The main use case is to get keys to open encrypted devices automatically, without having to store them on the local machine.
It's written in Go, and is open source under the MIT licence.
Documentation
- README.
- Quick start.
- Manpages: kxd (server), kxc (client), kxc-cryptsetup (cryptsetup helper).
Source code
- Browse the git repository (github mirror)
git clone https://blitiri.com.ar/repos/kxd
Overview
Server

The server configuration is stored in a root directory (/etc/kxd/data), and within there, with per-key directories (e.g. /etc/kxd/data/host1/key1), each containing the following files:

- key: Contains the key to give to the client.
- allowed_clients: Contains one or more PEM-encoded client certificates that will be allowed to request the key. If not present, then no clients will be allowed to access this key.
- allowed_hosts: Contains one or more host names (one per line). If not present, then all hosts will be allowed to access that key (as long as they are authorized with a valid client certificate).
- email_to: Contains one or more email destinations to notify (one per line). If not present, then no notifications will be sent upon key accesses.
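To make the access rules concrete, here is an added example in Go (kxd's language) that is not kxd's own code: a small evaluator that applies the four files above to one request, usable from the command line against a key directory in the layout just described. Only the file names and their present/absent semantics come from the page; the function names, the CLI usage, the error messages and the byte-for-byte DER comparison of the client certificate are assumptions made for this example. In a real server the certificate would be the TLS peer certificate of the connection.

```go
// Added example, not code from kxd: a re-implementation of the per-key access
// rules above (file names and semantics from the page; everything else assumed).
package main

import (
	"bytes"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// readOptional returns a file's contents plus whether it exists; each rule
// treats an absent file differently, so presence is reported separately.
func readOptional(path string) ([]byte, bool, error) {
	data, err := os.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		return nil, false, nil
	}
	return data, err == nil, err
}

// clientAllowed: the presented certificate must equal, byte for byte in DER,
// one of the PEM certificates in allowed_clients. An absent file allows nobody.
func clientAllowed(keyDir string, cert *x509.Certificate) (bool, error) {
	data, _, err := readOptional(filepath.Join(keyDir, "allowed_clients"))
	if err != nil {
		return false, err
	}
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		if b.Type == "CERTIFICATE" && bytes.Equal(b.Bytes, cert.Raw) {
			return true, nil
		}
	}
	return false, nil
}

// hostAllowed: an absent allowed_hosts means any host; otherwise the requesting
// host name must appear on one of its lines (Fields splits on newlines; host
// names contain no spaces, so that is equivalent to one-per-line here).
func hostAllowed(keyDir, host string) (bool, error) {
	data, present, err := readOptional(filepath.Join(keyDir, "allowed_hosts"))
	if err != nil || !present {
		return err == nil, err // absent: any host may ask; read error: deny
	}
	for _, h := range strings.Fields(string(data)) {
		if h == host {
			return true, nil
		}
	}
	return false, nil
}

// Authorize evaluates a request for keyDir (e.g. /etc/kxd/data/host1/key1) and
// returns the key plus the email_to addresses to notify (none if that file is
// absent). The certificate is checked before the host, so an unknown client
// learns nothing about which hosts are listed.
func Authorize(keyDir string, cert *x509.Certificate, host string) ([]byte, []string, error) {
	if ok, err := clientAllowed(keyDir, cert); err != nil {
		return nil, nil, err
	} else if !ok {
		return nil, nil, errors.New("client certificate not in allowed_clients")
	}
	if ok, err := hostAllowed(keyDir, host); err != nil {
		return nil, nil, err
	} else if !ok {
		return nil, nil, fmt.Errorf("host %q not in allowed_hosts", host)
	}
	key, err := os.ReadFile(filepath.Join(keyDir, "key"))
	if err != nil {
		return nil, nil, err
	}
	emails, _, err := readOptional(filepath.Join(keyDir, "email_to"))
	return key, strings.Fields(string(emails)), err
}

// Usage: go run policy.go <key-dir> <client-cert.pem> <host>
// Prints the key on stdout (as kxc would) or the denial reason on stderr.
func main() {
	if len(os.Args) != 4 {
		die(errors.New("usage: policy <key-dir> <client-cert.pem> <host>"))
	}
	pemData, err := os.ReadFile(os.Args[2])
	if err != nil {
		die(err)
	}
	block, _ := pem.Decode(pemData)
	if block == nil {
		die(errors.New("no PEM block in " + os.Args[2]))
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		die(err)
	}
	key, notify, err := Authorize(os.Args[1], cert, os.Args[3])
	if err != nil {
		die(err)
	}
	os.Stdout.Write(key)
	fmt.Fprintln(os.Stderr, "notify:", notify)
}

func die(err error) { fmt.Fprintln(os.Stderr, "error:", err); os.Exit(1) }
```

Run it as `go run policy.go /etc/kxd/data/host1/key1 client.crt host1` against a directory populated as above. Two details worth keeping when writing such a check for real: match the whole certificate rather than just its subject, so a re-issued certificate with the same name is not silently accepted, and treat an unreadable file (as opposed to an absent one) as a denial, since the two cases mean different things under these rules.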
Client

The basic command line client (kxc) will take the client key and certificate, the expected server certificate, and a URL to the server (like kxd://server/host1/key1), and it will print on standard output the returned key (the contents of the corresponding key file).

There are scripts to tie this with cryptsetup's infrastructure to make the opening of encrypted devices automatic; see cryptsetup/ for the details.