Merge pull request #1 from MGTheTrain/feature/crypto-operations
Feature/crypto operations
MGTheTrain authored Nov 12, 2024
2 parents acfcb97 + 2a4f20d commit e0a2b3a
Showing 28 changed files with 1,019 additions and 5 deletions.
11 changes: 6 additions & 5 deletions README.md
Expand Up @@ -9,7 +9,7 @@

## Summary

RESTful Web API for managing cryptographic material (x.509 certs and keys) and securing data at rest (metadata, BLOB)
RESTful Web API for managing cryptographic keys and securing data at rest (metadata, BLOB)

## References

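Review bot: the summary line now drops X.509 certificates ("cryptographic material (x.509 certs and keys)" becomes "cryptographic keys"), which matches the removal of X.509 from the "Manage cryptographic material" item in the second hunk; the first functional item still says "managing cryptographic material", so consider aligning that wording as well so the stated scope reads consistently across the README.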
Expand All @@ -20,10 +20,11 @@ TBD
### Functional

- [ ] **Provide RESTful API for cryptographic operations**: Expose endpoints for managing cryptographic material and securing data (files, metadata) at rest.
- [ ] **Asymmetric encryption and decryption**: Support RSA, ECC and other asymmetric encryption algorithms for data protection.
- [ ] **Symmetric encryption**: Support for symmetric key encryption (e.g. AES) for data protection.
- [ ] **Manage cryptographic material**: Enable management of X.509 certificates, private/public key pairs and symmetric keys (generation, import/export, rotation, etc.).
- [ ] **Hashing and signature verification**: Support hashing algorithms (e.g. SHA-256, SHA-512) and verify signatures using asymmetric keys (RSA, ECDSA, etc.).
- [x] **Asymmetric encryption and decryption**: Support RSA and other asymmetric encryption algorithms for data protection.
- [x] **Symmetric encryption**: Support for symmetric key encryption (e.g. AES) for data protection.
- [x] **Hashing and signature verification**: Support hashing algorithms (e.g. SHA-256, SHA-512) and verify signatures using asymmetric keys (RSA, ECDSA, etc.).
- [ ] **PKCS#11 integration**: Enable key management in FIPS-compliant hardware or software.
- [ ] **Manage cryptographic material**: Enable management of private/public key pairs and symmetric keys (generation, import/export, rotation, etc.).
- [ ] **Key management lifecycle**: Implement key lifecycle management (generation, rotation, revocation, expiration).
- [ ] **Secure file storage integration**: Provide mechanisms to securely store encrypted files in BLOB storage (e.g. AWS S3, Azure Blob Storage, Google Cloud Storage).
- [ ] **Access control**: Implement role-based access control (RBAC) for APIs ensuring that only authorized users can perform operations on cryptographic material.
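Review bot: "Hashing and signature verification" is ticked as done for "asymmetric keys (RSA, ECDSA, etc.)", but the only signature commands documented in this PR are sign-ecc and verify-ecc; either narrow the item to what ships (ECDSA) or leave the RSA part unchecked. Dropping ECC from "Asymmetric encryption and decryption" is correct, since the EC key here is used for signatures rather than encryption, so the new CLI README's claim of encryption "using AES, RSA and EC algorithms" should be reworded to match this list.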
69 changes: 69 additions & 0 deletions cmd/crypto-vault-cli/README.md
@@ -0,0 +1,69 @@
# crypto-vault-cli

`crypto-vault-cli` is a command-line tool for file encryption and decryption using AES, RSA and EC algorithms. It provides an easy interface to securely encrypt and decrypt files using symmetric (AES) and asymmetric (RSA, EC) cryptography.

## Prerequisites

- Install Go from the official Go website, or use this [devcontainer.json](../../.devcontainer/devcontainer.json) with the [DevContainer extensions in VS Code or other IDE supporting DevContainers](https://marketplace.visualstudio.com/items?itemName=ms-vscode-remote.remote-containers)

## Getting Started

### Encryption/Decryption

**AES example**

```sh
# Encryption
go run crypto-vault-cli.go encrypt-aes --input data/input.txt --output data/output.enc --keySize 16 --keyDir data/
# Decryption
go run crypto-vault-cli.go decrypt-aes --input data/output.enc --output data/decrypted.txt --keyDir data/
```

**RSA Example considering external key generation**

```sh
cd data
openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl rsa -pubout -in private_key.pem -out public_key.pem
cd -

# Encryption
go run crypto-vault-cli.go encrypt-rsa --input data/input.txt --output data/encryptedII.txt --publicKey data/public_key.pem

# Decryption
go run crypto-vault-cli.go decrypt-rsa --input data/encryptedII.txt --output data/decryptedII.txt --privateKey data/private_key.pem
```

**RSA Example considering internal key generation**

```sh
# Encryption
go run crypto-vault-cli.go encrypt-rsa --input data/input.txt --output data/encryptedII.txt

# Decryption
go run crypto-vault-cli.go decrypt-rsa --input data/encryptedII.txt --output data/decryptedII.txt --privateKey data/private_key.pem
```

**RSA with PKCS#11 Example considering external key generation**

```sh
TBD
```

**RSA with PKCS#11 Example considering internal key generation**

```sh
TBD
```

### Hashing / Verifying signatures

**ECDSA Example considering internal key generation**

```sh
# Sign a file with a newly generated ECC key pair (internally generated)
go run crypto-vault-cli.go sign-ecc --input data/input.txt --keyDir data

# Verify the signature using the generated public key
go run crypto-vault-cli.go verify-ecc --input data/input.txt --publicKey data/public_key.pem --signature data/signature.sig
```
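Review bot: several examples leave key locations implicit. decrypt-aes takes only `--keyDir data/`, so the expected key file name in that directory should be stated; the "internal key generation" encrypt-rsa call passes no `--keyDir` or key output path, yet the matching decrypt-rsa reads `data/private_key.pem`, so document where the generated pair is written. `--keySize 16` needs a unit (bytes, i.e. AES-128, or bits) so users do not pick an invalid size. The ECC verify example reads `data/public_key.pem`, the same name the openssl RSA example writes into `data/`, so running the sections in order overwrites one public key with another; distinct names such as `rsa_public_key.pem` and `ec_public_key.pem` would avoid that. Finally, the two PKCS#11 sections fence the word "TBD" as shell; a plain sentence saying the feature is not yet implemented would be clearer than an empty code block.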
0 comments on commit e0a2b3a