https://github.com/letsencrypt/sunlight-secretmanager
- Host: GitHub
- URL: https://github.com/letsencrypt/sunlight-secretmanager
- Owner: letsencrypt
- License: mpl-2.0
- Created: 2024-10-28T17:52:15.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2025-08-09T00:07:12.000Z (6 months ago)
- Last Synced: 2025-08-09T01:18:11.957Z (6 months ago)
- Language: Go
- Size: 552 KB
- Stars: 0
- Watchers: 6
- Forks: 0
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
- Codeowners: CODEOWNERS
README
# sunlight-secretmanager
sunlight-secretmanager is a command-line tool to manage a
[Sunlight](https://sunlight.dev/) CT Log's private key material.
All CT logs have a private key which they use to create Signed Certificate
Timestamps (SCTs) and Signed Tree Heads (STHs). Sunlight does not take this
private key as input directly. Instead, its configuration requires two file
paths:
- A seed file containing at least 32 bytes of random data, from which the log's
ECDSA P-256 key will be derived; and
- A PEM file containing the corresponding ECDSA P-256 public key.
The purpose of sunlight-secretmanager is to authenticate to AWS Secrets Manager,
retrieve a stored seed, use that seed to derive the corresponding pubkey, and
write both files to disk in a tmpfs. It knows what seed to retrieve and where to
write the output files by parsing the same config file which configures the
Sunlight log itself.
If it successfully retrieves a secret from AWS Secrets Manager but that secret
is empty, it will generate a new seed and save it back to AWS before proceeding.
This allows for seamless setup of new log shards simply by adding them to
Terraform.
## Usage
Sign in to AWS so that the AWS SDK finds the appropriate credentials in your
environment, and then:
```shell
$ sunlight-secretmanager -config /path/to/sunlight/config.yml
```