A simple Toolkit to act as a GPG Creator / Signer / Verifier. This abstracts the use of the GPG and makes easy to sign / verify any GPG document using just a POST request.
- Getting Started
- Creating GPG Keys
- Setting up Keys
- Listing loaded private keys
- Unlock Private Key
- Signing Data
- Listing cached public keys
- Verifying Signatures
- Encrypting Data
- Decrypting Data
Agent-UI project has been moved to a separated repository. Check https://github.com/quan-to/agent-ui
These are the Environment Variables that you can set to manage the webserver:
PRIVATE_KEY_FOLDER
=> Folder to load / store encrypted private keys. (defaults to './keys')MAX_KEYRING_CACHE_SIZE
=> Maximum Number of Public Keys to cache (does not include Private Keys derived Public Keys). (defaults to 1000)SHOW_LINES
=> Show filename and lines in logsREQUESTID_HEADER
=> Header field to get request IDLOG_FORMAT
=> Change log format (default is pipe delimited, provide the valuejson
to log in JSON format)SKS_SERVER
=> SKS Server to fetch / put public keys. (defaults to 'http://pgp.mit.edu/')KEY_PREFIX
=> Prefix of the name of the keys to load (for example a key prefixtest_
will load any key namedtest_XXXX
).MODE
=> Mode of remote-signer (single_key
,default
)ON_DEMAND_KEY_LOAD
=> Do not attempt to load all keys from keybackend. Load them as needed (defaultsfalse
)ENABLE_SWAGGER
=> Enables swagger on/swagger
for Remote Signer. (defaults totrue
)SET_EXPOSED_SERVICES
=> Enable only services described byEXPOSED_SERVICES
EXPOSED_SERVICES
=> List of comma separated values with the services that should be exposed__internal
=>/__internal
endpoint (needed for cluster key password sharing)gpg
=>/gpg
endpointtests
=>/tests
endpointkeyRing
=>/keyRing
endpointsks
=>/sks
endpointfieldCipher
=>/fieldCipher
endpointpks
=>/pks
endpointagent
=>/agent
endpointagentAdmin
=>/agentAdmin
endpointgraphiql
=>/graphiql
and/assets
endpointsagent
=>/agent
endpoint
Remote Signer can use REDIS as a caching layer for GPG Keys and Tokens. If enabled, it also does some in-memory local caching with a smaller TTL. To enable, use the following environment variables:
REDIS_ENABLE
=>true
if should be enabled (default: false
)REDIS_TLS_ENABLED
=>true
if TLS is enabled (default: false
)REDIS_HOST
=> Hostname of the REDIS server (default: localhost:6379
)REDIS_USER
=> Username of the REDIS serverREDIS_PASS
=> Password of the REDIS serverREDIS_MAX_LOCAL_TTL
=> Max local object TTL (in golang duration format):default: 5m
REDIS_MAX_LOCAL_OBJECTS
=> Max local objects (default: 100
)REDIS_CLUSTER_MODE
=> If the redis host is running in cluster mode. (default: false
)
AGENT_TARGET_URL
=> Target URL for Quanto Agent (defaults tohttps://quanto-api.com.br/all
)AGENT_KEY_FINGERPRINT
=> Default Key FingerPrint for AgentAGENT_BYPASS_LOGIN
=> If the Login for using Quanto Agent should be bypassed. DO NOT USE THIS IN EXPOSED REMOTESIGNERAGENT_EXTERNAL_URL
=> External URL used by GraphiQL to access agent. Defaults to/agent
AGENT_FORCE_URL
=> If true, forces agent URL to be the value defined byAGENT_TARGET_URL
AGENTADMIN_EXTERNAL_URL
=> External URL used by GraphiQL to access agent admin. Defaults to/agentAdmin
READONLY_KEYPATH
=> If the keypath is readonly. Iftrue
then it will create a temporary folder in/tmp
and copy all keys to there so it can work over it.HTTP_PORT
=> HTTP Port that Remote Signer will run- Single Key Mode (
MODE=single_key
)SINGLE_KEY_PATH
=> Path for the key to load as private keySINGLE_KEY_PASSWORD
=> Password of the key to load as private key
MASTER_GPG_KEY_PATH
=> Master GPG Key PathMASTER_GPG_KEY_PASSWORD_PATH
=> Master GPG Key Password PathMASTER_GPG_KEY_BASE64_ENCODED
=> If the Master GPG Key is base64 encoded (default: true)SYSLOG_IP
=> IP of the Syslog Server to send Console Messages (defaults to '127.0.0.1') Does not apply for WindowsSYSLOG_FACILITY
=> Facility of the Syslog to use. (defaults to 'LOG_USER')
VAULT_STORAGE
=> If a Hashicorp Vault should be used to store private keys instead of the disk (defaultsfalse
)VAULT_ADDRESS
=> Hashicorp Vault URLVAULT_SKIP_VERIFY
=> Hashicorp Vault Skip Verify SSL Certs on ConnectionVAULT_ROOT_TOKEN
=> Hashicorp Vault Root TokenVAULT_TOKEN_TTL
=> Hashicorp Vault Token TTL (for example24h
, default is768h
. For more information see https://golang.org/pkg/time/#ParseDuration)VAULT_BACKEND
=> Hashicorp Vault Backend (for examplesecret
)VAULT_NAMESPACE
=> if a Hashicorp Vault Namespace to use (appended to backend, for example if namespace isremote-signer
the keys are stored undersecret/remote-signer
)
ENABLE_DATABASE
=> Enables using database for Key Store (default: false
)DATABASE_DIALECT
=> Dialect of the Database connection (postgres
,rethinkdb
. Defaults: none)CONNECTION_STRING
=> Connection string for the database.DATABASE_TOKEN_MANAGER
=> Use database connection to manage tokensDATABASE_AUTH_MANAGER
=> Use database connection to manage agent logins
RethinkDB Usage is deprecated and discouraged
ENABLE_RETHINKDB_SKS
=> Enables Internal SKS Server using RethinkDB (default: false)- Use
DATABASE_DIALECT=rethinkdb
instead
- Use
RETHINK_TOKEN_MANAGER
=> If a TokenManager using RethinkDB Should be used (defaults tofalse
, uses MemoryTokenManager) [Requires ENABLE_RETHINK_SKS]- Use
DATABASE_TOKEN_MANAGER
instead
- Use
RETHINK_AUTH_MANAGER
=> If a AuthManager using RethinkDB Should be used (defaults tofalse
, uses JSONAuthManager) [Requires ENABLE_RETHINK_SKS]- Use
DATABASE_AUTH_MANAGER
instead
- Use
RETHINKDB_HOST
=> Hostname of RethinkDB Server (default: "rethinkdb")RETHINKDB_USERNAME
=> Username of RethinkDB Server (default "admin")RETHINKDB_PASSWORD
=> Password of RethinKDB ServerRETHINKDB_PORT
=> Port of RethinkDB Server (default 28015)DATABASE_NAME
=> RethinkDB Database Name (default "remote_signer")