A roundup of several open-source KMS implementations

Search keywords

open source key management server

“key management server”

ranger kms

rotate keys decrypting

KMIP

Centralized key workflow

Centralized Encryption Key Management Server (KMS) | Townsend Security


Keywhiz


Gitee mirror: keywhiz - Gitee.com

Keywhiz makes managing secrets easier and more secure. Keywhiz servers in a cluster centrally store secrets encrypted in a database. Clients use mutually authenticated TLS (mTLS) to retrieve secrets they have access to. Authenticated users administer Keywhiz via CLI. To enable workflows, Keywhiz has automation APIs over mTLS.

Keywhiz is a system for managing and distributing secrets, suited to service-oriented architectures (SOA).

Every organization's services and systems need passwords or other secrets:

TLS certificates or private keys

GPG keys

API tokens

Database credentials

The usual practice is to put secrets in configuration files, alongside the code, or to copy files onto servers by some out-of-band means. The former leaks easily; the latter is hard to track.

Keywhiz provides a simple yet secure way to manage these secrets. Keywhiz servers in a cluster store them centrally, encrypted in a database. Clients use mutually authenticated TLS (mTLS) to retrieve the secrets they are allowed to access. Authenticated users administer Keywhiz through a CLI or a web app UI. To support workflows, Keywhiz exposes automation APIs over mTLS and supports simple secret-generation plugins.


Vault

Vault Tutorials - HashiCorp Learn

HashiCorp Vault, as a centralized secrets-management tool, has the following characteristics:

Secret storage. Vault can store existing secrets and can also dynamically generate secrets for managing third-party resources. All stored data is encrypted, and every dynamically generated secret has a lease and is revoked automatically when the lease expires.

Key rolling. Users can update stored secrets at any time. Vault provides encryption-as-a-service, so a key can be rolled to a new key version at any time while retaining the ability to decrypt values that were encrypted under previous key versions. For dynamically generated secrets, a configurable maximum lease lifetime makes key rolling easy to enforce.

Audit logs. Vault stores detailed audit logs of all authenticated client interactions: authentication, token creation, secret access, secret revocation, and so on. Audit logs can be sent to multiple backends to ensure redundant copies.

In addition, HashiCorp Vault offers several ways to manage secrets. Users can retrieve secrets from the command line, through the HTTP API, or through other integrations built into their applications.



Author: ThoughtWorks
Link: https://www.jianshu.com/p/f34bf6ee3ac3
Source: Jianshu
Copyright belongs to the author. Contact the author for permission before commercial reuse; cite the source for non-commercial reuse.

Hashicorp Vault concise configuration tutorial - Zhihu

[Data Security] Adopting HashiCorp Vault: Day Zero | Chief Architect

KLMS / KMIP

KLMS over KMIP is a good and easy-to-use solution for key management. It is an open-source solution written in Java. See the link below for reference: IBM Developer

The package named stubInterface contains all the APIs required to use KLMS over KMIP.

KLMS: Key Lifecycle Management Systems

KMIP: Key Management Interoperability Protocol


PyKMIP

https://github.com/OpenKMIP (open-source implementation)

PyKMIP is a Python implementation of the Key Management Interoperability Protocol (KMIP), an OASIS communication standard for the management of objects stored and maintained by key management systems. KMIP defines how key management operations and operation data should be encoded and communicated between client and server applications. Supported operations include the full CRUD key management lifecycle, including operations for managing object metadata and for conducting cryptographic operations. Supported object types include:

symmetric/asymmetric encryption keys

passwords/passphrases

certificates

opaque data blobs, and more

Docker Hub

A few examples of client methods

.. py:method:: create(algorithm, length, operation_policy_name=None, name=None, cryptographic_usage_mask=None)

   Create a symmetric key on a KMIP appliance.

.. py:method:: create_key_pair(algorithm, length, operation_policy_name=None, public_name=None, public_usage_mask=None, private_name=None, private_usage_mask=None)

   Create an asymmetric key pair on a KMIP appliance.

.. py:method:: decrypt(data, uid=None, cryptographic_parameters=None, iv_counter_nonce=None)

   Decrypt data using the specified decryption key and parameters.

.. py:method:: delete_attribute(unique_identifier=None, **kwargs)

   Delete an attribute from a managed object.

.. py:method:: encrypt(data, uid=None, cryptographic_parameters=None, iv_counter_nonce=None)

   Encrypt data using the specified encryption key and parameters.

.. py:method:: get(uid=None, key_wrapping_specification=None)

   Get a managed object from a KMIP appliance.

.. py:method:: get_attributes(uid=None, attribute_names=None)

   Get the attributes associated with a managed object.

keytransparency

docs/design.md · mirrors_google/keytransparency - Gitee.com


Scenarios

Key Transparency ensures, with mathematical certainty, that account owners can see all the public keys that have been used to authenticate their account or send them messages.

This assured-system architecture is useful in a variety of scenarios from end-to-end encryption to enterprise account management. Any scenario that involves authenticating users with public keys (e.g. U2F) can significantly benefit from Key Transparency.

Scenarios and their descriptions:

Encrypted Messaging
   Key Transparency is ideal for user friendly end-to-end encrypted messaging. By making key management analogous to device management, users do not have to learn any new concepts, and no additional UI beyond device management is needed. Key management fits seamlessly into existing account life-cycle flows, and users are protected without requiring them to take additional actions.

Encrypted Storage
   Key Transparency can also be used to securely rotate the keys used for encrypted storage systems such as upspin.io.

PGP Encrypted Email
   Key Transparency was initially built to solve the problem of public key lookup for PGP email encryption. KT has the potential to make PGP significantly more usable than the existing web-of-trust model.

Insider Risk
   Key Transparency removes the ability of privileged users to modify other user accounts without detection. This protects the privileged user from manipulation and ensures system safety even if the privileged user's account is compromised.

Post Compromise Security Audit
   By relying on mathematics, Key Transparency significantly reduces the trusted computing base (TCB) of an authentication system. This makes reasoning about the security properties of an enterprise under attack much easier. The system administrator can have certainty that the authentication records for all accounts are intact, and that users will be able to quickly correct any account compromise.

Cloud Adoption
   By employing a zero-trust architecture, Key Transparency provides efficient evidence to relying parties that the authentication system is operating correctly on an ongoing basis. This can increase cloud product adoption by removing one system from the list of systems that are difficult for customers to audit and control.

Usage scenario example: upspin.io

Upspin architecture · Upspin

To illustrate the relationship between these components, here is the sequence of requests a client exchanges with the servers to read the file augie@upspin.io/Images/Augie/large.jpg:

1. The client asks the key server for the record describing the owner of the file, which is the user name at the beginning of the file name (augie@upspin.io). The key server's response contains the name of the directory server holding that user's tree (dir.upspin.io) and Augie's public key.

2. The client asks the directory server for the directory entry describing the file. The response contains a list of block references, which include the name of the store server (store.upspin.io).

3. The client can then ask the store server for each of the blocks, pipelining the requests for efficiency.

4. The client decrypts the blocks (using Augie's public key) and concatenates them to assemble the file.

Upspin Security · Upspin

As far as Upspin is concerned, a user is an email address, authenticated by an elliptic curve key pair used for signing and encrypting. We anticipate that the user will rotate keys over time, but we also assume that they will retain all old key pairs for use in decrypting old content, and will accept losing that access to that content if they lose all copies of their keys.

Key rotation

The table below tracks, for each upspin command in a rotation, which key is in the public/secret key files, which is in secret2.upspinkey, which key the key server publishes, which keys sign, and which key wraps content:

====================  =======================  =================  =========  ==========  =====
upspin cmd operation  public,secret.upspinkey  secret2.upspinkey  keyserver  signatures  wraps
====================  =======================  =================  =========  ==========  =====
initial key           k1                       -                  k1         k1, -       k1
new key               k2                       k1                 k1         k1, -       k1
countersign           k2                       k1                 k1         k2, k1      k1
rotate                k2                       k1                 k2         k2, k1      k1
share -fix            k2                       k1                 k2         k2, k1      k2
====================  =======================  =================  =========  ==========  =====

Kubernetes KMS

Using a KMS provider for data encryption | Kubernetes

The KMS encryption provider uses an envelope encryption scheme to encrypt data in etcd. The data is encrypted with a data encryption key (DEK), and a fresh DEK is generated for every encryption. The DEKs are encrypted with a key encryption key (KEK) that is stored and managed in a remote KMS. The KMS provider talks to a specific KMS plugin over gRPC; that plugin, which is implemented as a gRPC server, is deployed on the same host as the Kubernetes control plane and is responsible for all communication with the remote KMS.

Hadoop KMS / Ranger KMS

https://www.ibm.com/support/knowledgecenter/en/SSPT3X_4.2.5/com.ibm.swg.im.infosphere.biginsights.admin.doc/doc/admin_migrate_kms.html#:~:text=The%20main%20difference%20between%20Hadoop%20KMS%20and%20Ranger,KMS%20is%20provided%20through%20the%20Ranger%20admin%20portal.

Ranger KMS is based on Hadoop KMS, developed by the Apache community. The main difference between Hadoop KMS and Ranger KMS is that Hadoop KMS stores keys in a file-based Java keystore, whereas Ranger allows you to store keys in a secure database. Centralized administration of Ranger KMS is provided through the Ranger admin portal.

There are three main functions within the Ranger KMS: Key management, Access control policies for key management, and audit. To know how to set up and configure Ranger KMS, visit our knowledge center.

Ranger authorization, Ranger KMS key management and Kerberos authentication integrated (installed on the Ambari platform)... - 程序员大本营

Configuring Ranger KMS encryption for HDFS and setting permissions

This article was contributed by an internet user; the views expressed are the author's own. If reposting, please cite the source: http://www.mzph.cn/news/496799.shtml
