NTmatter/tldr-lib
TLDR - Lib

Tang in a Lambda with Database, written in Rust.

Description

A serverless, high-availability and fault-tolerant Tang server with broad backend support. This crate provides the key-storage backends and the secret-recovery logic, which can be served by a small web application or a serverless function.

The current focus is the AWS serverless platform, using Lambda and DynamoDB, which scales down to zero for small deployments and scales up as far as your budget allows.

History and Lineage

TLDR Lib is a fork of Martyn P's Tangy-Lib, which reimplements the core functionality of Latchset's Tang server.

TLDR Lib diverges from Tangy-Lib by using a database to store keys, rather than a filesystem. The initial focus will be on DynamoDB to facilitate small AWS deployments.

The Tang protocol lets a client bind a secret to a Tang server's key so that the secret can only be recovered when the client can reach that server; the server itself stores nothing on the client's behalf. For example, the Clevis tools automate the decryption of LUKS partitions when the encrypted device is connected to a network from which the Tang server is reachable.

See the original Tang project for a complete description: https://github.com/latchset/tang

Fraser Tweedale's 2020 Linux Conference Australia talk "Clevis and Tang: securing your secrets at rest" is a great resource.

Installation

Installation via cargo:

cargo add tldr-lib

Or directly in the dependencies section of Cargo.toml:

[dependencies]
tldr-lib = "0.1"

Usage

Tldr-lib has an initialization method which takes a URL as input. Url::parse returns a Result, so each URL must be unwrapped (or handled) before it is passed in:

use tldr_lib::{KeySource, TangyLib};
use url::Url;

// File-based backend
let url = Url::parse("file://path/to/store").unwrap();
// DynamoDB, all arguments taken from the environment; the default table is tldr-keys
let url = Url::parse("dynamodb://").unwrap();
// DynamoDB with a custom table name
let url = Url::parse("dynamodb:///custom-table").unwrap();
// A local DynamoDB endpoint with a custom table name
let url = Url::parse("dynamodb://localhost:8000/custom-table?insecure=true").unwrap();

// More backends to come!

let mut tangy = TangyLib::new(url).unwrap();
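The backend URL forms above carry the deployment's trust decisions (which endpoint, which table, whether `insecure=true` is set). The following is an added example, not tldr-lib's own parser: it reads those URL forms into a typed config with the standard library only and enforces one policy on top, namely that `insecure=true` (assumed here to mean a plaintext connection to a local DynamoDB endpoint; the crate's exact semantics are not documented on this page) is only honoured when the endpoint is a loopback host. The default port of 8000 and the `Backend` type are this example's own assumptions.

```rust
// Added example, not tldr-lib's own code: parse the README's backend URL
// forms into a typed config and reject `insecure=true` for non-loopback hosts.
use std::collections::HashMap;
use std::net::IpAddr;

#[derive(Debug, PartialEq)]
enum Backend {
    File { path: String },
    DynamoDb { endpoint: Option<(String, u16)>, table: String, insecure: bool },
}

const DEFAULT_TABLE: &str = "tldr-keys"; // default table named in the README
const DEFAULT_LOCAL_PORT: u16 = 8000; // assumption: DynamoDB Local's default port

/// "localhost" or a literal loopback address. Bracketed IPv6 literals are not handled.
fn is_loopback_host(host: &str) -> bool {
    host == "localhost"
        || host.parse::<IpAddr>().map(|ip| ip.is_loopback()).unwrap_or(false)
}

fn parse_backend(url: &str) -> Result<Backend, String> {
    let (scheme, rest) = url
        .split_once("://")
        .ok_or_else(|| "missing scheme".to_string())?;
    match scheme {
        "file" => {
            if rest.is_empty() {
                return Err("file:// needs a path".to_string());
            }
            Ok(Backend::File { path: rest.to_string() })
        }
        "dynamodb" => {
            // Split off the query string first, then authority ("host:port", or
            // empty when everything comes from the environment) from the table path.
            let (rest, query) = rest.split_once('?').unwrap_or((rest, ""));
            let (authority, path) = rest.split_once('/').unwrap_or((rest, ""));
            let endpoint = if authority.is_empty() {
                None
            } else {
                let (host, port) = match authority.rsplit_once(':') {
                    Some((h, p)) => (
                        h,
                        p.parse::<u16>().map_err(|_| format!("bad port {:?}", p))?,
                    ),
                    None => (authority, DEFAULT_LOCAL_PORT),
                };
                Some((host.to_string(), port))
            };
            let table = if path.is_empty() {
                DEFAULT_TABLE.to_string()
            } else {
                path.to_string()
            };
            if table.contains('/') {
                return Err(format!("table must be a single path segment: {:?}", table));
            }
            let params: HashMap<&str, &str> = query
                .split('&')
                .filter_map(|kv| kv.split_once('='))
                .collect();
            let insecure = params.get("insecure").map_or(false, |v| *v == "true");
            // Policy: a plaintext connection is only acceptable to a loopback endpoint.
            let loopback = endpoint.as_ref().map_or(false, |(h, _)| is_loopback_host(h));
            if insecure && !loopback {
                return Err("insecure=true is only accepted for a loopback endpoint".to_string());
            }
            Ok(Backend::DynamoDb { endpoint, table, insecure })
        }
        other => Err(format!("unsupported backend scheme {:?}", other)),
    }
}

fn main() {
    // Constructed inputs: the README's URL forms plus one that the policy rejects.
    for u in [
        "file://path/to/store",
        "dynamodb://",
        "dynamodb:///custom-table",
        "dynamodb://localhost:8000/custom-table?insecure=true",
        "dynamodb://dynamodb.example.com/custom-table?insecure=true",
    ] {
        println!("{} -> {:?}", u, parse_backend(u));
    }
}
```

The check is deliberately placed at config-parsing time rather than at connection time: a deployment that accidentally points `insecure=true` at a remote endpoint should fail to start, not quietly ship key material over plaintext.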

If the LocalDir does not contain a key set, a new key set is generated and saved to that directory.

The local-directory and vector load methods process the keys and return an std::io::Error if a JWK cannot be loaded or if some keys are missing; the error kind is std::io::ErrorKind::Unsupported for a key that cannot be loaded and std::io::ErrorKind::NotFound for a missing key.

If init returns Ok then everything else should work.

Tang has two stages, advertisement and recovery; the library exposes them as adv and rec, which produce the advertisement response and the recovery response respectively:

use tldr_lib::{KeySource, TangyLib};
let mut tangy = TangyLib::init(KeySource::LocalDir(&dir_path)).unwrap();
let adv = tangy.adv(None).unwrap();
// kid: thumbprint of the server's ECMR key; data: the client's ephemeral public key as a JWK
let rec = tangy.rec(&kid, &data).unwrap();

The parameter passed to adv is the thumbprint of the signing key to use; it is usually None, which uses all signing keys. If a thumbprint is given but no matching signing key is found, adv returns Err(std::io::Error) with ErrorKind set to std::io::ErrorKind::NotFound.

For recovery, kid is the thumbprint of the Elliptic Curve Message Recovery (ECMR) key and data is the ephemeral public key generated by the client, in JWK format.
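To make clear what rec is actually computing, and why the server never sees the client's key, here is an added example of the McCallum-Relyea exchange behind Tang's two stages. It is not code from tldr-lib or Tang: it carries the exchange out in the multiplicative group of a prime field (2^61 - 1) instead of the NIST P-521 curve Tang uses, so that it runs with the standard library alone. Exponentiation here plays the role of scalar multiplication on the curve; the algebra, and the blinding that protects the client's key, are the same. The `TangServer`, `Binding`, `provision` and `recover` names and the fixed secrets in `main` are this example's own.

```rust
// Added example, not tldr-lib or Tang code: the McCallum-Relyea exchange
// (adv + rec) in a prime-field group, with the same algebra as Tang's ECMR.

const P: u128 = 2_305_843_009_213_693_951; // 2^61 - 1, a Mersenne prime
const G: u128 = 7; // group generator; any nonzero element works for the algebra

fn mul(a: u128, b: u128) -> u128 {
    (a * b) % P // a, b < 2^61, so the product fits in u128 without overflow
}

/// Square-and-multiply exponentiation mod P (the analogue of scalar multiplication).
fn pow(mut base: u128, mut exp: u128) -> u128 {
    let mut acc: u128 = 1;
    base %= P;
    while exp > 0 {
        if exp & 1 == 1 {
            acc = mul(acc, base);
        }
        base = mul(base, base);
        exp >>= 1;
    }
    acc
}

/// Multiplicative inverse via Fermat's little theorem (P is prime, a != 0).
fn inv(a: u128) -> u128 {
    pow(a, P - 2)
}

/// Server side: holds the ECMR private key s and publishes S = G^s.
struct TangServer {
    s: u128,
    s_pub: u128,
}

impl TangServer {
    fn new(s: u128) -> Self {
        TangServer { s, s_pub: pow(G, s) }
    }

    /// adv: hand out the public key. In real Tang this is a JWS over the
    /// server's JWKs signed with its ES512 key, which the client must verify.
    fn adv(&self) -> u128 {
        self.s_pub
    }

    /// rec: apply the private key to a blinded value. The server sees only X
    /// and learns neither the client's C nor the derived key K.
    fn rec(&self, x: u128) -> u128 {
        pow(x, self.s)
    }
}

/// What the client persists (for Clevis, in the LUKS header): C and the server key S.
struct Binding {
    c_pub: u128,
    s_pub: u128,
}

/// Provisioning: derive K = S^c as the wrapping key, keep C = G^c, and forget c.
fn provision(s_pub: u128, c: u128) -> (u128, Binding) {
    let k = pow(s_pub, c);
    let binding = Binding { c_pub: pow(G, c), s_pub };
    (k, binding) // c goes out of scope here and is never stored
}

/// Recovery: blind C with a fresh ephemeral E = G^e, ask the server for
/// Y = (C*E)^s, then strip the blinding factor S^e to recover K = C^s.
fn recover(server: &TangServer, b: &Binding, e: u128) -> u128 {
    let e_pub = pow(G, e);
    let x = mul(b.c_pub, e_pub); // X = C * E, the only value sent to the server
    let y = server.rec(x); // Y = X^s = C^s * E^s
    mul(y, inv(pow(b.s_pub, e))) // Y / S^e = C^s = G^(cs) = K
}

fn main() {
    // Constructed secrets for the demo; a real deployment draws them from a CSPRNG.
    let server = TangServer::new(0x1234_5678_9abc_def0);
    let (k, binding) = provision(server.adv(), 0x0fed_cba9_8765_4321);
    let recovered = recover(&server, &binding, 0x0bad_f00d_cafe_1234);
    assert_eq!(k, recovered);
    println!("recovered key matches: {:#x}", recovered);
}
```

Two properties worth noticing in the code: recovery works with any fresh ephemeral e, so the client never needs to keep c, and a server holding a different private key produces a value that does not unblind to K, which is exactly why the advertisement (adv) must be signed and verified before a client binds to it.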

A key creation mechanism is provided:

let keys : Vec<String> = tldr_lib::create_new_key_set();

It creates ES512 and ECMR keys.

Credits

The original author of Tangy is Martyn P.

The original authors of Tang are Latchset. Tang is based on the protocol described by Nathaniel McCallum and Robert Relyea (https://marc.info/?m=144173814525805).

License

Apache-2.0 or MIT - you decide!

How to Contribute

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you, as defined in the Apache-2.0 license, shall be dual licensed (Apache-2.0 and MIT), without any additional terms or conditions.
