#+DESCRIPTION: Unix key management library

The point of this library is to provide tools for /key management/
needs on Unix platforms. Our intent is to wrap well-built system
libraries such as Linux keyutils (keyctl) and provide simple, safe APIs
for Common Lisp and Rust.

This library is opinionated about the algorithms it uses and is not a

For an introduction to the key management techniques used, check
[[https://rtfm.co.ua/en/what-is-linux-keyring-gnome-keyring-secret-service-and-d-bus/][here]].
- [[https://blog.cloudflare.com/the-linux-kernel-key-retention-service-and-why-you-should-use-it-in-your-next-application/][Cloudflare - The Linux Kernel Key Retention Service and why you should use it in your next application]]

#+begin_src shell :noeval t :exports code
# Arch Linux: the keyutils package ships libkeyutils and the keyctl CLI
sudo pacman -S keyutils
#+end_src
The library we are most keen on is
[[https://man7.org/linux/man-pages/man7/keyutils.7.html][keyutils]] from the Linux kernel
([[https://github.com/Distrotech/keyutils/blob/master/keyutils.h][git]]). It is the user-space side of the kernel key retention
service: keys, tokens and other secrets are held in kernel memory rather
than in a file, and the library's calls are thin wrappers around the
syscalls that do the dirty work in kernel space. It has a simple API but
is Linux only; Darwin has no equivalent of these syscalls. Some Rust
bindings are on [[https://crates.io/crates/keyutils][crates.io]], no Common Lisp bindings (yet).
It's a pretty bare-bones interface but is easy to embed in
applications. It's just 3 syscalls:
=add_key=,
=request_key= and
=keyctl= (a multiplexer for everything else: read, revoke, search, link, set permissions, ...).
The utility program provided is called =keyctl= which is useful for
testing and shell scripting. The line below creates a key of type =user=
named =foo= with payload =bar= in the session keyring (=@s=) and prints
its serial number.

#+begin_src shell :results silent :exports code
keyctl add user foo bar @s
#+end_src
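The same operation as the =keyctl add= line above, done through the three raw syscalls, as an added example that is not part of this library or of keyutils itself (the helper names =add_user_key=, =find_user_key=, =read_key=, =revoke_key= and =keyring_roundtrip= are this example's own, and no libkeyutils is needed). It adds the key to the session keyring, finds it again with =request_key=, reads the payload back with =keyctl=, revokes it and then checks that the revoked key no longer yields its payload:

```c
/* Added example (not this project's code): the keyutils syscalls used
 * directly via syscall(2).  Linux only; helper names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/keyctl.h>   /* KEY_SPEC_SESSION_KEYRING, KEYCTL_READ, KEYCTL_REVOKE */

typedef int32_t key_serial_t;   /* key and keyring IDs are 32-bit serials */

/* add_key(2): create (or update) a "user" key in `ring`; returns its serial,
 * or -1 with errno set. */
static key_serial_t add_user_key(const char *desc, const void *payload,
                                 size_t len, key_serial_t ring)
{
    return (key_serial_t)syscall(SYS_add_key, "user", desc, payload, len, ring);
}

/* request_key(2): look a key up by type and description in the calling
 * process's keyrings (thread, process, session).  callout_info is NULL, so
 * no upcall to /sbin/request-key is made if the key is missing (ENOKEY). */
static key_serial_t find_user_key(const char *desc)
{
    return (key_serial_t)syscall(SYS_request_key, "user", desc, NULL, 0);
}

/* keyctl(2) multiplexes everything else.  KEYCTL_READ copies the payload out
 * and returns the payload's full size even if `len` was too small. */
static long read_key(key_serial_t key, void *buf, size_t len)
{
    return syscall(SYS_keyctl, KEYCTL_READ, key, buf, len);
}

/* KEYCTL_REVOKE: the key stays addressable for a while but every use of it
 * fails with EKEYREVOKED until the kernel garbage-collects it. */
static long revoke_key(key_serial_t key)
{
    return syscall(SYS_keyctl, KEYCTL_REVOKE, key);
}

/* Equivalent of `keyctl add user foo bar @s`, then read back, then revoke.
 * Writes the NUL-terminated payload into `out` and returns 0 on success or
 * -errno on the first failing call (e.g. -ENOSYS or -EPERM where the kernel
 * or a seccomp sandbox does not expose the key retention service). */
int keyring_roundtrip(char *out, size_t outlen)
{
    const char *payload = "bar";
    if (outlen < 2)
        return -EINVAL;

    key_serial_t key = add_user_key("foo", payload, strlen(payload),
                                    KEY_SPEC_SESSION_KEYRING);
    if (key < 0)
        return -errno;

    key_serial_t found = find_user_key("foo");
    if (found != key)
        return found < 0 ? -errno : -EINVAL;

    long n = read_key(key, out, outlen - 1);
    if (n < 0)
        return -errno;
    if ((size_t)n > outlen - 1)     /* payload was truncated to fit */
        n = (long)(outlen - 1);
    out[n] = '\0';

    if (revoke_key(key) < 0)
        return -errno;

    /* A revoked key must not give up its payload any more. */
    char scratch[16];
    if (read_key(key, scratch, sizeof scratch) >= 0 || errno != EKEYREVOKED)
        return -EINVAL;
    return 0;
}

int main(void)
{
    char buf[32];
    int r = keyring_roundtrip(buf, sizeof buf);
    if (r == 0)
        printf("payload read back: %s (key revoked afterwards)\n", buf);
    else
        printf("key retention service unavailable: %s\n", strerror(-r));
    return r == 0 ? 0 : 1;
}
```

Two practical caveats. First, =keyctl add user foo bar @s= puts the secret on the command line, where it is visible in shell history and in =/proc/<pid>/cmdline=; for real secrets use =keyctl padd user foo @s= and supply the payload on stdin (the syscall version above never exposes it that way). Second, Docker's default seccomp profile denies =add_key=, =request_key= and =keyctl=, so inside such a container the round trip returns =-EPERM= rather than a key; the program reports that instead of failing silently.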
The
[[https://specifications.freedesktop.org/secret-service/latest/][secret-service]] API is the brain-child of GNOME Keyring dev Stef
Walter and KWallet's Michael Leupold. It is a user-space, general-purpose
secrets-management API that has to be implemented by a daemon; it is
Linux only and requires D-Bus.

A handful of apps implement the service side -
gnome-keyring, KeePassXC, etc. - and clients talk to whichever one owns
the =org.freedesktop.secrets= name on the session bus.
48 D-Bus is a real PITA so we may not go this route.
[[https://developer.apple.com/documentation/security/keychain_services/][keychain-services]] serve a similar purpose to secret-service. It is