
Mercurial > core / rust/lib/krypt/readme.org

changeset 698: 96958d3eb5b0
parent: 55fbe0e45b62
author: Richard Westhaver <ellis@rwest.io>
date: Fri, 04 Oct 2024 22:04:59 -0400
permissions: -rw-r--r--
description: fixes
#+TITLE: krypt
#+DESCRIPTION: Unix key management library
* Overview
The point of this library is to provide tools for /key management/
needs on Unix platforms. Our intent is to wrap well-built system
libraries such as Linux keyutils (keyctl) and provide simple safe APIs
for Common Lisp and Rust.

This library is opinionated about the algorithms it uses and is not a
general purpose tool.

For an introduction to the key management techniques used, check [[https://rtfm.co.ua/en/what-is-linux-keyring-gnome-keyring-secret-service-and-d-bus/][here]].

- [[https://blog.cloudflare.com/the-linux-kernel-key-retention-service-and-why-you-should-use-it-in-your-next-application/][Cloudflare - The Linux Kernel Key Retention Service and why you should use it in your next application]]
* System Libraries
** keyutils
#+begin_src shell :eval no :exports code
 sudo pacman -Sy keyutils
#+end_src

The library we are most keen on is [[https://man7.org/linux/man-pages/man7/keyutils.7.html][keyutils]] from the Linux Kernel
([[https://github.com/Distrotech/keyutils/blob/master/keyutils.h][git]]). It provides utilities for working with cryptographic keys and
uses syscalls to do the dirty work in kernel space. It has a simple
API and is supported on Linux/Darwin. Some Rust bindings are on
[[https://crates.io/crates/keyutils][crates.io]]; there are no Common Lisp bindings (yet).

It's a pretty bare-bones interface but is easy to embed in
applications. It's just 3 syscalls: =add_key=, =request_key= and
=keyctl=.

The utility program provided is called =keyctl=, which is useful for
testing and shell scripting.

#+begin_src shell :results silent :exports code
 keyctl add user foo bar @s
 keyctl list @s
#+end_src
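The following C program is an added example and is not part of the krypt project; it does the same round-trip as the =keyctl= lines above, but through the three raw syscalls the text names (=add_key=, =request_key=, =keyctl=) via =syscall(2)=, so it needs neither libkeyutils nor kernel headers. The key description =krypt-demo=, the payload and the function name =krypt_demo_roundtrip= are constructed for the example. A key is added to the session keyring, looked up again with =request_key=, read back with =KEYCTL_READ=, and then revoked so the secret does not linger in the keyring after the demo.

```c
/* Added example (not krypt project code): the three keyutils syscalls
 * driven directly through syscall(2). Constants are the stable kernel
 * ABI values from <linux/keyctl.h>, spelled out so no kernel headers
 * are needed. Linux only; elsewhere every call reports ENOSYS. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

typedef int32_t key_serial_t;

#define KEY_SPEC_SESSION_KEYRING (-3) /* "@s" in keyctl(1) */
#define KEYCTL_REVOKE 3
#define KEYCTL_READ   11

/* Thin wrappers: each returns the kernel's result, or -errno on failure. */
static long sys_add_key(const char *type, const char *desc,
                        const void *payload, size_t plen, key_serial_t ring)
{
#ifdef __linux__
    long r = syscall(SYS_add_key, type, desc, payload, plen, ring);
    return r < 0 ? -errno : r;
#else
    (void)type; (void)desc; (void)payload; (void)plen; (void)ring;
    return -ENOSYS;
#endif
}

static long sys_request_key(const char *type, const char *desc,
                            const char *callout, key_serial_t dest)
{
#ifdef __linux__
    long r = syscall(SYS_request_key, type, desc, callout, dest);
    return r < 0 ? -errno : r;
#else
    (void)type; (void)desc; (void)callout; (void)dest;
    return -ENOSYS;
#endif
}

static long sys_keyctl(int cmd, long a2, long a3, long a4, long a5)
{
#ifdef __linux__
    long r = syscall(SYS_keyctl, cmd, a2, a3, a4, a5);
    return r < 0 ? -errno : r;
#else
    (void)cmd; (void)a2; (void)a3; (void)a4; (void)a5;
    return -ENOSYS;
#endif
}

/* Add a "user" key to the session keyring, find it again with
 * request_key, read the payload back, then revoke it.
 * Returns 1 on a successful round-trip, 0 when the kernel key service
 * cannot be used here (no Linux, or add_key denied by a seccomp or
 * container policy), and -1 when the kernel accepted the key but the
 * lookup or the payload read did not match. */
int krypt_demo_roundtrip(const char *desc, const char *secret)
{
    size_t len = strlen(secret);
    char buf[256];

    long id = sys_add_key("user", desc, secret, len, KEY_SPEC_SESSION_KEYRING);
    if (id < 0)
        return 0; /* key service unavailable in this environment */

    int ok = -1;
    /* request_key searches the caller's thread, process and session keyrings;
     * a NULL callout means "do not upcall to /sbin/request-key". */
    long found = sys_request_key("user", desc, NULL, 0);
    if (found == id && len < sizeof buf) {
        /* KEYCTL_READ copies the payload and returns its full length */
        long n = sys_keyctl(KEYCTL_READ, id, (long)buf, (long)sizeof buf, 0);
        if (n == (long)len && memcmp(buf, secret, len) == 0)
            ok = 1;
    }
    /* Revoke so the sample secret does not outlive the demo. */
    sys_keyctl(KEYCTL_REVOKE, id, 0, 0, 0);
    return ok;
}

int main(void)
{
    /* "hunter2" is a constructed sample payload, not a real secret. */
    int r = krypt_demo_roundtrip("krypt-demo", "hunter2");
    printf("round-trip result: %d (1 = ok, 0 = unavailable, -1 = mismatch)\n", r);
    return r < 0;
}
```

Run it as an ordinary user; a result of 0 rather than 1 usually means the sandbox or container seccomp profile filters =add_key=, which is worth knowing before building on keyutils in a containerised deployment.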
38 
** secret-service
The [[https://specifications.freedesktop.org/secret-service/latest/][secret-service]] API is the brain-child of GNOME Keyring dev Stef
Walter and KWallet's Michael Leupold. User-space general-purpose
secrets management - needs to be implemented by a system daemon. Linux
only and requires D-Bus.

There are a handful of apps that support the client API -
gnome-keyring, KeePassXC, etc.

D-Bus is a real PITA so we may not go this route.

** keychain
[[https://developer.apple.com/documentation/security/keychain_services/][keychain-services]] serve a similar purpose to secret-service. It is
MacOS only.