A lightweight Secrets Management System demonstrating PKI and secrets platform concepts.
- REST API for secret management (create, read, update, delete)
- AES-256-GCM encryption for secrets at rest
- Mutual TLS authentication
- SQLite storage backend
- Audit logging
- Kubernetes secrets sync simulation
- Go 1.21 or later
- OpenSSL (for certificate generation)
- Generate certificates:

  ```bash
  ./scripts/generate-certs.sh
  ```

- Set the master encryption key (32 random bytes, hex-encoded):

  ```bash
  export MASTER_KEY=$(openssl rand -hex 32)
  ```

- Run the server:

  ```bash
  go run cmd/server/main.go
  ```

API endpoints:

- `POST /secret` - Store a new secret
- `GET /secret/:name` - Retrieve a secret
- `PUT /secret/:name` - Rotate a secret
- `DELETE /secret/:name` - Delete a secret
- `POST /sync/k8s` - Sync secrets to Kubernetes
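The following is an added example, not code from this repository, showing how a crypto layer can consume the `MASTER_KEY` exported above and protect a secret at rest with AES-256-GCM. The function names (`parseMasterKey`, `Seal`, `Open`) and the storage layout (nonce || ciphertext || tag) are assumptions for illustration; the project's `internal/crypto` package may differ. The secret name is bound in as additional authenticated data so that a ciphertext copied from one row of the store into another fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// parseMasterKey decodes the value produced by `openssl rand -hex 32` and
// rejects anything that is not exactly 32 bytes (AES-256).
func parseMasterKey(hexKey string) ([]byte, error) {
	key, err := hex.DecodeString(hexKey)
	if err != nil {
		return nil, fmt.Errorf("MASTER_KEY is not valid hex: %w", err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("MASTER_KEY must be 32 bytes, got %d", len(key))
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under the master key. A fresh random 96-bit nonce
// is generated per call and prefixed to the output, and the secret name is
// passed as additional authenticated data (AAD), so the blob is only valid
// for the name it was stored under.
func Seal(key []byte, name string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce (12 bytes) || ciphertext || GCM tag (16 bytes).
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open reverses Seal. Any change to the blob, or a mismatched name, makes
// GCM authentication fail and returns an error instead of plaintext.
func Open(key []byte, name string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(name))
}

func main() {
	key, err := parseMasterKey(os.Getenv("MASTER_KEY"))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// "hunter2" is a constructed sample secret.
	blob, err := Seal(key, "db/password", []byte("hunter2"))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("stored blob:", hex.EncodeToString(blob))
	if _, err := Open(key, "db/other-name", blob); err != nil {
		fmt.Println("blob moved to another name is rejected:", err)
	}
}
```

Run it with `MASTER_KEY` exported as in the quick start; with the variable unset or malformed it exits with an error rather than silently using a weak key. GCM nonces must never repeat under the same key, which is why the nonce is drawn from `crypto/rand` on every `Seal` and why the master key should be rotated long before the random-nonce collision bound becomes a concern.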
- Mutual TLS authentication
- AES-256-GCM encryption
- Audit logging
- Certificate-based client authentication
```text
.
├── cmd/
│   └── server/
│       └── main.go
├── internal/
│   ├── crypto/
│   │   └── crypto.go
│   ├── storage/
│   │   └── storage.go
│   ├── handlers/
│   │   └── handlers.go
│   └── certs/
│       └── certs.go
├── scripts/
│   └── generate-certs.sh
└── certs/
    ├── ca/
    ├── server/
    └── client/
```
The `scripts/generate-certs.sh` script creates:

- Root CA certificate (trust anchor for both sides of the mutual TLS connection)
- Server certificate, signed by the root CA
- Client certificate, signed by the root CA
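To show what the three certificates above are for, here is an added example (not the project's `internal/certs` code) that wires a root CA, server certificate and client certificate into a Go server that requires mutual TLS, then connects once with a client certificate and once without. Instead of reading the PEM files written by `generate-certs.sh`, it mints equivalent ECDSA certificates in memory so it runs offline; the helper `issue`, the names `ServerTLSConfig`, `clientIdentity` and `RunDemo`, and the CN `ci-runner` are all assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issue mints a certificate in memory: self-signed when isCA, otherwise
// signed by parent. It stands in for the files under certs/{ca,server,client}.
func issue(cn string, isCA bool, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // httptest listens on loopback
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{eku} // serverAuth or clientAuth only
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ServerTLSConfig is the mutual TLS setting: present the server cert and
// refuse any client whose certificate does not chain to the project CA.
func ServerTLSConfig(ca *x509.Certificate, server tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS12,
	}
}

// clientIdentity is what an audit log entry should record as the actor: the
// CN of the client certificate the TLS layer has already verified.
func clientIdentity(r *http.Request) string {
	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
		return ""
	}
	return r.TLS.PeerCertificates[0].Subject.CommonName
}

// RunDemo returns the identity the server saw from a client holding a
// CA-issued client certificate, and the error a client with no cert received.
func RunDemo() (string, error) {
	caCert, caKey := issue("demo-ca", true, 0, nil, nil)
	srvCert, srvKey := issue("server", false, x509.ExtKeyUsageServerAuth, caCert, caKey)
	cliCert, cliKey := issue("ci-runner", false, x509.ExtKeyUsageClientAuth, caCert, caKey)

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, clientIdentity(r))
	}))
	srv.TLS = ServerTLSConfig(caCert, tls.Certificate{Certificate: [][]byte{srvCert.Raw}, PrivateKey: srvKey})
	srv.StartTLS()
	defer srv.Close()

	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	call := func(certs []tls.Certificate) (string, error) {
		client := &http.Client{Transport: &http.Transport{
			TLSClientConfig: &tls.Config{RootCAs: roots, Certificates: certs},
		}}
		resp, err := client.Get(srv.URL + "/secret/db-password")
		if err != nil {
			return "", err
		}
		defer resp.Body.Close()
		body, err := io.ReadAll(resp.Body)
		return string(body), err
	}
	seen, err := call([]tls.Certificate{{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}})
	if err != nil {
		return "", err
	}
	_, rejected := call(nil) // no client certificate: handshake is refused
	return seen, rejected
}

func main() {
	seen, rejected := RunDemo()
	fmt.Println("authenticated client:", seen)
	fmt.Println("client without cert:", rejected)
}
```

Two points carry over to the real server: `ClientAuth` must be `RequireAndVerifyClientCert` (the weaker `RequestClientCert` and `VerifyClientCertIfGiven` let an anonymous client through), and the identity written to the audit log should come from `r.TLS.PeerCertificates`, not from any header the client supplies.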
```bash
go test ./...
```

- The master key should live in a dedicated key store in production, not in an environment variable as in the quick start above
- Regular key rotation is recommended
- Audit logs should be monitored
- Client certificates should be issued with short lifetimes, tracked, and removed from the trusted set when a client is decommissioned
MIT