enj / citadel Goto Github PK

It would be cool.

So it is easier to understand what KMS is doing.

We should have documentation. README.md is a good place to start.

Will allow the use of clevis + citadel on OSOS.

Create a small GRPC client that pretends to be Kube.

duh.

#27 made me realize that we are probably going to be adding more parameters to the command line to handle configuration. It might make more sense to just move to a single required parameter that points to the configuration file. TOML seems like a good choice for the format of the file.

We do not need any fancy versioning logic for citadel and it would make it easy for us to remove the vendor directory.

Currently, we return the ciphertext from AES-CBC. However, if we add other encryption modes in the future we will not be able to distinguish ciphertexts. We should store the mode with the ciphertext so that we can automatically distinguish which decryption mode to use.

Use https://github.com/miekg/pkcs11 and possibly the extended wrapper https://github.com/ThalesIgnite/crypto11 to add HSM support.

Would require having a very different mode:

1. The current command based KEK mode where we do the crypto
2. An HSM mode where we send the DEK/EDEK to the HSM for all crypto operations

Some basic setup, how to get it running (in whatever state it currently is in) against a kubernetes cluster (ex, oc cluster up?).

https://github.com/awnumar/memguard

• Include a nice description
• Use -- when printing arguments

We want unit tests.

Tests that actually run this with OpenShift

And update all the paths and such.

So we can actually tell where errors originate.

Would complement #15

Manually bumping git SHAs is painful.

This is so that clevis-kms can depend on it. Also, we need a release to package for Fedora.

Should reference citadel in some way:

https://en.wikipedia.org/wiki/Armored_citadel