crypto-vault

Crypto Vault

Secure Key and Secrets Management

A comprehensive cryptographic key and secrets management system providing hardware-backed storage, automatic rotation, and integration with all SecureExecutionEnvironment components.

Overview

crypto-vault provides enterprise-grade secrets management with support for hardware security modules (HSM), Trusted Platform Modules (TPM), and secure enclaves. It ensures that cryptographic keys, passwords, certificates, and other sensitive data are protected both at rest and in transit.

Features

Core Capabilities

• Hardware-Backed Storage: TPM 2.0, HSM, Intel SGX support
• Key Management: Generation, storage, rotation, revocation
• Secrets Storage: Encrypted storage for passwords, tokens, API keys
• Certificate Management: X.509 certificate lifecycle
• Key Derivation: HKDF, PBKDF2, Argon2 support
• Encryption Services: Encrypt/decrypt data with managed keys
• Signing Services: Digital signatures and verification
• Access Control: Fine-grained permission model

Advanced Features

• Automatic Key Rotation: Policy-based rotation schedules
• Audit Trail: Comprehensive access logging
• Key Versioning: Multiple versions of keys
• Key Backup: Encrypted key escrow
• Namespace Isolation: Multi-tenant support
• Sealed Secrets: Bind secrets to specific system states
• Integration Hooks: Works with deterministic-executor
• High Availability: Distributed vault support

Architecture

┌─────────────────────────────────────────────┐
│            Application Layer                │
│  (Applications using crypto-vault)          │
└─────────────────┬───────────────────────────┘
                  │
┌─────────────────▼───────────────────────────┐
│     Crypto Vault API                        │
│  - Key Management                           │
│  - Secret Storage                           │
│  - Encryption Services                      │
│  - Signing Services                         │
└─────────────────┬───────────────────────────┘
                  │
┌─────────────────▼───────────────────────────┐
│     Storage Backend                         │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐   │
│  │   TPM    │ │   HSM    │ │  Secure  │   │
│  │  2.0     │ │ (PKCS11) │ │ Enclave  │   │
│  └──────────┘ └──────────┘ └──────────┘   │
└─────────────────────────────────────────────┘

Installation

As a Git Submodule

git submodule add https://github.com/navinBRuas/_SecureExecutionEnvironment.git vendor/secure-execution
cd vendor/secure-execution/crypto-vault
make

Quick Start

Basic Usage (C)

#include <crypto-vault/vault.h>

int main() {
    // Initialize vault
    vault_context_t *vault = vault_new();
    
    // Configure backend (TPM, HSM, or software)
    vault_config_t config = {
        .backend = VAULT_BACKEND_TPM,
        .storage_path = "/var/lib/crypto-vault"
    };
    
    vault_set_config(vault, &config);
    
    // Generate a key
    vault_key_t *key = vault_generate_key(vault, 
        "my-app-key", VAULT_KEY_TYPE_AES_256);
    
    // Encrypt data
    const uint8_t *plaintext = (uint8_t*)"Secret data";
    uint8_t *ciphertext;
    size_t ciphertext_len;
    
    vault_encrypt(vault, key, plaintext, 11, 
                  &ciphertext, &ciphertext_len);
    
    // Decrypt data
    uint8_t *decrypted;
    size_t decrypted_len;
    vault_decrypt(vault, key, ciphertext, ciphertext_len,
                  &decrypted, &decrypted_len);
    
    // Clean up
    vault_key_free(key);
    vault_free(vault);
    
    return 0;
}

Secrets Management

// Store a secret
vault_store_secret(vault, "db-password", 
    (uint8_t*)"P@ssw0rd!", 9);

// Retrieve secret
uint8_t *secret;
size_t secret_len;
vault_get_secret(vault, "db-password", &secret, &secret_len);

// Delete secret
vault_delete_secret(vault, "db-password");

Certificate Management

// Generate certificate
vault_cert_t *cert = vault_generate_cert(vault,
    "my-service",
    "CN=my-service.example.com",
    3650  // 10 years validity
);

// Sign data with certificate
vault_sign_with_cert(vault, cert, data, data_len, &signature);

// Verify signature
bool valid = vault_verify_signature(vault, cert, 
    data, data_len, signature);

API Reference

Context Management

vault_new()

Create a new vault context.

vault_free(vault)

Free vault context.

vault_set_config(vault, config)

Configure vault parameters.

Key Management

vault_generate_key(vault, name, type)

Generate a new cryptographic key.

vault_get_key(vault, name)

Retrieve an existing key.

vault_delete_key(vault, name)

Delete a key.

vault_rotate_key(vault, name)

Rotate a key to a new version.

vault_list_keys(vault, keys, count)

List all keys.

Encryption/Decryption

vault_encrypt(vault, key, plaintext, len, ciphertext, out_len)

Encrypt data with a key.

vault_decrypt(vault, key, ciphertext, len, plaintext, out_len)

Decrypt data with a key.

Secrets Storage

vault_store_secret(vault, name, secret, len)

Store a secret securely.

vault_get_secret(vault, name, secret, len)

Retrieve a secret.

vault_delete_secret(vault, name)

Delete a secret.

Signing

vault_sign(vault, key, data, len, signature, sig_len)

Create digital signature.

vault_verify(vault, key, data, len, signature, sig_len)

Verify digital signature.

TPM Operations

vault_tpm_seal(vault, data, pcr_values)

Seal data to TPM PCR values.

vault_tpm_unseal(vault, sealed_data)

Unseal TPM-sealed data.

Configuration

crypto-vault:
  # Backend configuration
  backend:
    type: tpm  # tpm, hsm, sgx, software
    device: /dev/tpm0
    
  # Storage
  storage:
    path: /var/lib/crypto-vault
    encrypted: true
    
  # Key rotation
  rotation:
    enabled: true
    default_period: 90d
    
  # Access control
  access:
    require_authentication: true
    audit_all_access: true
    
  # High availability
  ha:
    enabled: false
    replicas: 3

Integration Examples

With Deterministic Executor

// Seal secrets to deterministic execution state
vault_seal_to_execution_state(vault, secret, 
    deterministic_hash);

// Secrets only unsealable in same execution state

With Process Sandbox

// Provide secrets only to sandboxed processes
sandbox_config_t config = sandbox_config_new();
vault_context_t *vault = vault_new();

sandbox_config_set_vault(&config, vault);
sandbox_config_grant_secret(&config, "api-key");

// Sandboxed process can only access granted secrets

Building

Requirements

• Linux kernel 5.0+
• libtss2-dev (for TPM support)
• libp11-dev (for PKCS#11/HSM support)
• OpenSSL 3.0+

Build Commands

make
sudo make install

License

MIT License - See LICENSE

Standalone Installation

git submodule add https://github.com/navinBRuas/_SecureExecutionEnvironment.git vendor/secure-execution

Use vendor/secure-execution/crypto-vault for local builds and integration.

Usage

Follow the C examples above and module headers for API details.

Configuration

Configure vault backend, storage, rotation, and access policies via the YAML config and vault_config_t.

Version

Current version: 0.1.0 (see VERSION.md).

Changelog

See CHANGELOG.md for release history.