mirror of
https://github.com/matter-labs/teepot.git
synced 2025-07-21 15:13:56 +02:00
ddbf099e45
- Added comprehensive README files for the following new crates: - `teepot` - `teepot-tdx-attest-rs` - `teepot-tdx-attest-sys` - `teepot-tee-quote-verification-rs` - `teepot-vault` - Each includes an overview, usage examples, installation instructions, and licensing details.
3.8 KiB
3.8 KiB
teepot-vault
A TEE (Trusted Execution Environment) secret manager that provides secure storage and retrieval of secrets for TEE applications, with a focus on Intel SGX enclaves.
Features
- Remote Attestation: Verify Intel SGX enclaves and other TEEs using attestation reports
- Secure Communication: Establish TLS connections with custom certificate verification based on TEE attestation
- HashiCorp Vault Integration: Store and retrieve secrets with TEE-specific access controls
- Multi-signature Support: PGP-based multi-signature verification for administrative commands
- Configurable TCB Levels: Support for different Trusted Computing Base security levels
Installation
Add this to your Cargo.toml:
[dependencies]
teepot-vault = "0.6.0"
Usage
Creating a Vault Connection
use teepot_vault::client::{AttestationArgs, VaultConnection};
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let args = AttestationArgs {
sgx_mrsigner: Some("your_mrsigner_hex".to_string()),
sgx_mrenclave: Some("your_mrenclave_hex".to_string()),
server: "https://vault.example.com".to_string(),
sgx_allowed_tcb_levels: Some(vec!["Ok".to_string(), "ConfigNeeded".to_string()]),
};
let vault_conn = VaultConnection::new(&args, "my-tee-app".to_string()).await?;
Ok(())
}
Storing and Retrieving Secrets
use serde::{Serialize, Deserialize};
#[derive(Serialize, Deserialize)]
struct MySecret {
api_key: String,
private_key: Vec<u8>,
}
// Store a secret
let my_secret = MySecret {
api_key: "secret-key".to_string(),
private_key: vec![1, 2, 3, 4],
};
vault_conn.store_secret(my_secret, "secrets/my-app/config").await?;
// Retrieve a secret
let secret: MySecret = vault_conn.load_secret("secrets/my-app/config").await?.unwrap();
Custom TEE Connections
For more control over the connection and custom operations:
use teepot_vault::client::TeeConnection;
let tee_conn = TeeConnection::new(&args);
let client = tee_conn.client(); // Get the HTTP client for custom requests
// Perform custom authenticated requests
let response = client
.get("https://vault.example.com/custom/endpoint")
.send()
.await?;
Server Components
The crate also provides server-side utilities for building TEE-aware services:
use teepot_vault::server::{HttpResponseError, Status};
use actix_web::{web, App, HttpServer, Result};
async fn handler() -> Result<String, HttpResponseError> {
// Your TEE service logic here
Ok("Secure response".to_string())
}
#[actix_web::main]
async fn main() -> std::io::Result<()> {
HttpServer::new(|| {
App::new()
.route("/api/secure", web::get().to(handler))
})
.bind("127.0.0.1:8080")?
.run()
.await
}
Requirements
- Rust 1.70 or later
- For SGX support: Intel SGX SDK and PSW (Platform Software)
- HashiCorp Vault instance (for vault operations)
- TEE environment (Intel SGX, Intel TDX, or compatible)
Security Considerations
This crate is designed for use in high-security environments. When using it:
- Always verify attestation reports before trusting a TEE
- Use appropriate TCB levels for your security requirements
- Ensure proper key management for PGP signatures
- Follow HashiCorp Vault best practices for secret management
License
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.