{"id":26397386,"url":"https://github.com/thalesgroup/ciphertrust-kms-spire-plugin","last_synced_at":"2025-08-05T16:28:56.541Z","repository":{"id":227120590,"uuid":"768510709","full_name":"ThalesGroup/ciphertrust-kms-spire-plugin","owner":"ThalesGroup","description":"This repository contains a key manager server plugin for SPIRE to delegate key management tasks to Thales CipherTrust KMS.","archived":false,"fork":false,"pushed_at":"2024-04-19T13:19:13.000Z","size":31005,"stargazers_count":0,"open_issues_count":2,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2024-06-21T14:14:48.222Z","etag":null,"topics":["ciphertrust","keymanager","spire","thales"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ThalesGroup.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-03-07T08:11:23.000Z","updated_at":"2024-03-11T16:45:58.000Z","dependencies_parsed_at":"2024-06-21T13:10:05.543Z","dependency_job_id":null,"html_url":"https://github.com/ThalesGroup/ciphertrust-kms-spire-plugin","commit_stats":null,"previous_names":["thalesgroup/ciphertrust-kms-spire-plugin"],"tags_count":1,"template":false,"template_full_name":"ThalesGroup/template-project","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThalesGroup%2Fciphertrust-kms-spire-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThalesGroup%2Fciphertrust-kms-spire-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/host
s/GitHub/repositories/ThalesGroup%2Fciphertrust-kms-spire-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThalesGroup%2Fciphertrust-kms-spire-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ThalesGroup","download_url":"https://codeload.github.com/ThalesGroup/ciphertrust-kms-spire-plugin/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":244031130,"owners_count":20386534,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ciphertrust","keymanager","spire","thales"],"created_at":"2025-03-17T12:17:35.611Z","updated_at":"2025-03-17T12:17:36.224Z","avatar_url":"https://github.com/ThalesGroup.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"[![Go Report Card](https://goreportcard.com/badge/github.com/ThalesGroup/ciphertrust-kms-spire-plugin)](https://goreportcard.com/report/github.com/ThalesGroup/ciphertrust-kms-spire-plugin)\r\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://github.com/ThalesGroup/ciphertrust-kms-spire-plugin/blob/main/LICENSE)\r\n# SPIRE Ciphertrust KMS Plugin\r\n\r\nThis repository contains an external Key Manager plugin using Thales CipherTrust KMS for [SPIRE](https://github.com/spiffe/spire). 
\r\n\r\n* Thales CipherTrust Manager is an independent third-party tool dedicated to managing keys on behalf of SPIRE.\r\n* It enables the initial enrollment of the SPIRE server architecture.\r\n* CipherTrust KMS provides the root key and the key identifiers.\r\n\r\n## Menu\r\n\r\n- [Prerequisite](#prerequisite)\r\n- [Quick start](#quick-start)\r\n- [How it Works](#how-it-works)\r\n- [Building](#building)\r\n- [Testing](#testing)\r\n- [License](#license)\r\n- [Contributing](#contributing)\r\n- [Security Vulnerability Reporting](#security-vulnerability-reporting)\r\n\r\n## Demo\r\n\r\nHere's a quick demo that shows how this plugin looks when run:\r\n![Plugin in action](assets/ciphertrust-plugin.gif)\r\n\r\nThe demo commands can be found in the [SPIRE getting started guide](https://spiffe.io/docs/latest/try/getting-started-linux-macos-x/).\r\n\r\n## Get started\r\n\r\n### Prerequisite\r\n\r\n#### CipherTrust Manager Setup\r\n\r\nThere are three options to set up a CipherTrust Manager instance:\r\n\r\n1. [Locally using VirtualBox](https://www.youtube.com/watch?v=MNFgVhgMLB4\u0026list=PLw3mEF7reqIN7TKqwUoCTM9dkFA9xer_0\u0026index=8)\r\n\r\n2. [Hosted on Azure](https://www.youtube.com/watch?v=2TcaAjfqaEE\u0026list=PLw3mEF7reqIM6TdatdDSd5G_tvsNVqNhx)\r\n\r\n3. [As a service](https://cpl.thalesgroup.com/encryption/data-security-platform/ciphertrust-encryption-key-management-service#start)\r\n\r\n### Quick Start\r\n\r\nBefore starting, create a running SPIRE deployment and add the following KeyManager configuration to the SPIRE server (this is a server-side plugin):\r\n\r\n#### Server Configuration\r\n\r\n```hcl\r\nKeyManager \"ciphertrust_kms\" {\r\n    # the plugin binary is provided in the bin folder\r\n    plugin_cmd = \"/path/to/plugin_cmd\"\r\n    # the SHA-256 hash of that binary is provided in the bin folder;\r\n    # SPIRE refuses to load the plugin if the binary does not match it\r\n    plugin_checksum = \"sha256 of the plugin binary\"\r\n    plugin_data = {\r\n        key_metadata_file = \"metadata/key-spire-id\"\r\n        ctm_url = \"https://\u003cCipherTrustManager-instance\u003e\"\r\n        username = \"\u003cuname\u003e\"\r\n        password = \"\u003cpwd\u003e\"\r\n    }\r\n}\r\n```\r\n\r\nDetails of the plugin data:\r\n\r\n| key               | type   | required | description                                                                                                        | default |\r\n| :---------------- | :----- | :------- | :----------------------------------------------------------------------------------------------------------------- | :------ |\r\n| key_metadata_file | string | Yes      | Path to the SPIRE ID metadata file; it is used as the keys' unique ID. The directory containing it must exist before SPIRE starts | None    |\r\n| ctm_url           | string | Yes      | The address of your CipherTrust Manager instance (local or remote)                                                 | None    |\r\n| username          | string | Yes      | Username exchanged for the JWT used to access the CTM API                                                          | None    |\r\n| password          | string | Yes      | Password exchanged for the JWT used to access the CTM API                                                          | None    |\r\n\r\n#### Directory Configuration\r\n\r\nFor this plugin to work, all fields must be valid and the directory containing the SPIRE metadata must exist before SPIRE is started. Because `username` and `password` are stored in clear text in the server configuration, restrict read access to that file to the SPIRE server user.\r\n\r\n### How it Works\r\n\r\nThe plugin uses CipherTrust Manager to bootstrap the SPIRE Server identity and signs SVIDs. The plugin operates as follows:\r\n\r\n1. Fetches existing keys from CipherTrust Manager, if any\r\n2. Generates key pairs for the SVID bundles (X.509 and JWK)\r\n3. Signs SVIDs when needed\r\n\r\n### Building\r\n\r\nTo build this plugin on Linux, run `make build`.\r\nThe plugin binary will be placed in the `bin` folder.\r\n\r\n**Important note**\r\n* `make build` automatically runs static analysis on the code to detect any anomaly.\r\n* Before running `make build`, install [staticcheck](https://staticcheck.dev/docs/getting-started/), gofmt \u0026 go vet (Go analysis tools) and the [goreportcard](https://github.com/gojp/goreportcard) tool.\r\n* If no anomaly is found, the binary and its SHA-256 hash are generated in the `bin` folder; that hash is the value to put in `plugin_checksum`.\r\n\r\n```bash\r\ngofmt...\r\nRunning staticcheck...\r\nRunning go vet...\r\nRunning goreportcard\r\ngoreportcard-cli -v\r\n```\r\n\r\n### Testing\r\n\r\n- Functional plugin tests are located in `tests/ciphertrust_spire_plugin_test.go`\r\n- Unit tests are located in `pkg/ciphertrustkms/tests`\r\n\r\nBoth test suites require a live CipherTrust Manager instance. Before running the functional tests, make sure you have a valid CipherTrust Manager instance running and update the following variables in `tests/ciphertrust_spire_plugin_test.go`:\r\n\r\n```go\r\nctmService        = \"https://\u003clocal/remote IP/name\u003e\"\r\nusername          = \"user\"\r\npwd               = \"pwd\"\r\n```\r\n\r\nBefore running the unit tests, make sure you have a valid CipherTrust Manager instance running and update the same variables in `pkg/ciphertrustkms/tests/cihpertrustkms_test.go`:\r\n\r\n```go\r\nctmService        = \"https://\u003clocal/remote IP/name\u003e\"\r\nusername          = \"user\"\r\npwd               = \"pwd\"\r\n```\r\n\r\n## Contributing\r\n\r\nIf you are interested in contributing to the CipherTrust SPIRE plugin project, start by reading the [Contributing guide](/CONTRIBUTING.md).\r\n\r\n## License\r\n\r\nPlease read the [LICENSE](LICENSE) file.\r\n\r\n## Security Vulnerability Reporting\r\n\r\nIf you believe you have identified a security vulnerability in this project, please send an email to the project\r\nteam at security@opensource.thalesgroup.com, detailing the suspected issue and any methods you've found to reproduce it.\r\n\r\nPlease do NOT open an issue in the GitHub repository, as we'd prefer to keep vulnerability reports private until\r\nwe've had an opportunity to review and address them.\r\n\r\nPlease read the [SECURITY](SECURITY.md) file.\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthalesgroup%2Fciphertrust-kms-spire-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthalesgroup%2Fciphertrust-kms-spire-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthalesgroup%2Fciphertrust-kms-spire-plugin/lists"}
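Added example (written for this page, not code from the ThalesGroup plugin): a Go preflight check for the `KeyManager "ciphertrust_kms"` server configuration shown in the README record above. Before SPIRE is started it verifies the conditions the README states must hold: the plugin binary hashes to `plugin_checksum`, the directory containing `key_metadata_file` already exists, and `ctm_url`, `username` and `password` are all set. The `PluginConfig` struct, the `Validate` and `FileSHA256` functions, the https-only rule for `ctm_url` and the sample paths in `main` are this example's own assumptions; SPIRE's HCL loader, which actually parses the configuration, is not reproduced here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// PluginConfig carries the values from the README's KeyManager "ciphertrust_kms"
// block: plugin_cmd, plugin_checksum and the four plugin_data keys.
// The struct and its field names are this example's own, not the plugin's.
type PluginConfig struct {
	PluginCmd       string // plugin_cmd: path to the plugin binary
	PluginChecksum  string // plugin_checksum: hex SHA-256 of that binary
	KeyMetadataFile string // plugin_data.key_metadata_file
	CTMURL          string // plugin_data.ctm_url
	Username        string // plugin_data.username
	Password        string // plugin_data.password
}

// FileSHA256 returns the lowercase hex SHA-256 digest of the file at path,
// hashing it as a stream so a large binary is not loaded into memory.
func FileSHA256(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Validate applies the README's preconditions and returns every problem found
// (an empty slice means the configuration is usable):
//   - every field must be set;
//   - the binary at plugin_cmd must hash to plugin_checksum, otherwise SPIRE
//     refuses to load the plugin;
//   - the directory containing key_metadata_file must already exist;
//   - ctm_url must be an https URL with a host. The README's sample uses https;
//     insisting on it is this example's own hardening, because the username and
//     password are sent to that URL to obtain a CTM JWT.
func Validate(cfg PluginConfig) []string {
	var problems []string

	switch {
	case cfg.PluginCmd == "":
		problems = append(problems, "plugin_cmd is empty")
	case cfg.PluginChecksum == "":
		problems = append(problems, "plugin_checksum is empty")
	default:
		got, err := FileSHA256(cfg.PluginCmd)
		if err != nil {
			problems = append(problems, "plugin_cmd: "+err.Error())
		} else if !strings.EqualFold(got, cfg.PluginChecksum) {
			problems = append(problems, fmt.Sprintf(
				"plugin_checksum mismatch: config has %s, binary hashes to %s",
				cfg.PluginChecksum, got))
		}
	}

	if cfg.KeyMetadataFile == "" {
		problems = append(problems, "key_metadata_file is empty")
	} else {
		dir := filepath.Dir(cfg.KeyMetadataFile)
		if st, err := os.Stat(dir); err != nil || !st.IsDir() {
			problems = append(problems, "key_metadata_file: directory "+dir+" must exist before SPIRE starts")
		}
	}

	if u, err := url.Parse(cfg.CTMURL); err != nil || u.Scheme != "https" || u.Host == "" {
		problems = append(problems, "ctm_url must be an https:// URL naming the CipherTrust Manager host")
	}

	if cfg.Username == "" || cfg.Password == "" {
		problems = append(problems, "username and password are both required to obtain a CTM JWT")
	}
	return problems
}

func main() {
	// Sample values are assumptions for illustration; replace them with the
	// real paths and host from your SPIRE server configuration.
	cfg := PluginConfig{
		PluginCmd:       "bin/ciphertrust-kms-spire-plugin",
		PluginChecksum:  "0000000000000000000000000000000000000000000000000000000000000000",
		KeyMetadataFile: "metadata/key-spire-id",
		CTMURL:          "https://ctm.example.internal",
		Username:        "spire-server",
		Password:        "change-me",
	}
	problems := Validate(cfg)
	if len(problems) == 0 {
		fmt.Println("configuration passes preflight checks")
		return
	}
	for _, p := range problems {
		fmt.Println("config problem:", p)
	}
	os.Exit(1)
}
```

Run it from the directory SPIRE is started in, so that relative paths such as `metadata/key-spire-id` resolve the same way they will for the server. Comparing the checksum case-insensitively matches SPIRE's behaviour of accepting hex in either case; everything else is reported as a list rather than a first failure so that a misconfigured host can be fixed in one pass.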