary packages/drivers are installed. Also,\n    \u003e the device permissions will most likely require `root` access.\n\n- Stir some things:\n\n    ```shell\n    apt-get upgrade --yes\n    reboot now\n    ```\n\n- Try to re-login:\n\n    ```shell\n    make vault-login-tdx\n    ```\n\n    ```text\n    Failed with error:\n\n    failed to fetch tdx-attested token: Error making API request.\n\n    URL: PUT https://127.0.0.1:8200/v1/auth/attest/tdx/test/login\n    Code: 400. Errors:\n\n    * failed to validate tdx quote\n    ```\n\n    At the same time, in Vault's logs:\n\n    ```text\n    failed to validate tdx quote: domain=test error=\"2 errors occurred: rtmr[1] mismatch; rtmr[2] mismatch\"\n    ```\n\n## Login workflow\n\n- The trusted domain is pre-configured with a TOTP secret that is shared between the TD\n  and Vault.\n\n- First, the TD requests a nonce from Vault by providing it with a TOTP code\n  generated from that shared secret.\n\n- If the TOTP code is valid and wasn't used before, Vault issues a nonce\n  with a limited validity period.\n\n- Upon receipt of the nonce, the TD waits until the next TOTP code can be\n  generated, produces the attestation quote that incorporates the nonce issued by\n  Vault, and requests the authentication token from Vault by providing it with\n  the 2nd TOTP code _and_ the attestation quote.\n\n- Vault then verifies the validity of the TOTP code, validates the\n  attestation quote, and verifies that its measurements match the values\n  pre-configured in Vault.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflashbots%2Fvault-auth-plugin-attest","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fflashbots%2Fvault-auth-plugin-attest","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fflashbots%2Fvault-auth-plugin-attest/lists"}