2 unstable releases
0.2.0 | Dec 30, 2023 |
---|---|
0.1.1 | Dec 25, 2023 |
0.1.0 |
|
#712 in HTTP server
Used in chamber-cli
38KB
961 lines
chamber: A self-hostable SecretOps service.
Do you have NIH syndrome? Me too, which is why I made this web service so I can avoid the complexity of having to use Hashicorp Vault.
Usage
The easiest way to start using Chamber is via the CLI. You will need to install it using the following:
cargo install chamber-cli
You'll want to then set the URL of your Chamber instance using chamber website set [VALUE]
.
Initially when you load up the web service, a root key will be auto generated for you that you can find in the logs. You will need to use this key to unseal the web service using chamber unseal [VALUE]
.
Once this is done, you can then generate a chamber.bin
file using chamber keygen
and use chamber upload
to upload the new keyfile to the web service to reset your seal key (and cryptographic key)!
Deployment to Shuttle
To deploy this as a Shuttle service, run the following:
cargo shuttle init --from joshua-mo-143/chamber --subfolder chamber-server
You will probably want to use chamber keygen
to generate a new keyfile and include it in your project root. This will allow you to keep your keyfile persistent across deployments. shuttle-persist
support is planned to make it easier to persist your keyfiles.
Dockerfile Deployment
A dockerfile has been added for your convenience.
The dockerfile takes the DATABASE_URL
and PORT
environment variables.
Features
- Store your secrets in a self-hostable web server
- Lock and unlock your instance using root key
- Encrypt your secrets using AES-256-GCM
- IAM system that allows you to lock secrets by role whitelist and power level
- Categorise your secrets easily using tags
- Postgres backend (multiple backends to be supported in future)
- Written in Rust
Future short-term features
- Secrets will be encrypted and signed
Long(er) Term Roadmap
- Logging/tracing
- SDK
How Chamber works
There are several moving parts to Chamber:
- A web server that has can be unlocked and locked as required
- A command-line interface that serves as the current primary way to interact with a Chamber server
- The core (which holds methods for storing data, encryption and decryption, and other misc things)
How secure is Chamber?
Please refer to the SECURITY.md file for a full explanation.
For the TL;DR: This service is reasonably secure if you are using it for small scale projects. Work is being done to enhance the security as outlined in the aforementioned file. Expect the API to be unstable.
Dependencies
~31–44MB
~830K SLoC