#secret #service #key #secret-management #root-key #chamber #self-hostable

bin+lib chamber-cli

The CLI for Chamber, the self-hostable SecretOps service

2 unstable releases

0.2.0 Dec 30, 2023
0.1.0 Dec 25, 2023

#1502 in Cryptography

MIT license

65KB
1.5K SLoC

chamber: A self-hostable SecretOps service.

Do you have NIH syndrome? Me too, which is why I made this web service so I can avoid the complexity of having to use Hashicorp Vault.

Usage

The easiest way to start using Chamber is via the CLI. You will need to install it using the following:

cargo install chamber-cli

You'll want to then set the URL of your Chamber instance using chamber website set [VALUE].

Initially when you load up the web service, a root key will be auto generated for you that you can find in the logs. You will need to use this key to unseal the web service using chamber unseal [VALUE].

Once this is done, you can then generate a chamber.bin file using chamber keygen and use chamber upload to upload the new keyfile to the web service to reset your seal key (and cryptographic key)!

Deployment to Shuttle

To deploy this as a Shuttle service, run the following:

cargo shuttle init --from joshua-mo-143/chamber --subfolder chamber-server

You will probably want to use chamber keygen to generate a new keyfile and include it in your project root. This will allow you to keep your keyfile persistent across deployments. shuttle-persist support is planned to make it easier to persist your keyfiles.

Dockerfile Deployment

Deploy on Railway A dockerfile has been added for your convenience.

The dockerfile takes the DATABASE_URL and PORT environment variables.

Features

  • Store your secrets in a self-hostable web server
  • Lock and unlock your instance using root key
  • Encrypt your secrets using AES-256-GCM
  • IAM system that allows you to lock secrets by role whitelist and power level
  • Categorise your secrets easily using tags
  • Postgres backend (multiple backends to be supported in future)
  • Written in Rust

Future short-term features

  • Secrets will be encrypted and signed

Long(er) Term Roadmap

  • Logging/tracing
  • SDK

How Chamber works

There are several moving parts to Chamber:

  • A web server that has can be unlocked and locked as required
  • A command-line interface that serves as the current primary way to interact with a Chamber server
  • The core (which holds methods for storing data, encryption and decryption, and other misc things)

How secure is Chamber?

Please refer to the SECURITY.md file for a full explanation.

For the TL;DR: This service is reasonably secure if you are using it for small scale projects. Work is being done to enhance the security as outlined in the aforementioned file. Expect the API to be unstable.

Dependencies

~36–51MB
~1M SLoC