A simple Toolkit to act as a GPG Creator / Signer / Verifier. This abstracts the use of the GPG and makes easy to sign / verify any GPG document using just a POST request.
- Getting Started
- Creating GPG Keys
- Setting up Keys
- Listing loaded private keys
- Unlock Private Key
- Signing Data
- Listing cached public keys
- Verifying Signatures
- Encrypting Data
- Decrypting Data
Agent-UI project has been moved to a separated repository. Check https://github.com/quan-to/agent-ui
These are the Environment Variables that you can set to manage the webserver:
PRIVATE_KEY_FOLDER=> Folder to load / store encrypted private keys. (defaults to './keys')MAX_KEYRING_CACHE_SIZE=> Maximum Number of Public Keys to cache (does not include Private Keys derived Public Keys). (defaults to 1000)SHOW_LINES=> Show filename and lines in logsREQUESTID_HEADER=> Header field to get request IDLOG_FORMAT=> Change log format (default is pipe delimited, provide the valuejsonto log in JSON format)SKS_SERVER=> SKS Server to fetch / put public keys. (defaults to 'http://pgp.mit.edu/')KEY_PREFIX=> Prefix of the name of the keys to load (for example a key prefixtest_will load any key namedtest_XXXX).MODE=> Mode of remote-signer (single_key,default)ON_DEMAND_KEY_LOAD=> Do not attempt to load all keys from keybackend. Load them as needed (defaultsfalse)ENABLE_SWAGGER=> Enables swagger on/swaggerfor Remote Signer. (defaults totrue)SET_EXPOSED_SERVICES=> Enable only services described byEXPOSED_SERVICESEXPOSED_SERVICES=> List of comma separated values with the services that should be exposed__internal=>/__internalendpoint (needed for cluster key password sharing)gpg=>/gpgendpointtests=>/testsendpointkeyRing=>/keyRingendpointsks=>/sksendpointfieldCipher=>/fieldCipherendpointpks=>/pksendpointagent=>/agentendpointagentAdmin=>/agentAdminendpointgraphiql=>/graphiqland/assetsendpointsagent=>/agentendpoint
Remote Signer can use REDIS as a caching layer for GPG Keys and Tokens. If enabled, it also does some in-memory local caching with a smaller TTL. To enable, use the following environment variables:
REDIS_ENABLE=>trueif should be enabled (default: false)REDIS_TLS_ENABLED=>trueif TLS is enabled (default: false)REDIS_HOST=> Hostname of the REDIS server (default: localhost:6379)REDIS_USER=> Username of the REDIS serverREDIS_PASS=> Password of the REDIS serverREDIS_MAX_LOCAL_TTL=> Max local object TTL (in golang duration format):default: 5mREDIS_MAX_LOCAL_OBJECTS=> Max local objects (default: 100)REDIS_CLUSTER_MODE=> If the redis host is running in cluster mode. (default: false)
AGENT_TARGET_URL=> Target URL for Quanto Agent (defaults tohttps://quanto-api.com.br/all)AGENT_KEY_FINGERPRINT=> Default Key FingerPrint for AgentAGENT_BYPASS_LOGIN=> If the Login for using Quanto Agent should be bypassed. DO NOT USE THIS IN EXPOSED REMOTESIGNERAGENT_EXTERNAL_URL=> External URL used by GraphiQL to access agent. Defaults to/agentAGENT_FORCE_URL=> If true, forces agent URL to be the value defined byAGENT_TARGET_URLAGENTADMIN_EXTERNAL_URL=> External URL used by GraphiQL to access agent admin. Defaults to/agentAdminREADONLY_KEYPATH=> If the keypath is readonly. Iftruethen it will create a temporary folder in/tmpand copy all keys to there so it can work over it.HTTP_PORT=> HTTP Port that Remote Signer will run- Single Key Mode (
MODE=single_key)SINGLE_KEY_PATH=> Path for the key to load as private keySINGLE_KEY_PASSWORD=> Password of the key to load as private key
MASTER_GPG_KEY_PATH=> Master GPG Key PathMASTER_GPG_KEY_PASSWORD_PATH=> Master GPG Key Password PathMASTER_GPG_KEY_BASE64_ENCODED=> If the Master GPG Key is base64 encoded (default: true)SYSLOG_IP=> IP of the Syslog Server to send Console Messages (defaults to '127.0.0.1') Does not apply for WindowsSYSLOG_FACILITY=> Facility of the Syslog to use. (defaults to 'LOG_USER')
VAULT_STORAGE=> If a Hashicorp Vault should be used to store private keys instead of the disk (defaultsfalse)VAULT_ADDRESS=> Hashicorp Vault URLVAULT_SKIP_VERIFY=> Hashicorp Vault Skip Verify SSL Certs on ConnectionVAULT_ROOT_TOKEN=> Hashicorp Vault Root TokenVAULT_TOKEN_TTL=> Hashicorp Vault Token TTL (for example24h, default is768h. For more information see https://golang.org/pkg/time/#ParseDuration)VAULT_BACKEND=> Hashicorp Vault Backend (for examplesecret)VAULT_NAMESPACE=> if a Hashicorp Vault Namespace to use (appended to backend, for example if namespace isremote-signerthe keys are stored undersecret/remote-signer)
ENABLE_DATABASE=> Enables using database for Key Store (default: false)DATABASE_DIALECT=> Dialect of the Database connection (postgres,rethinkdb. Defaults: none)CONNECTION_STRING=> Connection string for the database.DATABASE_TOKEN_MANAGER=> Use database connection to manage tokensDATABASE_AUTH_MANAGER=> Use database connection to manage agent logins
RethinkDB Usage is deprecated and discouraged
ENABLE_RETHINKDB_SKS=> Enables Internal SKS Server using RethinkDB (default: false)- Use
DATABASE_DIALECT=rethinkdbinstead
- Use
RETHINK_TOKEN_MANAGER=> If a TokenManager using RethinkDB Should be used (defaults tofalse, uses MemoryTokenManager) [Requires ENABLE_RETHINK_SKS]- Use
DATABASE_TOKEN_MANAGERinstead
- Use
RETHINK_AUTH_MANAGER=> If a AuthManager using RethinkDB Should be used (defaults tofalse, uses JSONAuthManager) [Requires ENABLE_RETHINK_SKS]- Use
DATABASE_AUTH_MANAGERinstead
- Use
RETHINKDB_HOST=> Hostname of RethinkDB Server (default: "rethinkdb")RETHINKDB_USERNAME=> Username of RethinkDB Server (default "admin")RETHINKDB_PASSWORD=> Password of RethinKDB ServerRETHINKDB_PORT=> Port of RethinkDB Server (default 28015)DATABASE_NAME=> RethinkDB Database Name (default "remote_signer")