Minivault
Local credentials vault with a granular permission model.
Credential access can be granted by executable path, UIDs and GIDs.
This allow more secure handling of credentials compared to the file system access control
Usage
Application side:
-
Fetch credentials using HTTP: http://127.0.0.1:5588/v1/MyCredentialName
-
Delete credentials from memory immediately after use. Fetch it again when needed.
Minivault:
-
Configure credentials in /etc/minivault.conf (See example.conf)
-
Access can be filtered by executable paths, UIDs, GIDs
-
If the binpaths, gids, uids keys are not specified anything will match
Example:
{
"format-version": 1,
"credentials": {
"mycredential": {
"binpaths": ["/usr/bin/curl"],
"gids": [1000],
"uids": [1000, 1001],
"value": "This is the secret value. Only curl can fetch it."
},
"credentials2": {
"uids": [1000],
"value": "Every application run by the user with ID 1000 can read this"
},
"credentials3": {
"binpaths": ["/usr/bin/python"],
"value": "Every application written in Python, regardless of UID/GID, can read this (!)"
}
}
}
System-wide installation
Install Nim (devel or later than 0.19.4) on Debian/Ubuntu with:
sudo apt install nim
Build and install the package with:
nimble build_deb sudo dpkg -i ../minivault_*.deb
Monitor with:
sudo journalctl -f -u minivault
Local run
Build a binary with:
nimble build
Run:
./minivault
Contributing
Testing and PRs are welcome.