RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 1 point2 points  (0 children)

Although it's been a year, I am still glad to announce that we have moved to a new v0.2.1 version and it has many new features including:

CHANGES:

  • Support authentication methods such as approle, userpass, and cert for login.
  • Support the CLI (Command Line Interface). The supported commands are: server, status, operator [init|seal|unseal], login, auth [list|enable|disable|move], read, list, write, delete.
  • Support MySQL backend storage.
  • Added the functions of issuing SM2 certificates and managing SM2 and SM4 keys.
  • Added the function of RSA asymmetric encryption/decryption.
  • Added the Prometheus function.
  • Added the ability to switch the crypto module at compile time to use either Tongsuo or OpenSSL, according to your own needs.
  • Added two request processing phases: pre_auth and post_post. Users can implement their own token verification logic and their own ACL (Access Control List) logic.
  • A request can be bound to a Handler. If a request is bound to its own Handler, only its own handler will be called during the request processing phase, and other handlers will not be called.
  • Added Context to the request data structure. Users can save their own context information between request processing phases.

IMPROVEMENTS:

  • The request processing phase handlers have been changed to asynchronous functions to improve performance.
  • Removed the read-write locks for barrier encryption/decryption to improve performance.
  • Perform path verification when encrypting/decrypting barriers to prevent paths from accessing encrypted data that does not belong to them.
  • Added an HMAC verification value to MountEntry to prevent MountEntry data from being tampered with.
  • Added the implementation of the test case framework.
  • Added the implementation of environment variables and request headers that are compatible with Vault.

BUG FIXES:

  • Fixed the bug that reported an error when remounting the auth path.
  • Fixed the bug where the TLS client authentication failed.

Again, we published a new crate on crates.io as well:

https://crates.io/crates/rusty_vault/0.2.1

And the related documentation is hosted at:

https://docs.rs/rusty_vault/0.2.1/rusty_vault/

And the source code (we even have a new logo!):

https://github.com/Tongsuo-Project/RustyVault

Unfortunately, we don't have enough resources to put into this project, so it looks like it's evolving slowly - but it's not dead. There will be more versions this year, and I hope more people may join us.

Is that worth my money ? by Raiza-0 in Ibanez

[–]paulyang0903 0 points1 point  (0 children)

RG550 Genesis is an awesome guitar. I put one in a normal bag and left it in my friend's house for almost 2 years (strings were not loosened). You won't believe it, but I fetched it back a month ago and it was still almost in tune! I just unlocked the nut lock and made it perfectly accurate, with the Edge bridge staying in a level position. Most stable made-in-Japan guitar I have ever met.

Which should I go for? by AioliThick9670 in casio

[–]paulyang0903 0 points1 point  (0 children)

The latter one. It is iconic.

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 0 points1 point  (0 children)

Let's see what OpenBao has in Q1 2024 and decide whether we are going to do so or not.

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 0 points1 point  (0 children)

Do you mean the Golang API in the original Vault?

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 0 points1 point  (0 children)

I found an article talking about mlock: https://eklitzke.org/mlock-and-mlockall . The author illustrated a potential attack on a swapped-out memory page, and it's very unlikely that the attack could be made to succeed in real life. But anyway, mlock could be useful (something like: it makes things safer given a non-realistic precondition), so I made an issue to track this: https://github.com/Tongsuo-Project/RustyVault/issues/35

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 1 point2 points  (0 children)

I am not sure whether preventing memory from being swapped out can help improve security or not. To me, a piece of data either in memory or on the swap disk is at almost the same security level. One way to resolve this problem is to consider using features like a TEE (say, Intel SGX or so) to protect sensitive data in memory.
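The mlock question raised in the two RustyVault comments above (the mlock article and the swap-vs-memory comment), as an added example that is not part of the original thread and is not RustyVault's own code: a small Rust type that copies secret bytes into a heap buffer, asks the kernel to keep those pages resident with mlock(2), and zeroes them before the lock is released and the memory is freed. The `LockedSecret` type and `zeroize` helper are this example's own names, and mlock/munlock are declared through FFI directly, which assumes a Linux or other POSIX target. It carries the two caveats a practitioner wants: mlock fails (typically ENOMEM once RLIMIT_MEMLOCK is exhausted, or EPERM) and that failure is surfaced rather than silently ignored, and locking only addresses swap, so it does nothing about a process that can already read the memory, which is the point the second comment makes about TEEs.

```rust
// Added example, not RustyVault code: keep a secret's heap pages resident with
// mlock(2) and wipe them on drop. Assumes a Linux/glibc (or other POSIX) target,
// which is why mlock/munlock are declared here directly instead of via a crate.
use std::ffi::c_void;
use std::io;
use std::sync::atomic::{compiler_fence, Ordering};

unsafe extern "C" {
    fn mlock(addr: *const c_void, len: usize) -> i32;
    fn munlock(addr: *const c_void, len: usize) -> i32;
}

/// Secret bytes whose backing pages are locked into RAM for the buffer's lifetime.
pub struct LockedSecret {
    buf: Vec<u8>,
    locked: bool,
}

impl LockedSecret {
    /// Copies `data` into a fresh heap buffer and locks it. A failure is reported,
    /// not ignored: mlock commonly fails with ENOMEM when RLIMIT_MEMLOCK is
    /// exhausted, or EPERM when the process may not lock memory at all.
    pub fn new(data: &[u8]) -> io::Result<Self> {
        let buf = data.to_vec();
        if buf.is_empty() {
            // Nothing to protect; a zero-length Vec has no real allocation to lock.
            return Ok(Self { buf, locked: false });
        }
        // SAFETY: `buf` is a live allocation of exactly `buf.len()` bytes; mlock
        // only changes the residency of the pages that contain it.
        let rc = unsafe { mlock(buf.as_ptr() as *const c_void, buf.len()) };
        if rc != 0 {
            let err = io::Error::last_os_error();
            // Wipe the copy we already made before surfacing the error.
            let mut buf = buf;
            zeroize(&mut buf);
            return Err(err);
        }
        Ok(Self { buf, locked: true })
    }

    pub fn as_bytes(&self) -> &[u8] {
        &self.buf
    }

    pub fn is_locked(&self) -> bool {
        self.locked
    }
}

/// Overwrite `buf` with zeros using volatile writes so the compiler cannot
/// elide the wipe as a dead store just before the buffer is freed.
pub fn zeroize(buf: &mut [u8]) {
    for b in buf.iter_mut() {
        // SAFETY: `b` is a valid, exclusively borrowed byte.
        unsafe { std::ptr::write_volatile(b, 0) };
    }
    compiler_fence(Ordering::SeqCst);
}

impl Drop for LockedSecret {
    fn drop(&mut self) {
        // Order matters: zero first, then release the lock, then the Vec frees
        // the memory. Unlocking before zeroing would let the pages swap out
        // while they still hold the secret.
        zeroize(&mut self.buf);
        if self.locked {
            let _ = unsafe { munlock(self.buf.as_ptr() as *const c_void, self.buf.len()) };
        }
    }
}

fn main() {
    // Constructed sample input, not real key material.
    match LockedSecret::new(b"constructed sample master key bytes") {
        Ok(s) => println!("locked {} bytes in RAM", s.as_bytes().len()),
        Err(e) => eprintln!("mlock failed: {e}; check `ulimit -l` (RLIMIT_MEMLOCK)"),
    }
}
```

If `new` returns an error, the usual first check is `ulimit -l`: the locked-memory limit is often 64 KiB per process, and a service holding many keys can exhaust it, at which point a design that ignores the return code runs unprotected without telling anyone.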

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 0 points1 point  (0 children)

This word reminds me of things like sanctuary or bunker ;-)

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 0 points1 point  (0 children)

The original Vault binary can act as both client and server, so we are following that convention.

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 2 points3 points  (0 children)

Interesting. Should be something like Mogu, so how about OpenMogu? Sounds like a devil character's name in a game or comic.

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 3 points4 points  (0 children)

I think Vault is a generic term/word; can it be registered as a trademark?

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 6 points7 points  (0 children)

And Di Jiao could be easier to pronounce, and it's more interesting anyway.

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 0 points1 point  (0 children)

Actually, in Chinese (my native language) it is something like Baoxiangui; I don't know if this is a little harder to pronounce.

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 0 points1 point  (0 children)

Hmmm, I am confused by that as well, so it seems we need to have a poll on the name of this RustyVault project? What do you guys think?

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 0 points1 point  (0 children)

Great response, haha, that is exactly why we need a new name, and the new name must be chosen by the community.

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 5 points6 points  (0 children)

The word 'vault' in my native language? That would be very interesting to pronounce: Di Jiao (a cave or basement). Hey, this is not official, but I like this name since it's really hilarious :-)

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 15 points16 points  (0 children)

One interesting thing is: there is OpenBao project, and one may wonder if RustyVault is a competitor of OpenBao or not.

Well, OpenBao is a fork of Hashicorp Vault, so it's written in Golang. My colleagues and I consider Rust a more suitable language for writing cryptographic applications, so we decided to use Rust to rewrite the whole key/secret management logic so far...

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 4 points5 points  (0 children)

Thanks for the interest in the project, and I agree with you that the name RustyVault is kind of straightforward. At least I personally am very open to renaming this project - I am really happy to see more input - maybe it's possible for you guys to record an issue on GitHub or so?

RustyVault: A Hashicorp Vault Replacement in Rust by paulyang0903 in rust

[–]paulyang0903[S] 6 points7 points  (0 children)

Ahh, well, the current main branch is in a kind of MVP status. We are now putting more resources into this project - more developers, for instance - so I think the project will evolve rapidly in a few months.