Keyhouse organizes its storage into composable layers, all of which must implement the Store trait.
DB engines provide the base layer implementation; other layers then wrap and modify those underlying layers to build a storage engine suited to different needs.
- ETCD (https://etcd.io/)
- Internal/memory store (for testing)
- Cache: write-through, eventually-consistent cache
- Mask: Provides a read-only mask for when Keyhouse is in readonly mode.
- ETCD
- Cache
- Mask
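As an added example (not Keyhouse's own code), a minimal Rust stack in the shape of the layers above: a memory backend, a write-through Cache, and a read-only Mask, composed through an assumed Store trait with `get`/`put` methods (Keyhouse's real trait is richer).

```rust
// Added example, not Keyhouse's own code. The Store trait's get/put
// signatures are an assumption; Keyhouse's real trait is richer.
use std::collections::HashMap;
use std::sync::{Arc, Mutex};

#[derive(Debug, PartialEq)]
pub enum StoreError { ReadOnly }

pub trait Store: Send + Sync {
    fn get(&self, key: &str) -> Option<Vec<u8>>;
    fn put(&self, key: &str, value: Vec<u8>) -> Result<(), StoreError>;
}

/// Backend layer: the internal/memory store used for testing.
#[derive(Default)]
pub struct MemoryStore { data: Mutex<HashMap<String, Vec<u8>>> }

impl Store for MemoryStore {
    fn get(&self, key: &str) -> Option<Vec<u8>> { self.data.lock().unwrap().get(key).cloned() }
    fn put(&self, key: &str, value: Vec<u8>) -> Result<(), StoreError> {
        self.data.lock().unwrap().insert(key.to_string(), value);
        Ok(())
    }
}

/// Cache layer: write-through, so the inner store stays authoritative.
pub struct Cache { inner: Arc<dyn Store>, cache: Mutex<HashMap<String, Vec<u8>>> }

impl Store for Cache {
    fn get(&self, key: &str) -> Option<Vec<u8>> {
        if let Some(v) = self.cache.lock().unwrap().get(key) { return Some(v.clone()); }
        let v = self.inner.get(key)?;        // miss: fill from the inner layer
        self.cache.lock().unwrap().insert(key.to_string(), v.clone());
        Some(v)
    }
    fn put(&self, key: &str, value: Vec<u8>) -> Result<(), StoreError> {
        self.inner.put(key, value.clone())?; // inner write first; cache only on success
        self.cache.lock().unwrap().insert(key.to_string(), value);
        Ok(())
    }
}

/// Mask layer: rejects writes while Keyhouse is in readonly mode, passes reads through.
pub struct Mask { inner: Arc<dyn Store>, readonly: bool }

impl Store for Mask {
    fn get(&self, key: &str) -> Option<Vec<u8>> { self.inner.get(key) }
    fn put(&self, key: &str, value: Vec<u8>) -> Result<(), StoreError> {
        if self.readonly { Err(StoreError::ReadOnly) } else { self.inner.put(key, value) }
    }
}

/// Compose the layers listed above: Mask over Cache over a backend.
pub fn build_stack(backend: Arc<dyn Store>, readonly: bool) -> Mask {
    Mask { inner: Arc::new(Cache { inner: backend, cache: Mutex::new(HashMap::new()) }), readonly }
}
```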
ETCD is the primary store for Keyhouse. Other backend stores may be implemented in the future.
Production deployments of Keyhouse should have SPIFFE authentication and authorization. To shim that support into ETCD, spire-proxy can be used to handle mTLS and SPIFFE authorization.
This prefix stores JSON blobs corresponding to specific customer keys. See the CustomerKey struct for their structure.
Note that all sensitive data (keys, seeds, intermediate keys) is encrypted at rest in ETCD.
This prefix stores alias lookups for key ids; the value of each entry in ETCD is a customer key id.
This prefix stores JSON blobs corresponding to specific keyrings. See the Keyring struct for their structure.
This prefix stores JSON blobs corresponding to specific secrets under a specific customer key. See the Secret struct for their structure.
Secrets are encrypted at rest in ETCD by a data key generated by their corresponding customer key.