https://github.com/devigned/rust-key-vault
Rust implementation of the Azure Key Vault client API
- Host: GitHub
- URL: https://github.com/devigned/rust-key-vault
- Owner: devigned
- License: mit
- Created: 2015-01-11T18:25:26.000Z (about 11 years ago)
- Default Branch: master
- Last Pushed: 2015-05-11T03:38:05.000Z (almost 11 years ago)
- Last Synced: 2024-10-05T17:23:07.348Z (over 1 year ago)
- Language: Rust
- Size: 329 KB
- Stars: 3
- Watchers: 4
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Rust Key Vault
A Rust library and command line interface exposing the features provided by the Azure Key Vault REST API.
## Project Status
The library is at proof of concept state. Right now, it will only authenticate against Azure Active Directory via OAuth2 and request an asymmetric key from a specified vault. There is much work to be done.
## Features (coming soon unless otherwise stated)
### Keys (asymmetric cryptographic keys)
- Create (*implemented*): Allows a client to create a key in Azure Key Vault. The value of the key is generated by Azure Key Vault and stored and is not released to the client. Asymmetric (and in the future, Elliptic Curve and Symmetric) keys may be created in Azure Key Vault.
- Delete (*implemented*): Allows a client with sufficient permissions to delete a key from Azure Key Vault.
- List (*implemented*): Allows a client to list all keys in a given Azure Key Vault.
- Get (*implemented*): Allows a client to retrieve the public parts of a given key in an Azure Key Vault.
- Backup: Exports a key in a protected form.
- Restore: Imports a previously backed up key.
- Sign and Verify (*implemented*): Strictly, this operation is "sign hash" or "verify hash", as Azure Key Vault does not support hashing of content as part of signature creation. Applications should hash the data to be signed locally and then request that Azure Key Vault sign the hash. Verification of signed hashes is supported as a convenience operation for applications that may not have access to [public] key material; it is recommended that, for best application performance, verify operations are performed locally.
- Key Encryption / Wrapping (*implemented*): A key stored in Azure Key Vault may be used to protect another key, typically a symmetric content encryption key (CEK). When the key in Azure Key Vault is asymmetric, key encryption is used (for example RSA-OAEP), and the WRAPKEY/UNWRAPKEY operations are equivalent to ENCRYPT/DECRYPT. When the key in Azure Key Vault is symmetric, key wrapping is used, for example AES-KW. The WRAPKEY operation is supported as a convenience for applications that may not have access to [public] key material; it is recommended that, for best application performance, WRAPKEY operations are performed locally.
- Encrypt and Decrypt (*implemented*): A key stored in Azure Key Vault may be used to encrypt or decrypt a single block of data, the size of which is determined by the key type and selected encryption algorithm. The Encrypt operation is provided for convenience for applications that may not have access to [public] key material; it is recommended that, for best application performance, encrypt operations be performed locally.
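As an added illustration of the "sign hash" contract described above (this is not code from the repository): the caller hashes the data locally, sends only the digest, and then decodes and sanity-checks the signature in the reply. It is written in Python with the standard library so it runs without the crate; the request and response field names (`alg`, `value`, `digest`, `kid`) follow the Key Vault REST sign/verify operations as I know them rather than anything on this page, and the sample response in the test is constructed.

```python
import base64
import hashlib
import json

# Digest that must be computed locally for each RSA signing algorithm;
# the vault signs exactly the digest bytes it receives, nothing more.
DIGEST_FOR_ALG = {"RS256": "sha256", "RS384": "sha384", "RS512": "sha512"}


def b64url_encode(raw: bytes) -> str:
    """Key Vault encodes binary fields as unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def local_digest(data: bytes, alg: str) -> bytes:
    return hashlib.new(DIGEST_FOR_ALG[alg], data).digest()


def build_sign_request(data: bytes, alg: str = "RS256") -> dict:
    """Hash locally, then build the JSON body for the key's sign operation.

    The body carries the digest, never the plaintext: with RS256 the vault
    expects exactly 32 digest bytes and rejects anything else.
    """
    return {"alg": alg, "value": b64url_encode(local_digest(data, alg))}


def parse_sign_response(body: str, expected_kid: str, modulus_bytes: int) -> bytes:
    """Decode the signature and check it came from the key we asked for."""
    resp = json.loads(body)
    if resp.get("kid") != expected_kid:
        raise ValueError(f"signature from unexpected key: {resp.get('kid')}")
    sig = b64url_decode(resp["value"])
    if len(sig) != modulus_bytes:  # an RSA signature is exactly one modulus long
        raise ValueError(f"signature length {len(sig)} != {modulus_bytes}")
    return sig


def build_verify_request(data: bytes, signature: bytes, alg: str = "RS256") -> dict:
    """Body for the vault-side verify convenience call; verifying locally with
    the public key returned by Get is the cheaper option the README recommends."""
    return {"alg": alg, "digest": b64url_encode(local_digest(data, alg)),
            "value": b64url_encode(signature)}
```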
### Secrets (octet sequences with a maximum size of 10k bytes each)
- Create: Create new secrets
- Get: Read a secret
- List: List the secrets stored in a Key Vault
- Delete: Delete the secret
### Command Line Interface
- Key Examples:
  - Create: `> vault keys create --ops "sign, verify, wrapKey, unwrapKey, encrypt, decrypt"`
    Returns success or failure
  - Delete: `> vault keys delete `
    Returns success or failure
  - List: `> vault keys list`
    Returns a list of keys in the vault
  - Get: `> vault keys get `
    Returns the public side and metadata of the key
  - Backup: `> vault keys backup `
    Returns byte stream of key
  - Restore: `> vault keys restore `
    Restores key from file
  - Sign: `> vault keys sign `
    Returns the signature
  - Verify: `> vault keys verify `
    Returns success or failure
  - Encryption: `> vault keys encrypt `
    Returns encrypted byte stream
  - Decryption: `> vault keys decrypt `
    Returns decrypted byte stream
  - Key Wrap: `> vault keys wrap `
    Returns byte stream of wrapped key
  - Key Unwrap: `> vault keys unwrap `
    Returns byte stream for unwrapped key
- Secrets Examples:
  - Create: `> vault secrets create `
    Returns success or failure
  - Delete: `> vault secrets delete `
    Returns success or failure
  - Get: `> vault secrets get `
    Returns the value of the secret
  - List: `> vault secrets list`
    Returns the names of the secrets in the vault
### Executing Key Operation Example
From the project root run: `cargo run --example key_operations `
## Installation
- Clone the repo
- Run `cargo build`
- Run `cargo test`
## Usage
See the key_operations example:
```rust
// Excerpt of the example's `main`; `get_arg` and the `display_*` /
// `insert_new_key` / `delete_existing_key` helpers are defined elsewhere
// in the example file and are not shown here.
fn main() {
    // The three positional command-line arguments are read into
    // `vault`, `key` and `secret`.
    let mut vault = String::new();
    let mut key = String::new();
    let mut secret = String::new();
    get_arg(1, &mut vault);
    get_arg(2, &mut key);
    get_arg(3, &mut secret);
    // Note: this echoes the secret to stdout, which is acceptable only in a demo.
    println!("vault: {:?}, key: {:?}, secret: {:?}", vault, key, secret);

    // Authenticate (OAuth2 against Azure Active Directory) and open the vault.
    let mut client: AzureVault = Vault::new(&vault[..], &key[..], &secret[..]);

    // Exercise the implemented key operations: list, delete, create,
    // encrypt/decrypt, sign/verify and get.
    display_current_keys_list(&mut client);
    delete_existing_key(&mut client, "mynewkey1");
    display_current_keys_list(&mut client);
    insert_new_key(&mut client, "mynewkey1");
    display_encrypt_decrypt(&mut client, "mynewkey1", "Hello World!".to_string());
    display_sign_verify(&mut client, "mynewkey1", "Hello World!".to_string());
    display_current_keys_list(&mut client);
    display_key_by_name(&mut client, "mynewkey1");
}
```
## Contributing
1. Fork it ( https://github.com/devigned/rust-key-vault/fork )
2. Create your feature branch (`git checkout -b my-new-feature`)
3. Commit your changes (`git commit -am 'Add some feature'`)
4. Push to the branch (`git push origin my-new-feature`)
5. Create a new Pull Request